Closed
Bug 1218111
Opened 9 years ago
Closed 9 years ago
Incorrect property enumeration order with unboxed objects
Categories
(Core :: JavaScript Engine, defect)
Core
JavaScript Engine
Tracking
()
People
(Reporter: jandem, Assigned: jandem)
References
Details
(Keywords: regression)
Attachments
(1 file)
|
8.12 KB,
patch
|
bhackett1024
:
review+
lizzard
:
approval-mozilla-beta+
|
Details | Diff | Splinter Review |
Noticed this while working on bug 1175111, but it's a pre-existing issue.
The spec requires the following enumeration order: indexed properties, then string properties, then symbol properties. This doesn't work correctly for unboxed objects with expando properties, for instance symbols can be added before strings.
Fixing this in the enumerate hook is annoying, it requires duplicating the logic in EnumerateNativeProperties. We could have a templatized helper function and call that in both places, but the extra boilerplate isn't that great either (I tried this initially).
I think a simpler fix is to special-case unboxed plain objects with expandos and call EnumerateNativeProperties on the expando. The attached patch does this.
Attachment #8678485 -
Flags: review?(bhackett1024)
|
||
Comment 1•9 years ago
|
||
Comment on attachment 8678485 [details] [diff] [review]
Patch
Review of attachment 8678485 [details] [diff] [review]:
-----------------------------------------------------------------
::: js/src/jsiter.cpp
@@ +234,5 @@
> if (!MergeSort(ids, n, tmp.begin(), SortComparatorIntegerIds))
> return false;
> }
>
> + if (unboxed) {
The enumeration logic in this patch is kind of hard to follow, maybe add a comment here like:
If |unboxed| is set then |pobj| is the expando for an unboxed plain object we are enumerating. Add the unboxed properties themselves here since they are all property names that were given to the object before any of the expando's properties.
Attachment #8678485 -
Flags: review?(bhackett1024) → review+
|
||
Comment 3•9 years ago
|
||
| bugherder | ||
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
status-firefox44:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla44
|
Assignee | |
Comment 4•9 years ago
|
||
Comment on attachment 8678485 [details] [diff] [review]
Patch
Approval Request Comment
[Feature/regressing bug #]: Bug 1162199.
[User impact if declined]: Might break some websites.
[Describe test coverage new/current, TreeHerder]: On m-c, adds testcase.
[Risks and why]: Low risk.
[String/UUID change made/needed]: None.
Attachment #8678485 -
Flags: approval-mozilla-beta?
Attachment #8678485 -
Flags: approval-mozilla-aurora?
|
||
Comment 5•9 years ago
|
||
Comment on attachment 8678485 [details] [diff] [review]
Patch
Looks like it landed before the merge!
Attachment #8678485 -
Flags: approval-mozilla-aurora?
|
||
Comment 6•9 years ago
|
||
Tracking since this sounds like a regression from 41.
status-firefox41:
--- → wontfix
status-firefox42:
--- → affected
status-firefox43:
--- → affected
status-firefox45:
--- → affected
tracking-firefox43:
--- → +
tracking-firefox44:
--- → +
tracking-firefox45:
--- → +
Keywords: regression
|
|
||
Comment 7•9 years ago
|
||
Comment on attachment 8678485 [details] [diff] [review]
Patch
Fix for recent regression, adds tests. Approved for uplift to beta.
Attachment #8678485 -
Flags: approval-mozilla-beta? → approval-mozilla-beta+
|
||
Comment 8•9 years ago
|
||
This doesn't apply cleanly to beta:
grafting 311461:8d34c0a05a1f "Bug 1218111 - Fix property enumeration order of unboxed objects with expando properties. r=bhackett"
merging js/src/jsiter.cpp
warning: conflicts during merge.
merging js/src/jsiter.cpp incomplete! (edit conflicts, then use 'hg resolve --mark')
merging js/src/vm/UnboxedObject.cpp
abort: unresolved conflicts, can't continue
(use hg resolve and hg graft --continue)
Flags: needinfo?(jdemooij)
|
|
Assignee | |
Comment 9•9 years ago
|
||
You need to log in
before you can comment on or make changes to this bug.
Description
•