Closed
Bug 1304955
Opened 8 years ago
Closed 8 years ago
Tagged template literals parses incorrect from startup cache
Categories
(Core :: JavaScript Engine, defect, P1)
Tracking
()
RESOLVED
FIXED
mozilla52
| Tracking | Status | |
|---|---|---|
| firefox49 | --- | unaffected |
| firefox50 | --- | unaffected |
| firefox51 | + | fixed |
| firefox52 | - | fixed |
People
(Reporter: zbinlin, Assigned: emilio)
References
Details
(Keywords: regression)
Attachments
(1 file)
|
58 bytes,
text/x-review-board-request
|
jandem
:
review+
gchang
:
approval-mozilla-aurora+
|
Details |
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:51.0) Gecko/20100101 Firefox/51.0
Build ID: 20160922181628
Steps to reproduce:
New file /tmp/test.js:
```javascript
function foo(val) {
return val;
}
console.assert("bar" === foo(`bar`));
console.assert("bar" === (foo`bar`)[0]);
console.assert("bar" === foo(String.raw`bar`));
```
Load by `loadSubScriptWithOptions`:
```javascript
Services.scriptloader.loadSubScriptWithOptions("file:///tmp/test.js", {
target: {},
ignoreCache: false,
}); // load and cache
Services.scriptloader.loadSubScriptWithOptions("file:///tmp/test.js", {
target: {},
ignoreCache: false,
}); // load from startup cache
```
|
||
Comment 1•8 years ago
|
||
Looks like XDR bug around callsiteobj. regression range: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=41d8277af19246308bdf51bf0cd60da3498681b1&tochange=5c6582975b9ddaac43260767af201294849ac9a6 so this seems to be from bug 1283334. simplified testcase for js shell: var code = cacheEntry("assertEq('bar', String.raw`bar`);"); var g = newGlobal({ cloneSingletons: true }); evaluate(code, { global: g, saveBytecode: true }); evaluate(code, { global: g, loadBytecode: true }); the following code shows that different object is passed to function: var code = cacheEntry("(x => x.toSource())`bar`;"); var g = newGlobal({ cloneSingletons: true }); print(evaluate(code, { global: g, saveBytecode: true })); // ["bar"] print(evaluate(code, { global: g, loadBytecode: true })); // [,]
Blocks: 1283334
Status: UNCONFIRMED → NEW
status-firefox50:
--- → unaffected
status-firefox51:
--- → affected
status-firefox52:
--- → affected
Component: Untriaged → JavaScript Engine
Ever confirmed: true
Keywords: regression
Product: Firefox → Core
status-firefox49:
--- → unaffected
Leo, is this something we can fix in 51?
Flags: needinfo?(leo)
| Comment hidden (mozreview-request) |
|
Assignee | |
Comment 4•8 years ago
|
||
Not sure what the best way is to test this, any pointers arai?
Flags: needinfo?(arai.unmht)
|
|
||
Comment 5•8 years ago
|
||
| mozreview-review | ||
Comment on attachment 8802764 [details] Bug 1304955: Call site objects now store their elements as dense after bug 1283334. https://reviewboard.mozilla.org/r/87060/#review86120 I'd forward this review to jandem. About test, code in comment #1 will work. var code = cacheEntry("assertEq('bar', String.raw`bar`);"); var g = newGlobal({ cloneSingletons: true }); evaluate(code, { global: g, saveBytecode: true }); evaluate(code, { global: g, loadBytecode: true }); or, change the following test to check the value of tagged template. https://hg.mozilla.org/mozilla-central/annotate/f40960c63bfac865d510ec9da42eeed74c384082/js/src/jit-test/tests/xdr/trivial.js#l40 > // code call site object > test = "function f(a) { return a; }; f`a${4}b`;"; > evalWithCache(test, { assertEqBytecode: true, checkFrozen: true});
|
|
||
Updated•8 years ago
|
Attachment #8802764 -
Flags: review?(jdemooij)
|
|
||
Updated•8 years ago
|
Flags: needinfo?(arai.unmht)
Attachment #8802764 -
Flags: review?(arai.unmht)
| Comment hidden (mozreview-request) |
|
||
Comment 7•8 years ago
|
||
| mozreview-review | ||
Comment on attachment 8802764 [details] Bug 1304955: Call site objects now store their elements as dense after bug 1283334. https://reviewboard.mozilla.org/r/87060/#review86552 Thanks for fixing this. r=me with comments below addressed. ::: js/src/jit-test/tests/xdr/tagged-template-literals.js:1 (Diff revision 2) > +var code = cacheEntry("assertEq('bar', String.raw`bar`);"); Please also add a test based on the second test in comment 1, and assert the array is what we expect. ::: js/src/jsobj.cpp:1151 (Diff revision 2) > > static bool > GetScriptArrayObjectElements(JSContext* cx, HandleObject obj, MutableHandle<GCVector<Value>> values) > { > MOZ_ASSERT(!obj->isSingleton()); > MOZ_ASSERT(obj->is<ArrayObject>() || obj->is<UnboxedArrayObject>()); We should assert the array has no sparse elements: MOZ_ASSERT(!obj->isIndexed());
Attachment #8802764 -
Flags: review?(jdemooij) → review+
|
|
||
Comment 8•8 years ago
|
||
Regression, we should fix this before it's released.
| Comment hidden (mozreview-request) |
| Comment hidden (mozreview-request) |
|
|
Assignee | |
Comment 11•8 years ago
|
||
https://treeherder.mozilla.org/#/jobs?repo=try&revision=297fd8e651a6
|
|
Assignee | |
Updated•8 years ago
|
Assignee: nobody → ecoal95
|
||
Comment 12•8 years ago
|
||
Pushed by ecoal95@gmail.com: https://hg.mozilla.org/integration/autoland/rev/49246df91b04 Call site objects now store their elements as dense after bug 1283334. r=jandem
|
||
Comment 13•8 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/49246df91b04
Status: NEW → RESOLVED
Closed: 8 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla52
|
||
Comment 14•8 years ago
|
||
Track 51+ as regression. Hi :emilio, Since this also affects 51, do you think the patch is worth uplifting to 51?
Flags: needinfo?(ecoal95)
|
|
Assignee | |
Comment 15•8 years ago
|
||
Comment on attachment 8802764 [details] Bug 1304955: Call site objects now store their elements as dense after bug 1283334. Approval Request Comment [Feature/regressing bug #]: bug 1283334 [User impact if declined]: JS regression. [Describe test coverage new/current, TreeHerder]: Automated tests added in the patch. [Risks and why]: Low, tested negative-diff fix. [String/UUID change made/needed]: None
Flags: needinfo?(ecoal95)
Attachment #8802764 -
Flags: approval-mozilla-aurora?
|
|
Assignee | |
Comment 16•8 years ago
|
||
Thanks for reminding me Gerry, I meant to have done this before :)
|
|
||
Comment 17•8 years ago
|
||
Comment on attachment 8802764 [details] Bug 1304955: Call site objects now store their elements as dense after bug 1283334. Fix a regression and add tests. Take it in 51 aurora.
Attachment #8802764 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
|
||
Comment 18•8 years ago
|
||
| bugherder uplift | ||
https://hg.mozilla.org/releases/mozilla-aurora/rev/1ec527fde116
|
||
Updated•8 years ago
|
Flags: needinfo?(leo)
You need to log in
before you can comment on or make changes to this bug.
Description
•