Closed Bug 22048 Opened 25 years ago Closed 24 years ago

XUL brutal sharing needs super-prototype love

Categories

(Core :: JavaScript Engine, defect, P1)

Product:
Core
Component:
JavaScript Engine
Platform:
All
Windows NT
Type:
defect

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: mcafee, Assigned: brendan)

Details

(Keywords: js1.5)

Attachments

(5 files)

proposed fix (also for 22098)
752 bytes, patch
Details | Diff | Splinter Review
Linux degub build test results
7.33 KB, text/html
Details
proposed fix (diff -u format)
23.88 KB, patch
Details | Diff | Splinter Review
proposed fix (diff -wu format)
20.67 KB, patch
Details | Diff | Splinter Review
minimal xul testcase
409 bytes, text/plain
Details 
Got a JS emoticon error this morning,
input text field stopped accepting input and
I had to quit the app.  Not sure how I did this,
if you need more info I can research the problem more.
Status: NEW → ASSIGNED
Component: XPApps → chatzilla
Summary: IRC: JS emoticon error → IRC: JS emoticon error
(changing component to chatzilla)

Was the message something like "emoticon.search has no properties" around line
193 in test-static.js?

afaik, that's the only place in the code it's actually referred to as an
"emoticon".  This patch *should* prevent the hard error, but I've got no idea
how it actually occurs.  I'll check this in when the tree opens.

Index: munger.js
===================================================================
RCS file: /cvsroot/mozilla/extensions/irc/xul/lib/munger.js,v
retrieving revision 1.1
diff -u -r1.1 munger.js
--- munger.js   1999/11/29 03:57:33     1.1
+++ munger.js   1999/12/17 21:38:10
@@ -64,7 +64,7 @@
         else
             ary = text.match(this.entries[entry].regex);

-        if (ary != null)
+        if ((ary != null) && (ary[1]))
         {
             var startPos = text.indexOf(ary[1]);
yes, the error looked like that.
Didn't know about chatzilla component, nice!
Status: ASSIGNED → RESOLVED
Closed: 25 years ago
Resolution: --- → DUPLICATE
this seems to be cause by the sharing bug secribed in bug 22098

*** This bug has been marked as a duplicate of 22098 ***
Status: RESOLVED → REOPENED
THis
Assignee: rginda → brendan
Status: REOPENED → NEW
Status: NEW → ASSIGNED
Resolution: DUPLICATE → ---
Priority: P3 → P1
Er, that is to say: this is a distinct bug from 22098 -- see my comment with two
alternative fixes in bug 22098 for more.

/be
Target Milestone: M13
Summary: IRC: JS emoticon error → JS compiler-looks-up-RegExp bug exposed by brutal sharing in XUL
Summary: JS compiler-looks-up-RegExp bug exposed by brutal sharing in XUL → JS compiler-looks-up-RegExp bug exposed by XUL brutal sharing
Summary: JS compiler-looks-up-RegExp bug exposed by XUL brutal sharing → JS compiler-looks-up-RegExp (exposed by XUL brutal sharing)
The real patch to make chatzilla work is:

Index: test3-static.js
===================================================================
RCS file: /cvsroot/mozilla/extensions/irc/xul/tests/test3-static.js,v
retrieving revision 1.11
@@ -131,7 +132,8 @@
                                "event-tracer", true /* negate */,
                                false /* disable */);

-    obj.munger = new CMunger();
+    obj.munger = new CMunger();
+    /*
     obj.munger.addRule ("you-talking-to-me?", matchMyNick, "");
     obj.munger.addRule
         ("link", /((http|mailto|ftp)\:\/\/[^\)\s]*|www\.\S+\.\S[^\)\s]*)/,
@@ -140,13 +142,14 @@
         ("face",

/((^|\s)[\<\>]?[\;\=\:\8]\~?[\-\^\v]?[\)\|\(pP\<\>oO0\[\]\/\\](\s|$))/,
          insertSmiley);
-    obj.munger.addRule ("rheet", /(rhe+t\!*)/i, "rheet");
+    obj.munger.addRule ("rheet", /(rhee+t\!*)/i, "rheet");
     obj.munger.addRule ("bold", /(\*.*\*)/, "bold");
     obj.munger.addRule ("italic", /[^sS](\/.*\/)/, "italic");
     obj.munger.addRule ("teletype", /(\|.*\|)/, "teletype");
     obj.munger.addRule ("underline", /(\_.*\_)/, "underline");
     //obj.munger.addRule ("strikethrough", /(\-.*\-)/, "strikethrough");
     obj.munger.addRule ("smallcap", /(\#.*\#)/, "smallcap");
+    */

 }
Keywords: js1.5
OS: other → All
Hardware: Other → All
I'm going with my solution #1: Call JS_InitStandardClasses(cx) in the XUL code
that makes this "prototype global" object against which XUL scripts are
compiled."  Auto-cloning RegExp objects created by the JS compiler for literal
regular expressions imposes too much overhead on compile/exec evaluation (where
there is no brutal compile early, exec later in multiple contexts, sharing).

Patch coming up.

/be
Patch fixes both bugs.
Status: ASSIGNED → RESOLVED
Closed: 25 years ago25 years ago
Resolution: --- → FIXED
Fixed in rdf/content/src/nsXULPrototypeDocument.cpp.

/be
This is still showing up in the WinNT builds.
/foo/ instanceof RegExp fails in windows, works as expected in linux debug and
opt.
Status: RESOLVED → REOPENED
Component: chatzilla → Javascript Engine
OS: All → Windows NT
not sure who is JS qa, trying prashant
QA Contact: paulmac → desale
Clearing FIXED resolution due to reopen.  Setting QA Contact to rginda
QA Contact: desale → rginda
Resolution: FIXED → ---
Not an M13 stopper.  The problem is no longer that /hi/.test is not defined -- we 

fixed that.  Now the problem is that /hi/ instanceof RegExp is false in XUL 

windows because brutal sharing uses a secret global object to scope the 

compilation of /hi/, and then at runtime uses a DOM XUL window to scope the right 

operand, RegExp.  We've broken prototype identity, yay!



This can be fixed in M14, either by sharing one set of standard classes among all 

XUL windows, or by two-layer prototype hierarchy.



/be
Status: REOPENED → ASSIGNED
Target Milestone: M13 → M14
Summary: JS compiler-looks-up-RegExp (exposed by XUL brutal sharing) → XUL brutal sharing needs super-prototype love
uuh, ignore that attachment.  Wrong bug.
Argh, two-layer prototype hierarchy is impossible: say you have a XUL window, x, 
and the prototype document d.  Then if you make

d.Object.prototype === x.Object.prototype.__proto__

you can't arrange for

(new x.RegExp("hi")) instanceof x.Object

because JS supports only a single prototype per object 
(x.RegExp.prototype.__proto__ === x.RegExp.prototype, and 
x.RegExp.prototype.__proto__ === x.Object.prototype, and 
x.Object.prototype.__proto__ === null, but there cannot be any 
x.Object.prototype along that chain).

So we're left with one set of standard classes for all XUL windows.  This is 
certainly faster, too.  It requires changing the DOM code in nsGlobalWindow.cpp 
so that ::JS_InitStandardClasses is not always called.  For XUL windows, I think 
we want to clone each standard class constructor function; non-constructors such 
as Math we can share by reference.  We need constructor clones so that instances 
get parented by their particular XUL windows, not by the hidden XUL prototype 
document script object used for compilation.  Hope this is clear enough!

I'll hack up a patch to extend the JS API with JS_CloneStandardClasses.

/be
Assignee: brendan → waterson
Status: ASSIGNED → NEW
Remember, all XUL cometh not from the same security domain. We can load XUL
files just like regular content. So this may require some cleverness in the code
that is init-ing standard classes to determine whether it can share or not.
Status: NEW → ASSIGNED
moving to M15 because i am doomed.
Target Milestone: M14 → M15
I'd go further: XUL loaded from untrusted domains (not from the unified, 
singular domain of chrome:) should not brutally share the prototype document's 
script object for compile-time constructors (Function, RegExp).  Can we have a 
per-origin compile-time scope object?  That would seem to preserve the identity 
relations we crave, without compromising security.

/be
I'm a dumbass, typos messed up my example (note d for x everywhere after the 
first ==='s left operand):

(x.RegExp.prototype.__proto__ === d.RegExp.prototype, and 
d.RegExp.prototype.__proto__ === d.Object.prototype, and 
d.Object.prototype.__proto__ === null, but there cannot be any 
x.Object.prototype along that chain).

Anyway, same punchline: no "MI" or multiple prototype delegation a la Self in 
JS, wahhh.

/be
I promised a JS_CloneStandardObjects patch, but thinking about it more, I bet we 
can do even better, in terms of per-XUL-window set-new-document cost.

Instead of cloning a bunch of constructors, some of which may never be called, 
we should specialize the XUL window resolve hook (JSClass.resolve, or perhaps 
better: nsIJSScriptObject::Resolve) to look for undefined properties named by 
XUL scripts in the prototype document's script object.  If a property of the 
same name is found there, check its type (JS_TypeOfValue).  If JSTYPE_FUNCTION, 
then JS_CloneFunctionObject and JS_DefineProperty; else just JS_DefineProperty 
to share the value.

Waterson, I may cough up a patch for this if it'll help you.  I probably won't 
do the work in dom/src/base to avoid calling ::JS_InitStandardClasses, or the 
work to make a per-trust-domain locus of compilation scope and standard classes.

/be
OK, I don't think this is a js1.5 bug any more (although I still question the 
special case whereby e instanceof Exception is true no matter which 
Exception.prototype e delegates to, in a world of multiple top-level objects and 
their standard classes (including Exception)).

/be
Keywords: js1.5
brendan: backatcha.
Assignee: waterson → brendan
Status: ASSIGNED → NEW
Target Milestone: M15 → M16
I'm actually interested in revamping the context-universal e instanceof 
SyntaxError (e.g.) behavior, generalizing it so that instanceof works for brutal 
sharing embeddings of JS too.  Also, the way jsfun.c and jsexn.c conspire to 
implement this (js_exnHasInstance) seems flimsy, or hokey, or something -- but I 
haven't spent the time to think of a general way.  I'll do that now.

/be
Status: NEW → ASSIGNED
Keywords: js1.5
Target Milestone: M16 → M15
Read the -wu diffs for best code-buddying results.  Note also that I'm checking
in the fix for http://bugzilla.mozilla.org/show_bug.cgi?id=33391 (included in
jsfun.c).

/be
Looking for some r= love tonight (M15 deadline).

/be
Attached file minimal xul testcase 

    
    

    
  
js engine passes all tests, mozilla passes testcase.

    
    

    
  
Adding jband.

/be

    
    

    
  
r=jband

    
    

    
  
Thanks to jband's review, I fixed the #undef WRAP_EXCEPTION to be #undef
MAKE_EXCEPTION_CTOR, and I squished a warning by making the sentinel initializer
at the end of the exceptions table be {0,0,NULL} rather than {0,0}.

/be

    
    

    
  
Fixed, thanks to jband, mccabe, and rginda.

/be
Status: ASSIGNED → RESOLVED
Closed: 25 years ago24 years ago
Resolution: --- → FIXED

    
    

    
  
This patch is an improvement for native objects, but I'm not sure it's as
general as it could be for user-defined functions.

With a little dredging, I remembered the original problem with using the
'constructor' property to implement.  (Apologies to Brendan, if this is what you
showed me on John's whiteboard.)  This objection applies to user-generated
functions, might apply to brutal-shared functions, and doesn't apply to
builtins.

The constructor property is a property of the initial, default .prototype
property of newly generated user functions.  In general, user-generated function
hierarchies are built by assinging to function .prototype properties.  This
overwrites the .constructor information, so it can't be used to test whether an
object was built by a given function.


Function A() {}
// A gets .prototype property, and .prototype.constructor === A

Function B() {}
// ditto

// Make A instances get behavior from B.prototype
A.prototype = new B // overwrites A.prototype.constructor
a = new A(); // a.__proto__ === B.prototype
a.__proto__.constructor === B // !

a instanceof A
a instanceof B

In the single-window case, these expressions are both true, by the
prototype-chasing hasInstance.  Is the first expression true in the
brutal-sharing case?  Does the question even come up, for brutally-shared
user-defined functions?

    
    

    
  
Good point, the first expression (a instanceof A) is false in the brutal sharing 
case, unless you add A.prototype.constructor = A; after A.prototype = new B.

The (a.__proto__.constructor === B) invariant that you commented with // ! has 
always been an anomaly in this kind of JS, brutal sharing or no brutal sharing. 
I mean, we just constructed a via (new A), so you'd think a's constructor was A, 
eh? [sorry]  OTOH, A.prototype was set to a (new B), and all instances of B 

I remember this coming up in the ancient days, 3.0 or so, and I advised folks 
then to set A.prototype.constructor = A after setting A.prototype = new B.  This 
is exactly what the JS engine does (js_SetClassPrototype) for natives: when you 
set constructor.prototype, you set .prototype.constructor to point back.  So, is 
this policy good enough (if documented -- help me, rginda!) to close the bug?

/be

    
    

    
  
Oops, didn't finish editing that last sentence of paragraph 2: "OTOH, 
A.prototype was set to a (new B), and all instances of B " should have read 
"OTOH, A.prototype was set to an instance of B (new B), whose constructor is 
naturally enough B."

Notice that any brutal sharer may set A.prototype.constructor = A, even though 
each sharer gets its own function-object clone for A.  Brutal sharing means that 
either all the function objects (clone-parent when brutally-shared source was 
loaded; clones for each sharing "context") have the same native function 
pointer, or they all have the same shared JSScript.  Brutal sharing thus reduces 
JS-compiled scripts to equivalence in number and shared-ness with C or C++ 
compiled native functions.

/be

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: