Closed
Bug 417981
Opened 17 years ago
Closed 17 years ago
PROPERTY_CACHE_TEST called with non-native objects
Categories
(Core :: JavaScript Engine, defect, P1)
Core
JavaScript Engine
Tracking
()
RESOLVED
FIXED
mozilla1.9beta4
People
(Reporter: shaver, Assigned: brendan)
References
Details
Attachments
(2 files)
|
10.27 KB,
patch
|
shaver
:
review+
|
Details | Diff | Splinter Review |
|
7.83 KB,
patch
|
Details | Diff | Splinter Review |
JSOP_CALLPROP calls PROPERTY_CACHE_TEST without verifying that the object in question is native, and with the arrays patch in bug 322889 the object often is not.
JSOP_NAME, JSOP_BINDNAME, and JSOP_CALLNAME do the same; if we're sure that fp->scopeChain can only be a native object then we should assert it, otherwise they need to defend as well.
(JSOP_SET{NAME,PROP} defend by checking ops->setProperty vs js_SetProperty before the open-coded "JS_PROPERTY_CACHE_TEST". JSOP_GETPROP and JSOP_GETPROPX check getProperty instead.)
The semantics of PROPERTY_CACHE_TEST don't seem to permit an easy internal check, so I guess we'll need to add such a test to each of the callers.
|
Assignee | |
Comment 1•17 years ago
|
||
Yes, callers must test. My bad -- but hmm, wouldn't we want array.method() to win from property cache (esp. the polymorphic L1 fast hit -- "pchit" -- case)? Should Array.prototype be a slow array (i.e., native)?
/be
Assignee: general → brendan
Flags: blocking1.9+
OS: Mac OS X → All
Priority: -- → P1
Hardware: PC → All
Target Milestone: --- → mozilla1.9beta4
|
Reporter | |
Comment 2•17 years ago
|
||
Happily, Array.prototype is always a slow array, because the non-index names of the methods force it to be.
|
|
Assignee | |
Updated•17 years ago
|
Status: NEW → ASSIGNED
|
|
Assignee | |
Comment 3•17 years ago
|
||
diff -w version of same next.
/be
Attachment #303960 -
Flags: review?(shaver)
|
|
Assignee | |
Comment 4•17 years ago
|
||
|
|
Reporter | |
Comment 5•17 years ago
|
||
Looks OK to me, testing it out now. I don't see that this will cause us to get propcache love for array methods, but that sounds like prime follow-on fodder to me
|
|
Reporter | |
Comment 6•17 years ago
|
||
Comment on attachment 303960 [details] [diff] [review]
native guards for P_C_T, plus more efficient else clauses
Tests out well too, r=shaver.
Attachment #303960 -
Flags: review?(shaver) → review+
|
|
Reporter | |
Comment 7•17 years ago
|
||
Filed bug 418239 on not hitting the propcache for native prototypes of non-native objects.
No longer blocks: 418239
|
|
Assignee | |
Comment 8•17 years ago
|
||
Fixed:
js/src/jsinterp.c 3.431
js/src/jsinterp.h 3.75
Thanks for the followup bug, I'll take that now.
/be
Status: ASSIGNED → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
|
||
Updated•17 years ago
|
Flags: in-testsuite-
Flags: in-litmus-
You need to log in
before you can comment on or make changes to this bug.
Description
•