Closed Bug 457920 Opened 16 years ago Closed 16 years ago

regexp-dna.js and generality want JSOP_GETELEM(dense array, "0")

Categories

(Core :: JavaScript Engine, defect, P1)

Product:
Core
Component:
JavaScript Engine
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla1.9.1

People

(Reporter: brendan, Assigned: brendan)

Details

(Keywords: verified1.9.1)

Attachments

(2 files)

proposed fix
17.33 KB, patch
gal
: review+
mrbkap
: review+
Details | Diff | Splinter Review
wdiff
13.80 KB, patch
Details | Diff | Splinter Review 
And so on -- for-in loops produce string property names, not uints, but array_getProperty can cope. So must TM.

/be
Attached patch proposed fixSplinter Review 
This patch guards on holes in dense arrays. We can't see through them, except in the general case of obj[str] = foo where obj is a dense array -- in that case the Array_dense_setelem built-in, like the interpreter's JSOP_SETELEM case, will test the new runtime-wide anyArrayProtoHasElement flag and cope.

On the up side, this uses LIR_ult to combine two guards into one under guardDenseArrayIndex.

/be
Attachment #341340 - Flags: review?(gal)
Correctness issues discovered and patched here, needed for b2.

/be
Flags: blocking1.9.1?
Priority: -- → P1
Attachment #341340 - Flags: review?(mrbkap)
Comment on attachment 341340 [details] [diff] [review]
proposed fix

Need a 2nd pair of eyes for the interpreter side of things. Blake?
Attachment #341340 - Flags: review?(mrbkap) → review+
Attached patch wdiffSplinter Review 

    
    

    
  
Comment on attachment 341340 [details] [diff] [review]
proposed fix

I am unsure about this part: 

-    guard(false, lir->ins_eq0(dslots_ins), MISMATCH_EXIT);

Maybe you could add a code comment why thats not necessary.

        Attachment #341340 -
        Flags: review?(gal) → review+

    
    

    
  
Commented and committed, but I didn't check for orange first! Something committed before 21:02:51 seems to have turned the TraceMonkey Windows box orange.

http://hg.mozilla.org/tracemonkey/rev/98d37f459fef

/be

    
    

    
  
Orange looks like sync xhr test flapping, went green again. Hope it's gone when we update from m-c next.

/be

    
    

    
  
Fixed on m-c:

http://hg.mozilla.org/mozilla-central/rev/98d37f459fef

/be
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Flags: in-testsuite-
Flags: in-litmus-

    
  
Flags: blocking1.9.1? → blocking1.9.1+
Keywords: fixed1.9.1

    
    

    
  
Seeing as there hasn't been any discussions about this bug for 5 months, I'm
guessing there aren't any residual issues. I'm moving this to verified as a
result. If anyone has any qualms, feel free to bring them up.
Status: RESOLVED → VERIFIED
Keywords: fixed1.9.1verified1.9.1

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: