Closed Bug 466781 Opened 16 years ago Closed 16 years ago

TM: inconsistent (0 in d) where d is a String

Categories

(Core :: JavaScript Engine, defect, P1)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
macOS
Type:
defect

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: jruderman, Assigned: sayrer)

References

Details

(Keywords: testcase, verified1.9.1, Whiteboard: [fixed-in-tracemonkey])

Attachments

(2 files, 4 obsolete files)

back traces for each str_resolve
4.58 KB, text/plain
Details
nits picked for checkin
3.14 KB, patch
sayrer
: review+
Details | Diff | Splinter Review
js> for each (let d in [new String('q'), new String('q'), new String('q')]) { print('' + (0 in d)); } true true false
Flags: blocking1.9.1?
Flags: blocking1.9.1? → blocking1.9.1+
Priority: -- → P1
WFM on tm.
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → WORKSFORME
oops, no, it is still broken
Status: RESOLVED → REOPENED
Resolution: WORKSFORME → ---
Note that these are string objects, not primitive strings. This calls into HasNamedProperty.
Look at the resolve flags being passed from the third, traced property lookup. Looks like cx->resolveFlags is not right.
InferFlags() in jsobj.cpp doesn't seem to get the right answer on trace.
The copy of js_GetTopStackFrame in jstracer.cpp references bug 462027. Does this mean we're broken for anything calling InferFlags, and objects with custom JSResolveOps in this particular case?
OK, after talking to jorendorff, I think this depends on bug 462027, so we can side exit in case there's a resolve op that re-enters. However, it seems to me that InferFlags() needn't interfere with us in this particular case, and we can get around it by setting the resolve op.
Depends on: deepbail
Attached patch set resolve flags (obsolete) — Splinter Review
I think this will work because these functions are called only from a recorded record_JSOP_IN. Seems like this should be an improvement, but not a perfect fix without a way to bail if we hit a meddling resolve implementation.
Attachment #356028 - Flags: review?(brendan)
This patch is missing trace-tests! Rob, you can make the builtin fail if anything about the situation smells fishy. (Non-native object, class has a resolve hook, whatever.) Then we'll just bail out and retry from the interpreter. I think a lot of builtins (and more all the time) are "optimistic" about doing stuff that could examine the stack, call random native code, or reenter the interpreter. The #ifdef DEBUG_jason assertion in js_GetTopStackFrame catches those cases, and I hit it a lot. That assert is going to be turned on for everyone in bug 462027 -- brace yourselves.
now with bailing and tests
Assignee: general → sayrer
Attachment #356028 - Attachment is obsolete: true
Attachment #356087 - Flags: review?(brendan)
Attachment #356028 - Flags: review?(brendan)
Attachment #356087 - Attachment is patch: true
Attachment #356087 - Attachment mime type: application/octet-stream → text/plain
Attachment #356087 - Attachment description: bail on unknown resolve ops, set the resolve op → bail on unknown resolve ops, set the resolve flags
Attached patch consolidate some more code (obsolete) — Splinter Review
Attachment #356087 - Attachment is obsolete: true
Attachment #356087 - Flags: review?(brendan)
Attached patch consolidate some more code (obsolete) — Splinter Review
Attachment #356132 - Attachment is obsolete: true
Attachment #356133 - Attachment is patch: true
Attachment #356133 - Attachment mime type: application/octet-stream → text/plain
Attachment #356133 - Flags: review?(brendan)
Attachment #356133 - Flags: review?(brendan) → review+
Comment on attachment 356133 [details] [diff] [review] consolidate some more code >+static JSBool HasProperty(JSContext* cx, JSObject* obj, jsid id) House style wants function name on its own line after qualifiers/type/mode. > { >+ // check whether we know how the resolve op will behave >+ JSClass* clasp = OBJ_GET_CLASS(cx, obj); >+ if (clasp->resolve != JS_ResolveStub && clasp != &js_StringClass) > return JSVAL_TO_BOOLEAN(JSVAL_VOID); >+ JSAutoResolveFlags rf(cx, JSRESOLVE_QUALIFIED); > No trailing whitespace please! Prettier to put the blank line before rf's definition, not after. r=me with nits picked. /be
Attachment #356135 - Flags: review+
Attachment #356133 - Attachment is obsolete: true
Attachment #356135 - Attachment is patch: true
Attachment #356135 - Attachment mime type: application/octet-stream → text/plain
Whiteboard: fixed-in-tracemonkey
I'm not sure this is good enough--property lookups can also call resolve hooks for other objects up the prototype chain.
(In reply to comment #16) > I'm not sure this is good enough--property lookups can also call resolve hooks > for other objects up the prototype chain. You're right, this could be an issue for XPConnect and the DOM. For the core engine it shouldn't be. Separated bug needed. /be
http://hg.mozilla.org/mozilla-central/rev/080ccddea3b5
Status: REOPENED → RESOLVED
Closed: 16 years ago16 years ago
Resolution: --- → FIXED
test updated in http://hg.mozilla.org/mozilla-central/rev/7eb907886ae7 and /cvsroot/mozilla/js/tests/js1_8_1/trace/trace-test.js,v <-- trace-test.js new revision: 1.9; previous revision: 1.8 verified 1.9.1 tracemonkey, 1.9.2.
Status: RESOLVED → VERIFIED
Flags: in-testsuite+
Flags: in-litmus-
Whiteboard: fixed-in-tracemonkey → [fixed-in-tracemonkey][needs 1.9.1 landing]
Whiteboard: [fixed-in-tracemonkey][needs 1.9.1 landing] → [fixed-in-tracemonkey]
v 1.9.1
Keywords: fixed1.9.1verified1.9.1
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: