Closed Bug 466781 Opened 16 years ago Closed 16 years ago

TM: inconsistent (0 in d) where d is a String

Categories

(Core :: JavaScript Engine, defect, P1)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
macOS
Type:
defect

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: jruderman, Assigned: sayrer)

References

Details

(Keywords: testcase, verified1.9.1, Whiteboard: [fixed-in-tracemonkey])

Attachments

(2 files, 4 obsolete files)

back traces for each str_resolve
4.58 KB, text/plain
Details
nits picked for checkin
3.14 KB, patch
sayrer
: review+
Details | Diff | Splinter Review 
js> for each (let d in [new String('q'), new String('q'), new String('q')]) { print('' + (0 in d)); }

true
true
false
Flags: blocking1.9.1?
Flags: blocking1.9.1? → blocking1.9.1+
Priority: -- → P1
WFM on tm.
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → WORKSFORME
oops, no, it is still broken
Status: RESOLVED → REOPENED
Resolution: WORKSFORME → ---
Note that these are string objects, not primitive strings. This calls into HasNamedProperty.
Look at the resolve flags being passed from the third, traced property lookup.

Looks like cx->resolveFlags is not right.
InferFlags() in jsobj.cpp doesn't seem to get the right answer on trace.
The copy of js_GetTopStackFrame in jstracer.cpp references bug 462027. Does this mean we're broken for anything calling InferFlags, and objects with custom JSResolveOps in this particular case?
OK, after talking to jorendorff, I think this depends on bug 462027, so we can side exit in case there's a resolve op that re-enters. However, it seems to me that InferFlags() needn't interfere with us in this particular case, and we can get around it by setting the resolve op.
Depends on: deepbail
Attached patch set resolve flags (obsolete) — Splinter Review 
I think this will work because these functions are called only from a recorded record_JSOP_IN. 

Seems like this should be an improvement, but not a perfect fix without a way to bail if we hit a meddling resolve implementation.
Attachment #356028 - Flags: review?(brendan)
This patch is missing trace-tests!

Rob, you can make the builtin fail if anything about the situation smells fishy. (Non-native object, class has a resolve hook, whatever.) Then we'll just bail out and retry from the interpreter.

I think a lot of builtins (and more all the time) are "optimistic" about doing stuff that could examine the stack, call random native code, or reenter the interpreter. The #ifdef DEBUG_jason assertion in js_GetTopStackFrame catches those cases, and I hit it a lot. That assert is going to be turned on for everyone in bug 462027 -- brace yourselves.
now with bailing and tests
Assignee: general → sayrer
Attachment #356028 - Attachment is obsolete: true
Attachment #356087 - Flags: review?(brendan)
Attachment #356028 - Flags: review?(brendan)
Attachment #356087 - Attachment is patch: true
Attachment #356087 - Attachment mime type: application/octet-stream → text/plain
Attachment #356087 - Attachment description: bail on unknown resolve ops, set the resolve op → bail on unknown resolve ops, set the resolve flags
Attached patch consolidate some more code (obsolete) — Splinter Review 

        Attachment #356087 -
        Attachment is obsolete: true

        Attachment #356087 -
        Flags: review?(brendan)

    
    

    
  

      
      
      
      

        Attached patch
          
          
        consolidate some more code (obsolete)
        — Splinter Review
      

    


  

        Attachment #356132 -
        Attachment is obsolete: true

    
  

        Attachment #356133 -
        Attachment is patch: true

        Attachment #356133 -
        Attachment mime type: application/octet-stream → text/plain

    
  

        Attachment #356133 -
        Flags: review?(brendan)

        Attachment #356133 -
        Flags: review?(brendan) → review+

    
    

    
  
Comment on attachment 356133 [details] [diff] [review]
consolidate some more code

>+static JSBool HasProperty(JSContext* cx, JSObject* obj, jsid id)

House style wants function name on its own line after qualifiers/type/mode.

> {
>+    // check whether we know how the resolve op will behave
>+    JSClass* clasp = OBJ_GET_CLASS(cx, obj);
>+    if (clasp->resolve != JS_ResolveStub && clasp != &js_StringClass)
>         return JSVAL_TO_BOOLEAN(JSVAL_VOID);
>+    JSAutoResolveFlags rf(cx, JSRESOLVE_QUALIFIED); 
> 

No trailing whitespace please!

Prettier to put the blank line before rf's definition, not after.

r=me with nits picked.

/be

    
    

    
  


  

        Attachment #356135 -
        Flags: review+

    
  

        Attachment #356133 -
        Attachment is obsolete: true

    
  

        Attachment #356135 -
        Attachment is patch: true

        Attachment #356135 -
        Attachment mime type: application/octet-stream → text/plain

    
  
Whiteboard: fixed-in-tracemonkey

    
    

    
  
I'm not sure this is good enough--property lookups can also call resolve hooks for other objects up the prototype chain.

    
    

    
  
(In reply to comment #16)
> I'm not sure this is good enough--property lookups can also call resolve hooks
> for other objects up the prototype chain.

You're right, this could be an issue for XPConnect and the DOM. For the core engine it shouldn't be. Separated bug needed.

/be

    
    

    
  
http://hg.mozilla.org/mozilla-central/rev/080ccddea3b5
Status: REOPENED → RESOLVED
Closed: 16 years ago16 years ago
Resolution: --- → FIXED

    
    

    
  
test updated in http://hg.mozilla.org/mozilla-central/rev/7eb907886ae7 
and  /cvsroot/mozilla/js/tests/js1_8_1/trace/trace-test.js,v  <-- 
trace-test.js
new revision: 1.9; previous revision: 1.8


verified 1.9.1 tracemonkey, 1.9.2.
Status: RESOLVED → VERIFIED
Flags: in-testsuite+
Flags: in-litmus-
Whiteboard: fixed-in-tracemonkey → [fixed-in-tracemonkey][needs 1.9.1 landing]

    
  
Whiteboard: [fixed-in-tracemonkey][needs 1.9.1 landing] → [fixed-in-tracemonkey]

    
    

    
  
v 1.9.1
Keywords: fixed1.9.1verified1.9.1

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: