TM: Incorrect use of the global object's identity

RESOLVED FIXED

Status

()

Core
JavaScript Engine
P2
normal
RESOLVED FIXED
9 years ago
9 years ago

People

(Reporter: gal, Assigned: gal)

Tracking

({fixed1.9.1})

unspecified
x86
Mac OS X
fixed1.9.1
Points:
---
Bug Flags:
blocking1.9.1 +
in-testsuite -
in-litmus -

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: fixed-in-tracemonkey)

Attachments

(1 attachment)

Comment hidden (empty)
(Assignee)

Updated

9 years ago
Flags: blocking1.9.1?
Priority: -- → P2
(Assignee)

Comment 1

9 years ago
Created attachment 358314 [details] [diff] [review]
patch
Assignee: general → gal
Attachment #358314 - Flags: review?(brendan)
Attachment #358314 - Flags: review?(brendan) → review+
(Assignee)

Comment 2

9 years ago
Trees are only executed if the shape of the global object has not changed since recording time. We do not actually guarantee that the global object's identity is unchanged. We only guarantee the shape still matches. In the actual trace code we used the global object's identity to decide whether it aliases an object being used for direct property access. This might be wrong if we get a different global object with the same shape. Instead, this patch passes in the current global object's identity via InterpState. No measurable perf overhead. The patch also fixes an incorrect use of cx->globalObject in the oracle hashing and excludes the global object's identity from the hash (for the argument made above, we only care about the shape).
(Assignee)

Comment 3

9 years ago
TM: http://hg.mozilla.org/tracemonkey/rev/29beb0928cfa
Whiteboard: fixed-in-tracemonkey

Comment 4

9 years ago
http://hg.mozilla.org/mozilla-central/rev/29beb0928cfa
Status: NEW → RESOLVED
Last Resolved: 9 years ago
Flags: blocking1.9.1? → blocking1.9.1+
Resolution: --- → FIXED

Updated

9 years ago
Flags: in-testsuite-
Flags: in-litmus-
You need to log in before you can comment on or make changes to this bug.