Closed Bug 497015 Opened 15 years ago Closed 15 years ago

TM: Wrong value with upvars referring to top-level let variables

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Version:
1.9.1 Branch
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: gkw, Assigned: dmandelin)

References

Details

(Keywords: fixed1.9.1, regression, testcase, Whiteboard: fixed-in-tracemonkey)

Attachments

(1 file)

Patch
1.96 KB, patch
gal
: review+
Details | Diff | Splinter Review 
for each(let a in ['', 8888, 8888, /x/]) {
    '';
    for each(e in ['', false, '']) {
        (function(e) {
            for each(let c in ['']) {
                print(a);
            }
        })();
        for (let aa = 0; aa < 1; ++aa) {
            a = aa;
        }
    }
}

Note the extra "8888" in JIT'ed output. Tested on 191 revision 2d0f0efc8f14. Patch in bug 496922 comment 2 does not fix this.

===

$ ./js-dbg-moz191-intelmac 
js> for each(let a in ['', 8888, 8888, /x/]) {
    '';
    for each(e in ['', false, '']) {
        (function(e) {
            for each(let c in ['']) {
                print(a);
            }
        })();
        for (let aa = 0; aa < 1; ++aa) {
            a = aa;
        }
    }
}

0
0
8888
0
0
8888
0
0
/x/
0
0
0
js> ^C
$ ./js-dbg-moz191-intelmac -j
js> for each(let a in ['', 8888, 8888, /x/]) {
    '';
    for each(e in ['', false, '']) {
        (function(e) {
            for each(let c in ['']) {
                print(a);
            }
        })();
        for (let aa = 0; aa < 1; ++aa) {
            a = aa;
        }
    }
}

0
0
8888
0
0
8888
0
8888
/x/
0
0
0
js>
Flags: blocking1.9.1?
This appears to be related to setting upvars defined with |let|. The function js_GetUpvarOnTrace is accessing the correct entry on the trace stack, but that entry has the wrong value--it has the value before the assignment |a=aa|.
Flags: blocking1.9.1? → blocking1.9.1+
Assignee: general → dmandelin
Since this is a blocker, I should add that it can be quick-fixed by aborting tracing of a JSOP_GETUPVAR when the target frame (containing uvpar definition) has no |fun| member inside TraceRecorder::upvar(). For now, I'll try to fix it so it doesn't have to abort.
Attached patch PatchSplinter Review 
The |!fp->fun| case of upvar access was not being handled correctly. Specifically, if the argument to JSOP_GETUPVAR is |n|, then when reading from the interpreter, we should read from position |n+fp->fun->nfixed|. (This is defined by js_GetUpVar.) But if we are reading from the trace native stack, the callee, this, args, and locals are not pushed to the native stack, so we should read from position |n| of the slots area of the stack frame. I didn't realize earlier that the addressing needed to be different for the two cases.

The test case doesn't fail inside the regression test suite, so I can't really check in a test case. I have a personal directory of standalone files that I use as personal upvar regression tests, and I have added it there.
Attachment #382404 - Flags: review?(gal)
Attachment #382404 - Flags: review?(gal) → review+
Pushed to TM as bf1e2a11e031.
Whiteboard: fixed-in-tracemonkey
Summary: TM: Different values with testcase containing for...in, print, function → TM: Wrong value with upvars referring to top-level let variables
http://hg.mozilla.org/mozilla-central/rev/bf1e2a11e031
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Flags: in-testsuite?
Bug in removed tracer code, setting in-testsuite- flag.
Flags: in-testsuite? → in-testsuite-
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: