Closed Bug 504590 Opened 15 years ago Closed 15 years ago

javascript closures strange behavior

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
status1.9.1 --- ?

People

(Reporter: salomvary.marton, Assigned: mrbkap)

References

Details

(Keywords: regression, testcase)

Attachments

(2 files)

test code
472 bytes, text/html
Details
Proposed fix
1.32 KB, patch
brendan
: review+
Details | Diff | Splinter Review 
User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.10) Gecko/2009042513 Ubuntu/8.04 (hardy) Firefox/3.0.10
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1) Gecko/20090624 Firefox/3.5

Under certain circumstances (seems to be related to closures), a javascript function, which should return a _new instance_ of an anonymous function returns always the _same_ function object.

Reproducible: Always

Steps to Reproduce:
1. run the test code 
Actual Results:  
The two objects are equal. (Displays: "result: true,true")

Expected Results:  
The two objects shouldn't be equal. (Should display: "result: false, false")

Versions tested: Firefox 3.5 (Linux, Win), and nightly build on Linux (Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2a1pre) Gecko/20090716 Minefield/3.6a1pre)

Test code (html):
<html>
	<head>
	</head>
	<body id="body">
		<script>
			function create() {
				return function() { 
					var foo;
					if (false) {
						return function() {
							return foo;
						};
					} 
					foo = Object;
					return false;
				};
			}

			var a = create();
			var b = create();
			document.getElementById('body').innerHTML = 'result: ' + (a == b) + ',' + (a === b) + '<br/> expected: false, false';
		</script>
	</body>
</html>
Attached file test code 

    
  
Version: unspecified → 3.5 Branch

    
    

    
  
Testcase confirmed on Windows Vista. Regression range: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=d056669074c7&tochange=57213af4a45d
Assignee: nobody → general
Status: UNCONFIRMED → NEW
Component: General → JavaScript Engine
Ever confirmed: true
Keywords: regression, 
          
            testcase
Product: Firefox → Core
QA Contact: general → general
Hardware: x86 → All
Version: 3.5 Branch → Trunk

    
    

    
  
This is fallout from upvar2. I think we should fix it on the 1.9.1 branch. But it doesn't block.
Blocks: upvar2

          status1.9.1:
          --- → needstriage

    
    

    
  

      
      
      
      

        Attached patch
          
          
        Proposed fixSplinter Review
      

    


  
The closure forces the inner function to be HEAVYWEIGHT (since it's very hard for the compiler to clear the flag) and we end up falling into the non-null-closure case of JSOP_LAMBDA. That branch avoids cloning if the compiler saw the right parent (which it does in this case) but that, in effect, creates a joined function object, whose semantics we don't quite support yet (see bug 471214).
Assignee: general → mrbkap
Status: NEW → ASSIGNED

        Attachment #388970 -
        Flags: review?(brendan)

    
    

    
  
Comment on attachment 388970 [details] [diff] [review]
Proposed fix

Any perf effects of note?

Please use more standard (cough, we have two leading forms) FIXME style, preferably FIXME: bug NNNNNN.

/be

        Attachment #388970 -
        Flags: review?(brendan) → review+

    
    

    
  
http://hg.mozilla.org/mozilla-central/rev/66e5fb8783ef
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: