Closed
Bug 510642
Opened 15 years ago
Closed 15 years ago
TM: Traced JSOP_BINDNAME is totally busted
Categories
(Core :: JavaScript Engine, defect, P1)
Core
JavaScript Engine
Tracking
()
VERIFIED
FIXED
mozilla1.9.3a1
Tracking | Status | |
---|---|---|
status1.9.2 | --- | beta1-fixed |
status1.9.1 | --- | ? |
People
(Reporter: gkw, Assigned: dmandelin)
References
Details
(5 keywords, Whiteboard: fixed-in-tracemonkey)
Attachments
(2 files, 5 obsolete files)
4.18 KB,
patch
|
Details | Diff | Splinter Review | |
15.31 KB,
patch
|
jimb
:
review+
|
Details | Diff | Splinter Review |
(function () { var x; (eval("\ (function () {\ for (y in [0, 0]) let(a)((function () {\ for (w in [0, 0])\ x = 0\ })());\ with({}) {}\ })\ "))() })() crashes js opt shell from TM branch (31571:fc0bfd8bf9e9) with -j at js_CallIteratorNext near null and asserts dbg shell at Assertion failure: i < fun->u.i.nvars, at ../jsfun.cpp:1000 autoBisect shows this is probably related to bug 495329 : The first bad revision is: changeset: 30697:60a9ef4e1a3d user: David Mandelin date: Mon Jul 27 18:13:53 2009 -0700 summary: Bug 495329: Trace JSOP_BINDNAME/JSOP_SETNAME for closures, r=brendan
Flags: blocking1.9.2?
Assignee | ||
Comment 1•15 years ago
|
||
Here is an easier-to-understand test case of the same bug (it prints the wrong value instead of asserting): function f() { var x = 11; function g() { var y = 12; function h() { for (var i = 0; i < 5; ++i) { y = 4; x = i * 2; } } h(); print('y = ' + y); } g(); print('x = ' + x); } f(); The problem is that the setname tracing code is missing the part that navigates up N frames to set the right variable--instead we are always setting things inside the immediately enclosing function g(). Logically, it seems like the traced code for bindname should do this.
Assignee | ||
Comment 2•15 years ago
|
||
This also fixes bug 510437.
Assignee | ||
Comment 3•15 years ago
|
||
Comment on attachment 394938 [details] [diff] [review] Patch I think it might crash a jstest, so no need to review before I check that.
Attachment #394938 -
Flags: review?(jim)
Comment 4•15 years ago
|
||
For what it's worth, this patch looks like the right thing to me. I explain more in bug 510437 comment 9 and its referents.
Comment 5•15 years ago
|
||
Actually, the patch aborts when js_FindIdentifierBase chooses the global object; this shouldn't be necessary. Test case: var x = 1; function f() { function g() { var t=0; for (var i=0; i<3; i++) x = i; }; g(); eval("var x = 2"); g(); print("x = " + uneval(x)); } f(); print ("x = " + x); aborts with: abort: 11616: Can only search through call objects for JSOP_BINDNAME because obj is the global object.
Assignee | ||
Comment 6•15 years ago
|
||
Good catch, although that particular example doesn't trace anyway, because of the same "special setter" issue. I did update the patch so that it does trace jsop_bindname when the search reaches the global.
Assignee | ||
Comment 7•15 years ago
|
||
Attachment #394938 -
Attachment is obsolete: true
Attachment #395125 -
Flags: review?(jim)
Comment 8•15 years ago
|
||
I think this is a test of the "foreshadowing" issue we discussed on IRC. Before tracing begins, this creates two closures whose scopes have the same shape, but different-shaped enclosing scopes along the scope chain. The test dutifully fails, but I'm not totally convinced. It might not be testing what I think it's testing. var d = 1; function heavy(x) { eval(x); return function lite() { var s = 0; for (var i = 0; i < 9; i++) s += d; return s; }; } var f1 = heavy("1"); var f2 = heavy("var d = 100;"); assertEq(f1(), 9); assertEq(f2(), 900);
Assignee | ||
Updated•15 years ago
|
Summary: TM: Crash [@ js_CallIteratorNext] or "Assertion failure: i < fun->u.i.nvars, at ../jsfun.cpp" → TM: Traced JSOP_BINDNAME is totally busted
Assignee | ||
Comment 11•15 years ago
|
||
This collects all the test cases for the bugs that got folded into this one, as well as from IRC, etc. The spec is roughly to make these tests pass.
Attachment #395125 -
Attachment is obsolete: true
Attachment #395125 -
Flags: review?(jim)
Assignee | ||
Comment 12•15 years ago
|
||
Missed a test last time.
Attachment #395160 -
Attachment is obsolete: true
Assignee | ||
Comment 13•15 years ago
|
||
The test case in comment 8 does in fact fail, but it's not part of this bug; it doesn't use SETNAME at all. I think it's a related bug in JSOP_NAME.
Assignee | ||
Comment 14•15 years ago
|
||
This is going to run on try overnight. It passes all the shell tests.
Attachment #395216 -
Flags: review?(jim)
Assignee | ||
Comment 15•15 years ago
|
||
Patch 3 passed try server last night.
Comment 16•15 years ago
|
||
Comment on attachment 395216 [details] [diff] [review] Patch 3 Could we drop the whitespace changes?
Assignee | ||
Comment 17•15 years ago
|
||
Attachment #395216 -
Attachment is obsolete: true
Attachment #395463 -
Flags: review?(jim)
Attachment #395216 -
Flags: review?(jim)
Assignee | ||
Comment 18•15 years ago
|
||
Please review promptly--I have 2 other patches pending that go on top of this, and these patches also fix a couple of other outstanding bugs.
Attachment #395463 -
Attachment is obsolete: true
Attachment #395877 -
Flags: review?(jim)
Attachment #395463 -
Flags: review?(jim)
Updated•15 years ago
|
Attachment #395877 -
Attachment is patch: true
Attachment #395877 -
Attachment mime type: application/octet-stream → text/plain
Comment 19•15 years ago
|
||
Almost done looking this over; should be done tomorrow morning. Nit for today: the comments atop traverseScopeChain should mention obj_ins and obj2_ins by name, and explain what they are.
Comment 20•15 years ago
|
||
Comment on attachment 395877 [details] [diff] [review] Patch 4 (patch 3 rebased to tip) Woot!
Attachment #395877 -
Flags: review?(jim) → review+
Assignee | ||
Comment 21•15 years ago
|
||
Pushed to TM as 080548cb428d.
Assignee | ||
Updated•15 years ago
|
Whiteboard: fixed-in-tracemonkey
Updated•15 years ago
|
Flags: blocking1.9.2? → blocking1.9.2+
Comment 23•15 years ago
|
||
http://hg.mozilla.org/mozilla-central/rev/080548cb428d
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Updated•15 years ago
|
Priority: -- → P1
Comment 24•15 years ago
|
||
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/e12d937a97ae
status1.9.2:
--- → beta1-fixed
Comment 25•15 years ago
|
||
js/src/trace-test/tests/basic/bug510437-2.js js/src/trace-test/tests/basic/bug510437.js js/src/trace-test/tests/basic/bug511214.js js/src/trace-test/tests/basic/setCall.js js/src/trace-test/tests/basic/setCallEvalMiddle.js js/src/trace-test/tests/basic/setCallEvalMiddle2.js js/src/trace-test/tests/basic/setCallGlobal.js
Flags: in-testsuite+
Comment 27•15 years ago
|
||
Bug 513038 has been duped against this bug. The crashes reported there affects 1.9.1. There are a couple of DeepBail crashes out there. Take as example bp-ad84b5fa-7463-4f44-8a26-784fe2091120. Considering for 1.9.1?
status1.9.1:
--- → ?
Target Milestone: --- → mozilla1.9.3a1
You need to log in
before you can comment on or make changes to this bug.
Description
•