Closed Bug 510642 Opened 15 years ago Closed 15 years ago

TM: Traced JSOP_BINDNAME is totally busted

Categories

(Core :: JavaScript Engine, defect, P1)

Product:
Core
Component:
JavaScript Engine
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla1.9.3a1
Tracking Flags:
Tracking Status
status1.9.2 --- beta1-fixed
status1.9.1 --- ?

People

(Reporter: gkw, Assigned: dmandelin)

References

Details

(5 keywords, Whiteboard: fixed-in-tracemonkey)

Attachments

(2 files, 5 obsolete files)

Test cases
4.18 KB, patch
Details | Diff | Splinter Review
Patch 4 (patch 3 rebased to tip)
15.31 KB, patch
jimb
: review+
Details | Diff | Splinter Review 
(function () {
    var x;
    (eval("\
    (function () {\
        for (y in [0, 0]) let(a)((function () {\
            for (w in [0, 0])\
                x = 0\
        })());\
        with({}) {}\
    })\
    "))()
})()

crashes js opt shell from TM branch (31571:fc0bfd8bf9e9) with -j at js_CallIteratorNext near null and asserts dbg shell at Assertion failure: i < fun->u.i.nvars, at ../jsfun.cpp:1000

autoBisect shows this is probably related to bug 495329 :

The first bad revision is:
changeset:   30697:60a9ef4e1a3d
user:        David Mandelin
date:        Mon Jul 27 18:13:53 2009 -0700
summary:     Bug 495329: Trace JSOP_BINDNAME/JSOP_SETNAME for closures, r=brendan
Flags: blocking1.9.2?
Here is an easier-to-understand test case of the same bug (it prints the wrong value instead of asserting):

function f() {
  var x = 11;

  function g() {
    var y = 12;

    function h() {
      for (var i = 0; i < 5; ++i) {
	y = 4;
	x = i * 2;
      }
    }
    h();

    print('y = ' + y);
  }
  g();

  print('x = ' + x);
} 

f();

The problem is that the setname tracing code is missing the part that navigates up N frames to set the right variable--instead we are always setting things inside the immediately enclosing function g(). Logically, it seems like the traced code for bindname should do this.
Attached patch Patch (obsolete) — Splinter Review 
This also fixes bug 510437.
Assignee: general → dmandelin
Status: NEW → ASSIGNED
Attachment #394938 - Flags: review?(jim)
Comment on attachment 394938 [details] [diff] [review]
Patch

I think it might crash a jstest, so no need to review before I check that.
Attachment #394938 - Flags: review?(jim)
For what it's worth, this patch looks like the right thing to me.  I explain more in bug 510437 comment 9 and its referents.
Blocks: 505591
Actually, the patch aborts when js_FindIdentifierBase chooses the global object; this shouldn't be necessary.  Test case:

var x = 1;
function f() {
  function g() { 
    var t=0;
    for (var i=0; i<3; i++)
      x = i;
  };
  g();
  eval("var x = 2");
  g();
  print("x = " + uneval(x));
}
f();
print ("x = " + x);

aborts with:

abort: 11616: Can only search through call objects for JSOP_BINDNAME

because obj is the global object.
Good catch, although that particular example doesn't trace anyway, because of the same "special setter" issue. I did update the patch so that it does trace jsop_bindname when the search reaches the global.
Attached patch Patch (obsolete) — Splinter Review 

        Attachment #394938 -
        Attachment is obsolete: true

        Attachment #395125 -
        Flags: review?(jim)

    
    

    
  
I think this is a test of the "foreshadowing" issue we discussed on IRC. Before tracing begins, this creates two closures whose scopes have the same shape, but different-shaped enclosing scopes along the scope chain.

The test dutifully fails, but I'm not totally convinced. It might not be testing what I think it's testing.

var d = 1;
function heavy(x) {
    eval(x);
    return function lite() {
        var s = 0;
        for (var i = 0; i < 9; i++)
            s += d;
        return s;
    };
}

var f1 = heavy("1");
var f2 = heavy("var d = 100;");
assertEq(f1(), 9);
assertEq(f2(), 900);

    
  
Summary: TM: Crash [@ js_CallIteratorNext] or "Assertion failure: i < fun->u.i.nvars, at ../jsfun.cpp" → TM: Traced JSOP_BINDNAME is totally busted

    
    

    
  

      
      
      
      

        Attached patch
          
          
        Test cases (obsolete)
        — Splinter Review
      

    


  
This collects all the test cases for the bugs that got folded into this one, as well as from IRC, etc. The spec is roughly to make these tests pass.

        Attachment #395125 -
        Attachment is obsolete: true

        Attachment #395125 -
        Flags: review?(jim)

    
    

    
  

      
      
      
      

        Attached patch
          
          
        Test casesSplinter Review
      

    


  
Missed a test last time.

        Attachment #395160 -
        Attachment is obsolete: true

    
    

    
  
The test case in comment 8 does in fact fail, but it's not part of this bug; it doesn't use SETNAME at all. I think it's a related bug in JSOP_NAME.

    
    

    
  

      
      
      
      

        Attached patch
          
          
        Patch 3 (obsolete)
        — Splinter Review
      

    


  
This is going to run on try overnight. It passes all the shell tests.

        Attachment #395216 -
        Flags: review?(jim)

    
    

    
  
Patch 3 passed try server last night.

    
    

    
  
Comment on attachment 395216 [details] [diff] [review]
Patch 3

Could we drop the whitespace changes?

    
    

    
  


  

        Attachment #395216 -
        Attachment is obsolete: true

        Attachment #395463 -
        Flags: review?(jim)

        Attachment #395216 -
        Flags: review?(jim)

    
    

    
  


  
Please review promptly--I have 2 other patches pending that go on top of this, and these patches also fix a couple of other outstanding bugs.

        Attachment #395463 -
        Attachment is obsolete: true

        Attachment #395877 -
        Flags: review?(jim)

        Attachment #395463 -
        Flags: review?(jim)

    
  

        Attachment #395877 -
        Attachment is patch: true

        Attachment #395877 -
        Attachment mime type: application/octet-stream → text/plain

    
    

    
  
Almost done looking this over; should be done tomorrow morning.  Nit for today: the comments atop traverseScopeChain should mention obj_ins and obj2_ins by name, and explain what they are.

    
    

    
  
Comment on attachment 395877 [details] [diff] [review]
Patch 4 (patch 3 rebased to tip)

Woot!

        Attachment #395877 -
        Flags: review?(jim) → review+

    
    

    
  
Pushed to TM as 080548cb428d.

    
  
Whiteboard: fixed-in-tracemonkey

    
  
Flags: blocking1.9.2? → blocking1.9.2+

    
    

    
  
http://hg.mozilla.org/mozilla-central/rev/080548cb428d
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED

    
  
Priority: -- → P1

    
    

    
  
js/src/trace-test/tests/basic/bug510437-2.js
js/src/trace-test/tests/basic/bug510437.js
js/src/trace-test/tests/basic/bug511214.js
js/src/trace-test/tests/basic/setCall.js
js/src/trace-test/tests/basic/setCallEvalMiddle.js
js/src/trace-test/tests/basic/setCallEvalMiddle2.js
js/src/trace-test/tests/basic/setCallGlobal.js
Flags: in-testsuite+

    
    

    
  
v 1.9.3, 1.9.2
Status: RESOLVED → VERIFIED
Keywords: verified1.9.2

    
    

    
  
Bug 513038 has been duped against this bug. The crashes reported there affects 1.9.1. There are a couple of DeepBail crashes out there. Take as example bp-ad84b5fa-7463-4f44-8a26-784fe2091120. Considering for 1.9.1?

          status1.9.1:
          --- → ?
Target Milestone: --- → mozilla1.9.3a1
Depends on: 567580

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: