Closed Bug 593256 Opened 14 years ago Closed 14 years ago

Bugs in dictionary-mode property table maintenance

Tracking

()

Status:

RESOLVED FIXED

Milestone:

mozilla2.0b7

Tracking Flags:

Tracking

Status

blocking2.0

---

final+

People

(Reporter: brendan, Assigned: brendan)

References

Details

(Whiteboard: fixed-in-tracemonkey)

Attachments

(2 files, 9 obsolete files)

proposed fix 14 years ago Brendan Eich [:brendan] 9.67 KB, patch	jorendorff : review+	Details \| Diff \| Splinter Review
rename freeslot (the method of JSObject, the data member of JSObjectMap) to slotSpan 14 years ago Brendan Eich [:brendan] 28.01 KB, patch		Details \| Diff \| Splinter Review
refreshed proposed fix 14 years ago Brendan Eich [:brendan] 10.90 KB, patch		Details \| Diff \| Splinter Review
rename freeslot (both of them; to different names) 14 years ago Brendan Eich [:brendan] 32.41 KB, patch		Details \| Diff \| Splinter Review
rebased on tm tip and latest bug 592556 patch 14 years ago Brendan Eich [:brendan] 10.90 KB, patch		Details \| Diff \| Splinter Review
rename freeslot (both of them; to different names) 14 years ago Brendan Eich [:brendan] 31.77 KB, patch		Details \| Diff \| Splinter Review
rebased on tm tip + bug 592556 patch, plus monotonic check 14 years ago Brendan Eich [:brendan] 11.02 KB, patch		Details \| Diff \| Splinter Review
rename freeslot (both of them; to different names) 14 years ago Brendan Eich [:brendan] 32.94 KB, patch		Details \| Diff \| Splinter Review
rebased fix patch, without renamings 14 years ago Brendan Eich [:brendan] 11.02 KB, patch	jorendorff : review+	Details \| Diff \| Splinter Review
rename freeslot (both of them; to different names) 14 years ago Brendan Eich [:brendan] 32.92 KB, patch		Details \| Diff \| Splinter Review
renaming patch, rebased on top of fixed patch for 592556 14 years ago Brendan Eich [:brendan] 32.90 KB, patch	jorendorff : review+	Details \| Diff \| Splinter Review

Brendan Eich [:brendan]

Assignee

Description

•

14 years ago

Found by consistency checker I added on top of the patch for bug 592556. Patch coming soon.

/be

Brendan Eich [:brendan]

Assignee

Comment 1

•

14 years ago

Attached patch proposed fix (obsolete) — Details — Splinter Review

Plus the #ifdef DEBUG_notme (expensive, kills some tests) consistency checking, in jsscope.cpp, JSObject::checkShapeConsistency.

/be

Attachment #471744 - Flags: review?(jorendorff)

Brendan Eich [:brendan]

Assignee

Comment 2

•

14 years ago

Attached patch rename freeslot (the method of JSObject, the data member of JSObjectMap) to slotSpan (obsolete) — Details — Splinter Review

[10:43am] brendan: yeah, just about to attach a separate renaming patch, for sanity
[10:43am] jorendorff: great
[10:43am] brendan: s/freeslot/slotSpan/ almost everywhere
[10:43am] brendan: JSObject::freeSlot method vs. JSObject::freeslot member (going away, but still) -- too close
[10:44am] brendan: (moving to JSObjectMap, actually)
[10:44am] brendan: i was dreaming about better names, came up with slotSpan
[10:44am] jorendorff: hmm... Is that really better?
[10:45am] brendan: i think so, for that reason and another
[10:45am] brendan: PropertyTable::freeslot is SHAPE_INVALID_SLOT or the index of the last-freed slot in the index-threaded freelist linked among slot values
[10:45am] brendan: using PrivateUint32 encoded values
[10:45am] brendan: oh, that's two reasons
[10:46am] brendan: 1. avoid yet another name collision
[10:46am] brendan: 2. the freelist means JSObject::freeslot (or JSObjectMap::freeslot in the patch for bug 593256) is not the first free slot
[10:46am] brendan: it's the span (distance, to fencepost not last allocated) covering all live slots and some freelist-threaded free ones
[10:47am] jorendorff: that makes sense
[10:48am] brendan: so three reasons (two kinda the same but not quite)

/be

Attachment #471915 - Flags: review?(jorendorff)

Jason Orendorff [:jorendorff]

Comment 3

•

14 years ago

Comment on attachment 471744 [details] [diff] [review]
proposed fix

Needs tests. r=me with that.

Attachment #471744 - Flags: review?(jorendorff) → review+

Brendan Eich [:brendan]

Assignee

Comment 4

•

14 years ago

(In reply to comment #3)
> Comment on attachment 471744 [details] [diff] [review]
> proposed fix
> 
> Needs tests. r=me with that.

How, though? Perf-test would have to be pretty sensitive to notice the loss of a table. The existing tests do catch the bugs with CHECK_SHAPE_CONSISTENCY enabled.

Jason also mentioned on IRC the idea of keeping JSObject::checkShapeConsistency #ifdef DEBUG but conditioning it on an envar. I'll do that.

/be

Brendan Eich [:brendan]

Assignee

Comment 5

•

14 years ago

Attached patch refreshed proposed fix (obsolete) — Details — Splinter Review

Attachment #471744 - Attachment is obsolete: true

Attachment #472702 - Flags: review?(jorendorff)

Brendan Eich [:brendan]

Assignee

Comment 6

•

14 years ago

Attached patch rename freeslot (both of them; to different names) (obsolete) — Details — Splinter Review

This should be just cosmetic -- name changes only.

/be

Attachment #471915 - Attachment is obsolete: true

Attachment #472705 - Flags: review?(jorendorff)

Attachment #471915 - Flags: review?(jorendorff)

Brendan Eich [:brendan]

Assignee

Comment 7

•

14 years ago

These patches are on top of the patch for bug 592556.

/be

Brendan Eich [:brendan]

Assignee

Comment 8

•

14 years ago

Attached patch rebased on tm tip and latest bug 592556 patch (obsolete) — Details — Splinter Review

Attachment #472702 - Attachment is obsolete: true

Attachment #472925 - Flags: review?(jorendorff)

Attachment #472702 - Flags: review?(jorendorff)

Brendan Eich [:brendan]

Assignee

Comment 9

•

14 years ago

Attached patch rename freeslot (both of them; to different names) (obsolete) — Details — Splinter Review

Attachment #472705 - Attachment is obsolete: true

Attachment #472926 - Flags: review?(jorendorff)

Attachment #472705 - Flags: review?(jorendorff)

Brendan Eich [:brendan]

Assignee

Comment 10

•

14 years ago

Attached patch rebased on tm tip + bug 592556 patch, plus monotonic check (obsolete) — Details — Splinter Review

Attachment #472925 - Attachment is obsolete: true

Attachment #472929 - Flags: review?(jorendorff)

Attachment #472925 - Flags: review?(jorendorff)

Brendan Eich [:brendan]

Assignee

Comment 11

•

14 years ago

Attached patch rename freeslot (both of them; to different names) (obsolete) — Details — Splinter Review

Attachment #472926 - Attachment is obsolete: true

Attachment #472930 - Flags: review?(jorendorff)

Attachment #472926 - Flags: review?(jorendorff)

Brendan Eich [:brendan]

Assignee

Comment 12

•

14 years ago

Attached patch rebased fix patch, without renamings — Details — Splinter Review

Attachment #472929 - Attachment is obsolete: true

Attachment #473352 - Flags: review?(jorendorff)

Attachment #472929 - Flags: review?(jorendorff)

Brendan Eich [:brendan]

Assignee

Comment 13

•

14 years ago

Attached patch rename freeslot (both of them; to different names) (obsolete) — Details — Splinter Review

Attachment #472930 - Attachment is obsolete: true

Attachment #473353 - Flags: review?(jorendorff)

Attachment #472930 - Flags: review?(jorendorff)

Brendan Eich [:brendan]

Assignee

Comment 14

•

14 years ago

Attached patch renaming patch, rebased on top of fixed patch for 592556 — Details — Splinter Review

Attachment #473353 - Attachment is obsolete: true

Attachment #473579 - Flags: review?(jorendorff)

Attachment #473353 - Flags: review?(jorendorff)

Jason Orendorff [:jorendorff]

Comment 15

•

14 years ago

Comment on attachment 473352 [details] [diff] [review]
rebased fix patch, without renamings

This is almost unchanged. Just a few tweaks to the DEBUG-only code, looks like? And those look good. r=me.

Attachment #473352 - Flags: review?(jorendorff) → review+

Jason Orendorff [:jorendorff]

Comment 16

•

14 years ago

Comment on attachment 473579 [details] [diff] [review]
renaming patch, rebased on top of fixed patch for 592556

Straightforward. r=me!

Attachment #473579 - Flags: review?(jorendorff) → review+

Brendan Eich [:brendan]

Assignee

Comment 17

•

14 years ago

http://hg.mozilla.org/tracemonkey/rev/3feb012b18a3
http://hg.mozilla.org/tracemonkey/rev/65a532c7885e

/be

Whiteboard: fixed-in-tracemonkey

Brendan Eich [:brendan]

Assignee

Comment 20

•

14 years ago

Hrm, something about the testcase is not working in the browser jsreftest setting:

REFTEST TEST-UNEXPECTED-FAIL | file:///home/cltbld/talos-slave/tracemonkey_fedora_test-jsreftest/build/jsreftest/tests/jsreftest.html?test=js1_8_5/regress/regress-593256.js | Unknown file:///home/cltbld/talos-slave/tracemonkey_fedora_test-jsreftest/build/jsreftest/tests/js1_8_5/regress/regress-593256.js:7: syntax error item 1

from

http://tinderbox.mozilla.org/showlog.cgi?log=TraceMonkey/1284238792.1284239256.9704.gz&fulltext=1#err0

bclary, sayrer, anyone: advice? Please disable the test if necessary for the short run. Patches should stick.

/be

Brendan Eich [:brendan]

Assignee

Comment 21

•

14 years ago

Naturally the test passes in the shell setting. I even ran under gdb to be sure a syntax error wasn't being swallowed:

(gdb) r  -f shell.js -f js1_8_5/shell.js -f js1_8_5/regress/shell.js -f ./js1_8_5/regress/regress-593256.js
Starting program: /Users/brendaneich/Hacking/hg.mozilla.org/tracemonkey/js/src/Darwin_DBG.OBJ/js -f shell.js -f js1_8_5/shell.js -f js1_8_5/regress/shell.js -f ./js1_8_5/regress/regress-593256.js
Reading symbols for shared libraries .++++..................................................................................... done
 PASSED! don't crash

Program exited normally.

Could be some quoting or line-ending issue? How are jsreftests embedded in HTML script tags?

/be

Brendan Eich [:brendan]

Assignee

Comment 22

•

14 years ago

Aha, JSOPTION_ANONFUNFIX is set in browser but not shell. The testcase evals anonymous function expressions in expression-statement position. I'll file a bug on setting this option in the shell, but it'll require testcase changes and fuzzer adjustments.

/be

Brendan Eich [:brendan]

Assignee

Comment 23

•

14 years ago

(In reply to comment #22)
> I'll file a bug on setting this option in the shell, ....

Filed bug 595555.

/be

Robert Sayre

Updated

•

14 years ago

blocking2.0: --- → final+

ojab

Comment 24

•

14 years ago

After these changes I have build failure: https://bugzilla.mozilla.org/show_bug.cgi?id=595615

Brendan Eich [:brendan]

Assignee

Comment 25

•

14 years ago

http://hg.mozilla.org/mozilla-central/rev/3feb012b18a3
http://hg.mozilla.org/mozilla-central/rev/65a532c7885e (rename freeslot patch)
http://hg.mozilla.org/mozilla-central/rev/0b33419e048d (workaround bug 595555)

/be

Status: ASSIGNED → RESOLVED

Closed: 14 years ago

Resolution: --- → FIXED

Gary [:streetwolf52]

Comment 26

•

14 years ago

Please have a look at this https://bugzilla.mozilla.org/show_bug.cgi?id=595693

Brendan Eich [:brendan]

Assignee

Comment 27

•

14 years ago

(In reply to comment #26)
> Please have a look at this https://bugzilla.mozilla.org/show_bug.cgi?id=595693

Nothing to do with this bug, but indeed a regression in the Block object patch for bug 592556, fixed by the final patch in that bug (the one aimed successfully at killing a Ts regression).

/be

Alice0775 White

Updated

•

14 years ago

Depends on: 595846

Brendan Eich [:brendan]

Assignee

Updated

•

14 years ago

No longer depends on: 595846

You need to log in before you can comment on or make changes to this bug.