Closed Bug 602131 Opened 15 years ago Closed 15 years ago

Trace "in" for an array RHS

Categories

(Core :: JavaScript Engine, defect, P1)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
macOS
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla2.0b8

People

(Reporter: bzbarsky, Assigned: bzbarsky)

References

Details

(Whiteboard: fixed-in-tracemonkey)

Attachments

(1 file, 4 obsolete files)

Merged to
6.41 KB, patch
sayrer
: approval2.0+
Details | Diff | Splinter Review
Arrays have a lookupProperty op, so trying to use "in" when the RHS is an array will trace and then OOM-exit (of all things). We should just make this work (e.g. by hardcoding knowledge about the fact that the lookupProperty on Array is "safe" (which I bet it is) or having a way for class/object ops to indicate that or _something_. Need this for sanely self-hosting array ops (or need another traceable way to detect holes).
Blocks: 602132
Attachment #481527 - Flags: review?(jorendorff)
Attachment #481528 - Flags: review?(jorendorff)
Attachment #481529 - Flags: review?(jorendorff)
Re your third patch: makeNumberInt32() has just changed its prototype (bug 601009). You now have to check for whether it aborts.
Also, w.r.t. patches 1 and 2: the clean-ups are nice but will conflict with bug 602703, which will do a much bigger clean-up. You can keep them there if you like but it'll probably be easier if you avoid much more stuff like that for the moment.
Comment on attachment 481527 [details] [diff] [review] part 1. Factor out the getting of capacity for dense arrays. I say njn is man enough to rebase across this.
Attachment #481527 - Flags: review?(jorendorff) → review+
Comment on attachment 481528 [details] [diff] [review] part 2. Factor out the getting of an array element's address for dense arrays. Looks good, just some comment nits: > } > > > // Get the address of the element. >- LIns *dslots_ins = >- addName(lir->insLoad(LIR_ldp, obj_ins, offsetof(JSObject, dslots), ACCSET_OTHER), "dslots"); >- JS_ASSERT(sizeof(Value) == 8); // The |3| in the following statement requires this. >- LIns *addr_ins = lir->ins2(LIR_addp, dslots_ins, >- lir->ins2ImmI(LIR_lshp, lir->insUI2P(idx_ins), 3)); >+ LIns *addr_ins = dense_array_element_address(obj_ins, idx_ins); The comment doesn't seem necessary anymore. Maybe the one line of code here can slide into the next paragraph of code. While you're in here, would you please delete the extra blank line before "// Get the address of the element."? > void set_array_fslot(nanojit::LIns *obj_ins, unsigned slot, uint32 val); >+ /* array_obj_ins must be a dense array. */ > nanojit::LIns* dense_array_capacity(nanojit::LIns *array_obj_ins); >+ /** >+ * array_obj_ins must be a dense array; idx_ins must be an index such that >+ * 0 <= index < capacity. >+ * >+ * The return value is the address of the |index| element (the >+ * address of the Value, in other words) in the array. >+ */ >+ nanojit::LIns* dense_array_element_address(nanojit::LIns *array_obj_ins, >+ nanojit::LIns *idx_ins); > No /** in JS code. A simple /* will do. Also please add a blank line before each of these comments.
Attachment #481528 - Flags: review?(jorendorff) → review+
Comment on attachment 481529 [details] [diff] [review] part 3. Make the 'in' operator trace usefully when its right-hand side is a dense array. I think you have to: CHECK_STATUS(guardPrototypeHasNoIndexedProperties(obj, obj_ins, snapshot(MISMATCH_EXIT))); r=me with that and some trace-tests.
Attachment #481529 - Flags: review?(jorendorff) → review+
> makeNumberInt32() has just changed its prototype Thanks for the heads-up! Updated to that; yay more copy/paste. ;) > it'll probably be easier if you avoid much more stuff like that Will do. I just really didn't want to add a third copy of the complicated code... > The comment doesn't seem necessary anymore. Fixed. I pulled the line of code up, not down, since we need addr_ins for more than just dealing with holes. > No /** in JS code. A simple /* will do. Also please add a blank line before > each of these comments. Done. > CHECK_STATUS(guardPrototypeHasNoIndexedProperties Good catch! Done. Added some tests of basic functionality, and a test for the issue from comment 8.
Assignee: general → bzbarsky
Status: NEW → ASSIGNED
Attachment #481856 - Flags: approval2.0?
Priority: -- → P1
Whiteboard: [need approval]
I had to do some nontrivial merging after bug 584917. Jason, do you want to re-review the result?
Comment on attachment 481527 [details] [diff] [review] part 1. Factor out the getting of capacity for dense arrays. This is obsolete now that bug 602703 landed.
Attachment #481527 - Attachment is obsolete: true
Comment on attachment 481528 [details] [diff] [review] part 2. Factor out the getting of an array element's address for dense arrays. So is this.
Attachment #481528 - Attachment is obsolete: true
Attachment #481529 - Attachment is obsolete: true
Attached patch Merged toSplinter Review
Attachment #487857 - Flags: approval2.0?
Attachment #481856 - Attachment is obsolete: true
Attachment #481856 - Flags: approval2.0?
Sayrer, again, would be good to know whether I need to worry about this getting approval sometime....
Pushed http://hg.mozilla.org/tracemonkey/rev/b87a31d4c071
Whiteboard: [need approval] → fixed-in-tracemonkey
Attachment #487857 - Flags: approval2.0? → approval2.0+
http://hg.mozilla.org/mozilla-central/rev/b87a31d4c071
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla2.0b8
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: