Closed
Bug 625157
Opened 14 years ago
Closed 14 years ago
TM and interp disagree on function equality for null-closure
Categories
(Core :: JavaScript Engine, defect)
Core
JavaScript Engine
Tracking
()
RESOLVED
FIXED
Tracking | Status | |
---|---|---|
blocking2.0 | --- | betaN+ |
People
(Reporter: jandem, Assigned: dvander)
Details
(Whiteboard: [hardblocker][fixed-in-tracemonkey])
Attachments
(2 files, 1 obsolete file)
345 bytes,
application/x-javascript
|
Details | |
1.85 KB,
patch
|
brendan
:
review+
|
Details | Diff | Splinter Review |
The attached test case prints 'PASS' with interpreter/-m, but prints 'FAIL' with -j. It looks like TM does not create a new function object for a function expression?
Updated•14 years ago
|
blocking2.0: --- → ?
Updated•14 years ago
|
blocking2.0: ? → betaN+
Whiteboard: hardblocker
Updated•14 years ago
|
Assignee: general → dmandelin
Updated•14 years ago
|
Assignee: dmandelin → dvander
Assignee | ||
Comment 1•14 years ago
|
||
Here the interpreter and tracer are taking different paths in JSOP_LAMBDA. The lambda is a null closure. The interpreter decides to clone because (funobj->getParent() != fp->scopeChain()).
Meanwhile, the tracer decides that it should *not* clone because (funobj->getParent() == globalObj).
Comment 2•14 years ago
|
||
Is one behavior or the other "correct"?
Summary: TM: different output for test case involving function equality → TM and interp disagree on function equality for null-closure
Comment 3•14 years ago
|
||
Yes. The correct behavior is to print "PASS". Per ES5 spec, each function expression creates a new object. Under the hood we actually don't do that in some cases as an optimization, and in this case that's leaking out into script.
dvander, any idea why TM is doing the test it does?
Comment 4•14 years ago
|
||
(In reply to comment #1)
> Here the interpreter and tracer are taking different paths in JSOP_LAMBDA. The
> lambda is a null closure. The interpreter decides to clone because
> (funobj->getParent() != fp->scopeChain()).
>
> Meanwhile, the tracer decides that it should *not* clone because
> (funobj->getParent() == globalObj).
Old bug. The tracer used to be able to assume that only the global object was on the scope chain.
/be
Assignee | ||
Comment 5•14 years ago
|
||
It looks like the guard in question came in with bug 495331. I have no idea why it introduced that test, but it makes sense given that the compiler can give null closures weird scope chains.
This patch just makes the tracer match the interpreter, by effectively only avoiding cloning if both fp->scopeChain() and fun->parent are globalObj.
Assignee | ||
Updated•14 years ago
|
Attachment #505383 -
Flags: review?(brendan)
Comment 6•14 years ago
|
||
Comment on attachment 505383 [details] [diff] [review]
fix?
>diff --git a/js/src/jstracer.cpp b/js/src/jstracer.cpp
>--- a/js/src/jstracer.cpp
>+++ b/js/src/jstracer.cpp
>@@ -15426,31 +15426,31 @@ TraceRecorder::getFullIndex(ptrdiff_t pc
> }
>
> JS_REQUIRES_STACK AbortableRecordingStatus
> TraceRecorder::record_JSOP_LAMBDA()
> {
> JSFunction* fun;
> fun = cx->fp()->script()->getFunction(getFullIndex());
>
>+ if (FUN_CLOSURE(fun) && FUN_OBJECT(fun)->getParent() != globalObj)
>+ RETURN_STOP_A("Null closure function object parent must be global object");
FUN_NULL_CLOSURE(fun), right? Need test too.
/be
Assignee | ||
Comment 7•14 years ago
|
||
Sorry about that mess.
Attachment #505383 -
Attachment is obsolete: true
Attachment #506628 -
Flags: review?(brendan)
Attachment #505383 -
Flags: review?(brendan)
Comment 8•14 years ago
|
||
Comment on attachment 506628 [details] [diff] [review]
fix
I'm jazzed to have a test, hate to quibble, but consistently crunched var i=0; in for loops, or relaxed style with spaces around < too, would be just that much prettier. Thanks,
/be
Attachment #506628 -
Flags: review?(brendan) → review+
Assignee | ||
Comment 9•14 years ago
|
||
blocking2.0: betaN+ → ---
Whiteboard: hardblocker → [hardblocker][fixed-in-tracemonkey]
Assignee | ||
Updated•14 years ago
|
Status: NEW → ASSIGNED
Updated•14 years ago
|
blocking2.0: --- → betaN+
Comment 10•14 years ago
|
||
cdleary-bot mozilla-central merge info:
http://hg.mozilla.org/mozilla-central/rev/6962ba9824d7
Updated•14 years ago
|
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
You need to log in
before you can comment on or make changes to this bug.
Description
•