Last Comment Bug 646599 - Constant folding should happen before deciding whether to turn obj["A"] into obj.A
: Constant folding should happen before deciding whether to turn obj["A"] into ...
Status: RESOLVED FIXED
: testcase
Product: Core
Classification: Components
Component: JavaScript Engine (show other bugs)
: Trunk
: All All
: -- normal (vote)
: mozilla17
Assigned To: Tom Schuster [:evilpie]
:
Mentors:
Depends on:
Blocks: jsfunfuzz
  Show dependency treegraph
 
Reported: 2011-03-30 12:54 PDT by Jesse Ruderman
Modified: 2012-07-21 14:42 PDT (History)
2 users (show)
See Also:
Crash Signature:
(edit)
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Attachments
v1 (2.86 KB, patch)
2012-07-14 04:04 PDT, Tom Schuster [:evilpie]
no flags Details | Diff | Splinter Review
v1 with tests (3.58 KB, patch)
2012-07-14 04:05 PDT, Tom Schuster [:evilpie]
jwalden+bmo: review+
Details | Diff | Splinter Review

Description Jesse Ruderman 2011-03-30 12:54:43 PDT
jsfunfuzz's round-trip checker caught this:

js> (function() { return t["a" + "b"]; })
(function () {return t["ab"];})
js> (function () {return t["ab"];})
(function () {return t.ab;})
Comment 1 Jesse Ruderman 2012-07-06 02:04:53 PDT
Another instance:

js> (function() { return t[true ? 'a' : 'b']; })
(function () {return t["a"];})
js> (function () {return t["a"];})
(function () {return t.a;})
Comment 2 Tom Schuster [:evilpie] 2012-07-14 04:04:23 PDT
Created attachment 642207 [details] [diff] [review]
v1

Just do the folding manually before we decide whether to use obj.prop or obj[prop].

Really short patch, I hope this is okay for you Jeff.
Comment 3 Tom Schuster [:evilpie] 2012-07-14 04:05:48 PDT
Created attachment 642208 [details] [diff] [review]
v1 with tests

Sorry forgot to hg add the test.
Comment 4 Jeff Walden [:Waldo] (remove +bmo to email) 2012-07-16 11:32:45 PDT
Comment on attachment 642208 [details] [diff] [review]
v1 with tests

Review of attachment 642208 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/frontend/Parser.cpp
@@ +5833,5 @@
>                  }
>              } else if (propExpr->isKind(PNK_NUMBER)) {
> +                Value number = NumberValue(propExpr->pn_dval);
> +                uint32_t dummy;
> +                if (!IsDefinitelyIndex(number, &dummy)) {

Please use (propExpr->pn_dval == ToUint32(propExpr->pn_dval)) to check for index-ness -- much better than relying on a method that sometimes gives the wrong answer and must itself be double-checked.

::: js/src/jit-test/tests/basic/testFoldPropertyAccess.js
@@ +17,5 @@
> +    }
> +]
> +
> +for (var i = 0; i < cases.length; i++) {
> +    dis(cases[i]);

Remove this.
Comment 6 Ryan VanderMeulen [:RyanVM] 2012-07-21 14:42:58 PDT
https://hg.mozilla.org/mozilla-central/rev/28711b9f49cd

Note You need to log in before you can comment on or make changes to this bug.