Last Comment Bug 690292 - JM: Different output with testcase involving E4X with and without -m, -a and -n
: JM: Different output with testcase involving E4X with and without -m, -a and -n
: testcase
Product: Core
Classification: Components
Component: JavaScript Engine (show other bugs)
: Trunk
: x86 Mac OS X
-- critical (vote)
: mozilla10
Assigned To: Brian Hackett (:bhackett)
: Jason Orendorff [:jorendorff]
Depends on:
Blocks: jsfunfuzz js-differential-test
  Show dependency treegraph
Reported: 2011-09-29 02:57 PDT by Gary Kwong [:gkw] [:nth10sd]
Modified: 2011-10-07 04:14 PDT (History)
6 users (show)
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---

patch (1.35 KB, patch)
2011-10-05 18:35 PDT, Brian Hackett (:bhackett)
luke: review+
Details | Diff | Splinter Review

Description User image Gary Kwong [:gkw] [:nth10sd] 2011-09-29 02:57:48 PDT
try {
    function x() {}
    print("d", Object.create))
    var d = <x></x>
} catch (e) {}
try {
eval("d = ''")
} catch (e) {}

$ ./js-dbg-64-jm-darwin testcase.js 
$ ./js-dbg-64-jm-darwin -m -a -n testcase.js 

Tested on rev 44ef245b8706, 64-bit Mac OS X 10.6 js shell.
Comment 1 User image Gary Kwong [:gkw] [:nth10sd] 2011-09-29 18:25:39 PDT
Also occurs on 32-bit Mac m-c rev dbb129f069b1.
Comment 2 User image Brian Hackett (:bhackett) 2011-10-05 18:35:05 PDT
Created attachment 565106 [details] [diff] [review]

Accesses on properties with watchpoints were being optimized, where the optimizations bypassed the watchpoint handler.  The intent here was to mark watched type properties as configured (as if they had been turned into a setter, made read-only, etc.), which inhibits optimizations on them.  This was done for properties watched on objects with non-singleton types, but when lazily generating type properties for singleton objects the watchpoints were not taken into account.
Comment 3 User image Brian Hackett (:bhackett) 2011-10-06 11:54:00 PDT
Comment 4 User image Ed Morley [:emorley] 2011-10-07 04:14:48 PDT

Note You need to log in before you can comment on or make changes to this bug.