Closed Bug 698101 Opened 13 years ago Closed 13 years ago

TI: Function cloning messes up inline allocation path

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED DUPLICATE of bug 706110

People

(Reporter: billm, Unassigned)

Details

Test case (run in shell with -m -n -a; works with other options):

function testLambdaCtor() {
    var q;
    for (var x = 0; x < 2; ++x) {
        var f = function(){};
	if (x == 1) gc();
        q = new f;
    }
    return q.__proto__ === f.prototype;
}
assertEq(testLambdaCtor(), true);

I think the problem is as follows. We clone f twice. Normally, each time we call the constructor, we fetch f.prototype, which triggers the fun_resolve hook and creates a new prototype object. We end up with two prototype objects, one for each cloned function. At the end, we're asserting that the second cloned function's .prototype equals the second object's .__proto__.

However, doing the gc triggers a recompilation of the empty lambda in the second loop iteration. Rather than calling the fun_resolve hook, the jit compiler fetches the prototype out of the function's type object. This isn't the cloned function--it's the one stored in the bytecode. So it gets the prototype from the first iteration. After the loop, when it does the ===, it finally generates a new .prototype via fun_resolve. This will be different than the first iteration's .prototype, so we fail.

I have no idea how to fix this. Maybe we could detect that f has been cloned more than once and not do the optimization in this case? Could you take a look, Brian?
(In reply to Bill McCloskey (:billm) from comment #0)
> I have no idea how to fix this. Maybe we could detect that f has been cloned
> more than once and not do the optimization in this case? Could you take a
> look, Brian?

Mmm, the problem is that the getSingleton in the function resolve hook is not accounting for future prototypes constructed via the resolve hook.  The right fix is to only inline construction of 'this' for functions with singleton types, i.e. toplevel functions rather than those nested inside another function or in a loop.  (The 'new' Class.create function in the Prototype library is an inner function, but the patch in bug 638794 handles that by giving such inner functions their own singleton types).
Fixed by the bug 706110 patch (will include this testcase when pushing that fix).
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.