Last Comment Bug 708261 - findReferences crashes in shell js/tests (js1_8_5/extensions/findReferences-01.js et al)
: findReferences crashes in shell js/tests (js1_8_5/extensions/findReferences-0...
Status: RESOLVED FIXED
:
Product: Core
Classification: Components
Component: JavaScript Engine (show other bugs)
: Other Branch
: All All
: -- normal (vote)
: mozilla11
Assigned To: Jason Orendorff [:jorendorff]
:
: Jason Orendorff [:jorendorff]
Mentors:
: 698379 704131 707747 (view as bug list)
Depends on:
Blocks: 697479 708838
  Show dependency treegraph
 
Reported: 2011-12-07 08:51 PST by Jason Orendorff [:jorendorff]
Modified: 2011-12-09 06:55 PST (History)
4 users (show)
jimb: in‑testsuite+
See Also:
Crash Signature:
(edit)
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Attachments
v1 (6.92 KB, patch)
2011-12-07 15:38 PST, Jason Orendorff [:jorendorff]
jimb: review+
Details | Diff | Splinter Review

Description Jason Orendorff [:jorendorff] 2011-12-07 08:51:39 PST
REGRESSIONS
    js1_5/Regress/regress-96526-003.js
    js1_8/extensions/regress-422269.js
    js1_8/genexps/regress-380237-01.js
    js1_8_5/extensions/findReferences-01.js
    js1_8_5/extensions/findReferences-02.js
    js1_8_5/extensions/findReferences-03.js
    js1_8_5/extensions/findReferences-04.js
Comment 1 Jason Orendorff [:jorendorff] 2011-12-07 14:36:20 PST
findReferences always crashes now.

The first bad revision is:
changeset:   81246:ff51ddfdf5d1
parent:      77573:44ef245b8706
user:        Brian Hackett <bhackett1024@gmail.com>
date:        Wed Sep 28 15:04:55 2011 -0700
summary:     Remove shape numbers and Shape::slotSpan, factor Shape getter/setter into BaseShape, bug 684505.
Comment 2 Jason Orendorff [:jorendorff] 2011-12-07 15:38:09 PST
Created attachment 579876 [details] [diff] [review]
v1

It was previously possible to get output containing the property id for getters and setters, but it seems this is no longer feasible, since the graph is like this:

  shape -> propid
  shape -> base -> getter

I think multiple properties with different names can share 'base'.
Comment 3 Jason Orendorff [:jorendorff] 2011-12-07 15:39:36 PST
The above patch does not solve the problems with
    js1_5/Regress/regress-96526-003.js
    js1_8/extensions/regress-422269.js
    js1_8/genexps/regress-380237-01.js
all of which seem to be older issues, and perhaps only happen on Mac with the new compiler.
Comment 4 Jim Blandy :jimb 2011-12-07 16:23:40 PST
*** Bug 707747 has been marked as a duplicate of this bug. ***
Comment 5 Jim Blandy :jimb 2011-12-07 16:23:48 PST
*** Bug 704131 has been marked as a duplicate of this bug. ***
Comment 6 Jim Blandy :jimb 2011-12-07 16:24:03 PST
*** Bug 698379 has been marked as a duplicate of this bug. ***
Comment 7 Jim Blandy :jimb 2011-12-07 16:52:58 PST
So is the bug here that MarkChildren is passing PrintPropertyGetterOrSetter, which expects the debugArg to be a Shape *, but supplying a BaseShape * instead?
Comment 8 Jim Blandy :jimb 2011-12-07 16:55:02 PST
findReferences should just report the graph edges that the GC gives it; it needn't jump through hoops to try to get getter/setter names. So getting 'shape; base; getter' instead of 'shape; foo getter' is totally fine.
Comment 9 Jason Orendorff [:jorendorff] 2011-12-08 07:59:03 PST
(In reply to Jim Blandy :jimb from comment #7)
> So is the bug here that MarkChildren is passing PrintPropertyGetterOrSetter,
> which expects the debugArg to be a Shape *, but supplying a BaseShape *
> instead?

Yes. However, since the BaseShape doesn't have the information PrintPropertyGetterOrSetter used to print, there's no point using a debugPrinter function there at all.

(In reply to Jim Blandy :jimb from comment #8)
> findReferences should just report the graph edges that the GC gives it; it
> needn't jump through hoops to try to get getter/setter names.

Great.
Comment 10 Jim Blandy :jimb 2011-12-08 11:49:21 PST
Comment on attachment 579876 [details] [diff] [review]
v1

Review of attachment 579876 [details] [diff] [review]:
-----------------------------------------------------------------

Splendid, splendid. Thanks for sorting this out!
Comment 12 Jason Orendorff [:jorendorff] 2011-12-08 16:10:22 PST
Changing the description to be more specific. The rest of the failing tests will have to get their own bugs. I made one for the "too much recursion" stuff. In fact I made two, but bug 708862 is the better report.
Comment 13 Ed Morley [:emorley] 2011-12-09 06:55:42 PST
https://hg.mozilla.org/mozilla-central/rev/e7785a537e5d

Note You need to log in before you can comment on or make changes to this bug.