Closed Bug 72354 Opened 24 years ago Closed 24 years ago

js_SetProperty needs to resolve lazy setters

Categories

(Core :: JavaScript Engine, defect, P1)

Product:
Core
Component:
JavaScript Engine
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla0.9.1

People

(Reporter: jband_mozilla, Assigned: brendan)

References

Details

(Keywords: js1.5)

Attachments

(4 files)

proposed fix, per previous comment -- pls. help test and review
28.88 KB, patch
Details | Diff | Splinter Review
Fix deleted, watched set-property case (one line change from last patch; the other line that changed was just a comment nit-pick).
28.93 KB, patch
Details | Diff | Splinter Review
assertion location
4.24 KB, text/plain
Details
help the js_DropScopeProperty assertion (jsscope.c patch only, replaces patch for that file in earlier attachments)
2.07 KB, patch
Details | Diff | Splinter Review
brendan and I have discussed this issue. I'm filing a bug to track it. this turns out to be a blocker for landing xpconnect flattening on trunk (an activity I'm not yet ready to do, BTW). .... jband wrote .... I'm having problems with setters on protos and js_SetProperty. The situation I have is with a lazily resolved setter on a prototype. The code in js_SetProperty does not do anything that forces a resolve as it walks the proto chain: http://lxr.mozilla.org/seamonkey/source/js/src/jsobj.c#2295 So, I end up with a situation where if the property with a getter/setter has been previously resolved on the proto then a set of the property on the object will use the proto's setter and all is well. But, if that property has not been previously resolved on the proto then js_SetProperty will fail to discover the setter on the proto and just add a plain old property to my object. I'm not seeing a resolve on the target object either for that matter. Is js_SetProperty wrong to not force a resolve on the objects in the proto chain? Can you suggest what I might do to get around this? Am I just missing something? It appears that I might get away with some hackery in my JSClass.setProperty callback to patch the getter/setter into place (and call it) before returning. Is this my best option? Thanks, John. .... brendan replied .... ECMA clearly specifies that a [[Put]] creates a property in the object at hand, not in one of its prototypes (8.6.2.2, 8.6.2.3). We violate that a bit by inheriting getter, setter, and attrs if a shadow-able prot-property of the same id exists; see the XXX comments in js_SetProperty. I don't think ECMA users can tell the difference in our impl, except where magic native getter and setter hooks are used -- and then we may be fooling Mother ECMA so that the difference (an optimization in our impl) is not detectable. I'm not sure -- I haven't spent much time trying, and have not constructed a case that violates ECMA detectably. Given that, we could call resolve in js_SetProperty. Want a patch? /be
Status: NEW → ASSIGNED
Keywords: js1.5, mozilla0.9
Target Milestone: --- → mozilla0.9
As I noted in private mail to brendan... Hmm. I realise now that it isn't just a question of looking at the prototype. I really need it to try a resolve on the target object (just do a js_LookupProperty?). This is because I have a case where the (as yet unresolved) setter is on the target object, not the proto. So, by not forcing a resolve, we fail to discover the lazily resolved setter and try to write a new property in its place. It seems like this whole function can get simpler by starting with a js_LookupProperty call. [brendan replied to an earlier message expressing a dislike of adding too much cost to js_SetProperty. I don't see how we can have lazy setters without doing most of what js_LookupProperty does here.]
jband: consider the watchpoint-restoring code -- it needs a symbol that has a null entry.value (sprop is null). Hard to discern by calling js_LookupProperty. I'm hacking on a patch right now. /be
[This remains a blocker that must be resolved before landing the xpcdom branch] I changed the summary to reflect the fact that this is not just a proto issue - we need to (potentially) resolve starting with the target object and then on up the proto chain to find a lazy setter.
Summary: Need to call resolve up proto chain in SetProperty → js_SetProperty needs to resolve lazy setters
Pushing out, but jband and jst need this to land the xpcdom branch, so I'll fix it ASAP. /be
Keywords: mozilla0.9mozilla0.9.1
Priority: -- → P1
Target Milestone: mozilla0.9 → mozilla0.9.1
Depends on: 70358
Blocks: 71483
Patch coming up includes the patch in bug 70358, which I still want shaver to review. If you ignore the jsapi.c and jscntxt.h changes, and skip the js_LookupProperty part of the jsobj.c patch, then you can review independently. I didn't want to decouple the patches into two trees (I have several trees, too full of patches already -- but I really wanted to think about and work on these two bugs in the same tree). /be
I decided to bite the bullet and call js_LookupProperty from js_SetProperty, what a concept. The runtime cost should not be terrible given the property cache and other costs, but I haven't measured. The main complexity lies in dealing with the JS_THREADSAFE-only "hold" (sprop->nrefs++) done by js_LookupProperty on the *propp out param it returns. I'm keeping this case JS_THREADSAFE-only, but of course *any* call-out to a setter needs to be preceded by a hold and followed by a drop, in case of delete. The old js_SetProperty code did this, but knew it didn't have a hold already in the JS_THREADSAFE case (because it did raw scope->lookup calls to get symbols, it did not js_LookupProperty). To help catch sprop->nrefs underflows, I added an assertion in js_DropScopeProperty on the last-drop case that the property's symbol-id is no longer in scope. This required revising jshash.c (divergence from NSPR1, first time in years?) to unlink entries from hash chains as it destroys a table, so that they can't be found by freeEntry callback code. Man, I need to nuke all this symbol and chain crap with JS_DOUBLE_HASHING soon! jst: help test and I'll pay you back with tequila! /be
Ooh, tequila, how could I saw no? Brendan, you have yourself a deal! I've applied your patches and done some initial testing, so far so good. I'll report back if I find problems after testing some more.
I tested this some more, and it appears to be working just fine, I've made sure setters are properly resolved up the proto chain on both XPConnect'ed objects and on pure JS objects, and I've seen no bad side effects caused by this patch.
I'd already run mozilla, xpcshell, and the js testsuite before attaching that patch, but I had not tested watchpoints. The patch forgot to hold sprop when reconnecting it to its symbol, in the "set of a deleted, watched property" case in the #if JS_HAS_OBJ_WATCHPOINT block near the top of js_SetProperty. Patch to fix that coming up. /be
I applied and ran mozilla and the first thing it did was botch an assert in js_DropScopeProperty (the one: JS_ASSERT(!scope->ops->lookup...). I'll attach the stack.
Attached file assertion location
I see that the addition of this assertion is your only change to jsscope.c. hmm.
argh, my testing was all optimized (presumably so was jst's). That assertion botches wrongly when an existing property is redefined. New patch (just to jsscope.c) coming up. /be
Yes, I was running an optimized build too :-(
Correction: my mozilla and xpcshell testing was all optimized. I run the js testsuite on a debug js shell. Now for that patch.... /be
Reviewing and testing buddies, please bless the revised aggregate patch soon. I really need to get on with JS_DOUBLE_HASHING (more evidence: JSSymbol.scope is unused! a waste of four bytes per JSSymbol, which itself is a waste). /be
I don't know what I might be doing wrong, but I can't compile the JS shell on WinNT after applying the two patches above. Method: 1. pull js/src into a fresh directory 2. apply patch id=34383 3. delete jsscope.c 4. re-pull jsscope.c 5. apply patch id=34464 6. make -f Makefile.ref I get a warning when jsobj.c is being compiled: jsobj.c(2399) : warning C4013: 'HOLD_SCOPE_PROPERTY' undefined; assuming extern returning int Soon after this, the build fails: Creating library WINNT4.0_DBG.OBJ/js32.lib and object WINNT4.0_DBG.OBJ/js32.exp jsobj.obj : error LNK2001: unresolved external symbol _HOLD_SCOPE_PROPERTY WINNT4.0_DBG.OBJ/js32.dll : fatal error LNK1120: 1 unresolved externals make[1]: *** [WINNT4.0_DBG.OBJ/js32.dll] Error 96 make: *** [all] Error 2
I dunno Phil. It builds for me. Does your jsscope.h not have a #define of HOLD_SCOPE_PROPERTY ? It's in the id=34383 patch.
brendan: I've been reading and rereading a side-by-side diff of js_SetProperty. I pretty much got it. I can't see anything wrong. I'm kinda lost on the watchpoint changes. I had fun tracing through the lock mgmt! Most of the rest I reviewed elsewhere. As is so often the case: I have to trust you got it right because I can't see anything that might be wrong. r/sr=jband I'm hoping shaver will give it a thorough once over too.
I've been running a debug build with these patches and I don't see any problems, no assertions or anything caused by these changes.
jband: you were right, for some reason my jsscope.h was not affected by the patch, even though my console output said that is was: [/d/JS_EXP/mozilla/js/src] patch < 72354_34383.patch patching file `jsapi.c' patching file `jscntxt.h' patching file `jshash.c' patching file `jsobj.c' patching file `jsscope.c' patching file `jsscope.h' ALTHOUGH IT SAYS, "patching file `jsscope.h'", IT DID NOTHING TO IT: [/d/JS_EXP/mozilla/js/src] grep HOLD_SCOPE_PROPERTY jsscope.h [/d/JS_EXP/mozilla/js/src] cvs stat jsscope.h =================================================================== File: jsscope.h Status: Up-to-date Working revision: 3.15 Repository revision: 3.15 /cvsroot/mozilla/js/src/jsscope.h,v Sticky Tag: (none) Sticky Date: (none) Sticky Options: (none) [/d/JS_EXP/mozilla/js/src] cvs diff -rHEAD jsscope.h COMPARE: IT DID DO THE RIGHT THING TO jsapi.c: [/d/JS_EXP/mozilla/js/src] cvs stat jsapi.c =================================================================== File: jsapi.c Status: Locally Modified Working revision: 3.100 Repository revision: 3.100 /cvsroot/mozilla/js/src/jsapi.c,v Sticky Tag: (none) Sticky Date: (none) Sticky Options: (none) I don't mean to sidetrack this bug, but has anyone ever heard of this? I've seen patch fail before, but a SILENT failure like this one? I had no idea that jsscope.h had not been patched... Was this a Linux patch file needing its line terminators modified in order to work correctly on Windows?
Fix is in, shaver can bless me after the fact. /be
Status: ASSIGNED → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
Marking Verified -
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: