Closed
Bug 802384
Opened 13 years ago
Closed 13 years ago
IonMonkey: Bug in GeneratePrototypeGuards in IonCache.cpp
Categories
(Core :: JavaScript Engine, defect)
Core
JavaScript Engine
Tracking
()
RESOLVED
FIXED
mozilla19
People
(Reporter: djvj, Unassigned)
Details
(Whiteboard: [ion:t])
Attachments
(1 file)
|
1.42 KB,
patch
|
mjrosenb
:
review+
|
Details | Diff | Splinter Review |
The |GeneratePrototypeGuards| function in IonCaches.cpp, in the case where an object in the prototype chain has an uncacheable prototype, and also has a singleton type, incorrectly checks the prototype against 'obj->proto()' (which will remain the same for all loop iterations), as opposed to 'pobj->proto()'.
Looking at the code which marks objects as having uncacheble prototypes, it seems that an object will never be marked as having an uncacheable prototype if it has a singleton type.
This incorrect code will never get executed because the two conditions it executes under are never both true. Suggest replacing the entire block with a |JS_ASSERT(!pobj->hasSingletonType())|.
|
Reporter | |
Comment 1•13 years ago
|
||
Patch passes jstests and jit-tests with debug build ion 64-bit linux.
Running through try:
https://tbpl.mozilla.org/?tree=Try&rev=32796e87970d
|
|
Reporter | |
Comment 2•13 years ago
|
||
Comment on attachment 672052 [details] [diff] [review]
Patch
Tbpl looks clean enough.
Attachment #672052 -
Flags: review?(mrosenberg)
|
||
Updated•13 years ago
|
Attachment #672052 -
Flags: review?(mrosenberg) → review+
|
||
Updated•13 years ago
|
Whiteboard: [ion:t]
|
||
Comment 3•13 years ago
|
||
Status: NEW → RESOLVED
Closed: 13 years ago
Flags: in-testsuite-
Resolution: --- → FIXED
Target Milestone: --- → mozilla19
You need to log in
before you can comment on or make changes to this bug.
Description
•