Closed
Bug 819611
Opened 12 years ago
Closed 12 years ago
IonMonkey: Differential Testing: Getting different output w/without --ion-eager with Object.freeze
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
mozilla20
| Tracking | Status | |
|---|---|---|
| firefox17 | --- | unaffected |
| firefox18 | --- | unaffected |
| firefox19 | --- | fixed |
| firefox20 | --- | fixed |
| firefox-esr10 | --- | unaffected |
| firefox-esr17 | --- | unaffected |
People
(Reporter: gkw, Assigned: djvj)
References
(Depends on 1 open bug)
Details
(Keywords: regression, testcase)
Attachments
(2 files)
|
582 bytes,
patch
|
dvander
:
review+
akeybl
:
approval-mozilla-aurora+
|
Details | Diff | Splinter Review |
|
306 bytes,
patch
|
gkw
:
review+
|
Details | Diff | Splinter Review |
x = []
x.push(1)
x.unshift(0)
x.unshift(0)
Object.freeze(x)
try {
x.sort(function() {
x.length = 13
})
} catch (e) {}
print(uneval(this))
shows the following output (only the last few lines copied below) on js opt shell on IonMonkey changeset 32638e411218 without --ion-eager:
/snip
}, wrapWithProto:function wrapWithProto() {
[native code]
}, x:[0, 0, 1]})
but the following output with --ion-eager:
/snip
}, wrapWithProto:function wrapWithProto() {
[native code]
}, x:[0, 0, 1, , , , , , , , , , ,]})
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: 111211:2583a19e59ef
user: Kannan Vijayan
date: Tue Oct 23 22:18:11 2012 -0400
summary: Bug 795801 - IC StrictPropertyOp setters in IonMonkey. (r=dvander)
|
Reporter | |
Comment 1•12 years ago
|
||
x = [0, 0]
Object.freeze(x).map(function() {
x.length = 6
})
print(x)
shows the following without --ion-eager:
0,0
but shows the following with --ion-eager:
0,0,,,,
Kannan, do you know if bug 795801 is indeed related?Flags: needinfo?(kvijayan)
|
Assignee | |
Comment 2•12 years ago
|
||
(In reply to Gary Kwong [:gkw, :nth10sd] from comment #1) > Kannan, do you know if bug 795801 is indeed related? It seems related from my initial tracing. I don't understand exactly how yet (it should be mimicing the same behaviour as the interpreter), but I'm looking into it.
Flags: needinfo?(kvijayan)
|
|
Assignee | |
Comment 3•12 years ago
|
||
It seems from investigation that the checker method (IsPropertySetterCallInlineable) used by the ion IC to identify is missing something before adding a stub to call the setter StrictPropertyOp. The second run around, the setter gets called mutates the frozen array. Trying to figure out what the missing check(s) are. Since the object is frozen before any of these methods are run, the issue is fixing the checks before attaching the stubs, as opposed to any guards compiled into the stub itself.
|
|
Assignee | |
Comment 4•12 years ago
|
||
Add writability check to shape when attaching setter-call stubs.
Attachment #690497 -
Flags: review?(dvander)
|
|
||
Updated•12 years ago
|
Attachment #690497 -
Flags: review?(dvander) → review+
|
|
Reporter | |
Comment 5•12 years ago
|
||
After this lands on m-c, the patch might need backporting to aurora.
Flags: in-testsuite?
Keywords: checkin-needed
|
|
Assignee | |
Comment 6•12 years ago
|
||
Test case pulled from comment 1.
Attachment #690530 -
Flags: review?(gary)
|
|
Reporter | |
Comment 7•12 years ago
|
||
Comment on attachment 690530 [details] [diff] [review] Test case. rs=me
Attachment #690530 -
Flags: review?(gary) → review+
|
|
Assignee | |
Comment 8•12 years ago
|
||
Fix: https://hg.mozilla.org/integration/mozilla-inbound/rev/a367c96b9459 Testcase: https://hg.mozilla.org/integration/mozilla-inbound/rev/ecdeb0c29a23
|
|
Reporter | |
Updated•12 years ago
|
Keywords: checkin-needed
|
|
Assignee | |
Updated•12 years ago
|
Flags: in-testsuite? → in-testsuite+
|
|
Reporter | |
Updated•12 years ago
|
Assignee: general → kvijayan
Status: NEW → ASSIGNED
|
||
Comment 9•12 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/a367c96b9459 https://hg.mozilla.org/mozilla-central/rev/ecdeb0c29a23
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla20
|
||
Updated•12 years ago
|
|
|
Assignee | |
Comment 10•12 years ago
|
||
Comment on attachment 690497 [details] [diff] [review] Fix. [Approval Request Comment] Bug caused by (feature/regressing bug #): https://bugzilla.mozilla.org/show_bug.cgi?id=795801 User impact if declined: Incorrect JS behaviour (frozen objects can be modified). Testing completed (on m-c, etc.): Green on m-i tbpl. Risk to taking this patch (and alternatives if risky): Minimal. Trivial addition of extra check that disables optimizing behaviour in one case. String or UUID changes made by this patch: None.
Attachment #690497 -
Flags: approval-mozilla-aurora?
|
||
Updated•12 years ago
|
Attachment #690497 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
|
|
Reporter | |
Updated•12 years ago
|
Keywords: checkin-needed
|
||
Comment 11•12 years ago
|
||
https://hg.mozilla.org/releases/mozilla-aurora/rev/cda5f407ec84 https://hg.mozilla.org/releases/mozilla-aurora/rev/6d7da67a7c82
Keywords: checkin-needed
|
|
Reporter | |
Comment 12•12 years ago
|
||
A type of test for this bug has already been landed because it is already marked in-testsuite+ -> VERIFIED.
Status: RESOLVED → VERIFIED
You need to log in
before you can comment on or make changes to this bug.
Description
•