Closed Bug 822385 Opened 8 years ago Closed 8 years ago

Add getters/setters/methods with jitinfo to the shell

Categories

(Core :: JavaScript Engine, defect)

defect
Not set
normal

Tracking

()

RESOLVED FIXED
mozilla20

People

(Reporter: jandem, Assigned: jandem)

References

Details

Attachments

(1 file, 1 obsolete file)

IonMonkey optimizes calls to DOM getters, setters and methods. Our (shell) fuzzers are currently unable to test any of this though, because the shell does not expose any getters/setters with attached jitinfo.

Adding some getters/setters/methods to the shell shouldn't be hard and will get us a lot of extra fuzz testing for free. Note that we should also add some jit-tests, so that the fuzzers have something to mutate.
Attached patch Patch (obsolete) — Splinter Review
This adds a FakeDOMObject constructor to the shell. It returns an object with a getter, setter and method with attached JitInfo. I verified IonMonkey uses its DOM instructions to access these, and I could reproduce some (browser) problems we found recently in the shell.

I don't have much time to add more stuff, but I think this is a good starting point. We can add additional objects/getters/setters/methods later.
Assignee: general → jdemooij
Status: NEW → ASSIGNED
Attachment #693295 - Flags: review?(bzbarsky)
Attached patch PatchSplinter Review
Attachment #693295 - Attachment is obsolete: true
Attachment #693295 - Flags: review?(bzbarsky)
Attachment #693296 - Flags: review?(bzbarsky)
Comment on attachment 693296 [details] [diff] [review]
Patch

r=me, sorry for the lag!
Attachment #693296 - Flags: review?(bzbarsky) → review+
@decoder, gkw, Jesse: with this patch, "new FakeDOMObject()" in the shell returns an object with properties "x" and "doFoo". Can you guys make sure these are properly fuzzed? I also added a jit-test (tests/basic/test-jitinfo.js) so that the fuzzers that mutate existing tests will test it automatically.
(In reply to Gary Kwong [:gkw] from comment #7)
> This got backed out in:
> 
> http://hg.mozilla.org/integration/mozilla-inbound/rev/8a7b7f1ac53a

Nope, the bug number in that commit message is wrong :) Bug 823165 was backed out.
https://hg.mozilla.org/mozilla-central/rev/91dae8287643
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla20
You need to log in before you can comment on or make changes to this bug.