Add getters/setters/methods with jitinfo to the shell

RESOLVED FIXED in mozilla20

Status

()

defect
RESOLVED FIXED
7 years ago
7 years ago

People

(Reporter: jandem, Assigned: jandem)

Tracking

unspecified
mozilla20
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment, 1 obsolete attachment)

IonMonkey optimizes calls to DOM getters, setters and methods. Our (shell) fuzzers are currently unable to test any of this though, because the shell does not expose any getters/setters with attached jitinfo.

Adding some getters/setters/methods to the shell shouldn't be hard and will get us a lot of extra fuzz testing for free. Note that we should also add some jit-tests, so that the fuzzers have something to mutate.
Posted patch Patch (obsolete) — Splinter Review
This adds a FakeDOMObject constructor to the shell. It returns an object with a getter, setter and method with attached JitInfo. I verified IonMonkey uses its DOM instructions to access these, and I could reproduce some (browser) problems we found recently in the shell.

I don't have much time to add more stuff, but I think this is a good starting point. We can add additional objects/getters/setters/methods later.
Assignee: general → jdemooij
Status: NEW → ASSIGNED
Attachment #693295 - Flags: review?(bzbarsky)
Posted patch PatchSplinter Review
Attachment #693295 - Attachment is obsolete: true
Attachment #693295 - Flags: review?(bzbarsky)
Attachment #693296 - Flags: review?(bzbarsky)
Comment on attachment 693296 [details] [diff] [review]
Patch

r=me, sorry for the lag!
Attachment #693296 - Flags: review?(bzbarsky) → review+
@decoder, gkw, Jesse: with this patch, "new FakeDOMObject()" in the shell returns an object with properties "x" and "doFoo". Can you guys make sure these are properly fuzzed? I also added a jit-test (tests/basic/test-jitinfo.js) so that the fuzzers that mutate existing tests will test it automatically.
(In reply to Gary Kwong [:gkw] from comment #7)
> This got backed out in:
> 
> http://hg.mozilla.org/integration/mozilla-inbound/rev/8a7b7f1ac53a

Nope, the bug number in that commit message is wrong :) Bug 823165 was backed out.
https://hg.mozilla.org/mozilla-central/rev/91dae8287643
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla20
Depends on: 823715
You need to log in before you can comment on or make changes to this bug.