IonMonkey optimizes calls to DOM getters, setters and methods. Our (shell) fuzzers are currently unable to test any of this though, because the shell does not expose any getters/setters with attached jitinfo. Adding some getters/setters/methods to the shell shouldn't be hard and will get us a lot of extra fuzz testing for free. Note that we should also add some jit-tests, so that the fuzzers have something to mutate.
This adds a FakeDOMObject constructor to the shell. It returns an object with a getter, setter and method with attached JitInfo. I verified IonMonkey uses its DOM instructions to access these, and I could reproduce some (browser) problems we found recently in the shell. I don't have much time to add more stuff, but I think this is a good starting point. We can add additional objects/getters/setters/methods later.
Assignee: general → jdemooij
Status: NEW → ASSIGNED
Attachment #693295 - Flags: review?(bzbarsky)
Comment on attachment 693296: Patch
r=me, sorry for the lag!
Attachment #693296 - Flags: review?(bzbarsky) → review+
@decoder, gkw, Jesse: with this patch, "new FakeDOMObject()" in the shell returns an object with properties "x" and "doFoo". Can you guys make sure these are properly fuzzed? I also added a jit-test (tests/basic/test-jitinfo.js) so that the fuzzers that mutate existing tests will test it automatically.
This got backed out in: http://hg.mozilla.org/integration/mozilla-inbound/rev/8a7b7f1ac53a
(In reply to Gary Kwong [:gkw] from comment #7)
> This got backed out in:
>
> http://hg.mozilla.org/integration/mozilla-inbound/rev/8a7b7f1ac53a

Nope, the bug number in that commit message is wrong :) Bug 823165 was backed out.
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla20