Closed
Bug 1374462
Opened 7 years ago
Closed 7 years ago
Super references incorrectly compute |this|
Categories
(Core :: JavaScript Engine, enhancement)
Core
JavaScript Engine
Tracking
()
RESOLVED
FIXED
mozilla56
Tracking | Status | |
---|---|---|
firefox56 | --- | fixed |
People
(Reporter: shu, Assigned: shu)
References
Details
Attachments
(1 file)
(deleted),
patch
|
jorendorff
:
review+
|
Details | Diff | Splinter Review |
Ted found this when he was testing behavior between us and V8. Consider the following:
class C { get prop_this() { return this; } }
class D extends C { super_get() { return super.prop_this } }
new D().super_get.call(3); // Supposed to be unboxed 3
Class definitions are always strict, which means |this| values aren't supposed to be boxed. However, we currently always box '3', because we don't correctly implement super properties. Namely, Super References [1] are like References but have an additional |this| value. We instead go through the usual GetProperty path in JSOP_GETPROP_SUPER, and always end up boxing the receiver.
[1] https://tc39.github.io/ecma262/#super-reference
Comment 1•7 years ago
|
||
I found it. We use FETCH_OBJECT in interpreter when we shouldn't.
https://dxr.mozilla.org/mozilla-central/rev/72346a4d6afcc17504f911190dbf470100e879ec/js/src/vm/Interpreter.cpp#2790
Quick fix makes the test pass. GETELEM_SUPER needs more plumbing to use Value instead of Object.
Assignee: nobody → tcampbell
Assignee | ||
Comment 2•7 years ago
|
||
Assignee | ||
Comment 3•7 years ago
|
||
(In reply to Ted Campbell [:tcampbell] from comment #1)
> I found it. We use FETCH_OBJECT in interpreter when we shouldn't.
>
> https://dxr.mozilla.org/mozilla-central/rev/
> 72346a4d6afcc17504f911190dbf470100e879ec/js/src/vm/Interpreter.cpp#2790
>
> Quick fix makes the test pass. GETELEM_SUPER needs more plumbing to use
> Value instead of Object.
Oops, sorry, I didn't see that you had already assigned it to yourself.
Assignee | ||
Updated•7 years ago
|
Attachment #8879356 -
Flags: review?(jorendorff)
Comment 4•7 years ago
|
||
Thanks for doing the patch. I hadn't started it yet.
Assignee: tcampbell → shu
Comment 5•7 years ago
|
||
This also fixes the following bug, but it is unclear why. There seems to be an underlying issue to investigate.
> class C {
> get foo() { return "Hello"; }
> }
> C.prototype[0] = "zero";
> C.prototype["undefined"] = "ಠ_ಠ";
>
> class D extends C {
> sup(pname) { return super[pname]; }
> }
>
> let d = new D();
> assertEq(d.sup(0), "zero");
> assertEq(d.sup("foo"), "Hello");
Flags: needinfo?(shu)
Comment 6•7 years ago
|
||
https://searchfox.org/mozilla-central/rev/b425854d9bbd49d5caf9baef3686e49ec91c17ec/js/src/vm/Interpreter.cpp#2914
https://searchfox.org/mozilla-central/rev/b425854d9bbd49d5caf9baef3686e49ec91c17ec/js/src/vm/Interpreter-inl.h#517
The input key and output value alias in the existing code. Then the GetPropertyNoGC call writes output to undefined and after they key is re-read and results in property "undefined" being looked up.
Flags: needinfo?(shu)
Updated•7 years ago
|
Attachment #8879356 -
Flags: review?(jorendorff) → review+
Comment 7•7 years ago
|
||
That aliasing bug. Ew.
Pushed by shu@rfrn.org:
https://hg.mozilla.org/integration/mozilla-inbound/rev/5cac74206e4e
Fix super getprop and super getelem to not box 'this' values. (r=jorendorff)
Comment 10•7 years ago
|
||
bugherder |
Status: NEW → RESOLVED
Closed: 7 years ago
status-firefox56:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla56
You need to log in
before you can comment on or make changes to this bug.
Description
•