Bug 470137 (Closed)
TM: Behavioral difference in addition of objects between JIT, non-JIT
Opened 16 years ago
Closed 16 years ago
Categories: (Core :: JavaScript Engine, defect, P1)
Tracking: VERIFIED FIXED, mozilla1.9.1b3
People: (Reporter: Waldo, Assigned: Waldo)
Details: (Keywords: verified1.9.1, Whiteboard: fixed-in-tracemonkey)
Attachments (1 file): patch (deleted), brendan: review+
For ease of copy-paste:

var count = 0;
function toString() { ++count; if (count == 5) return {}; return "" + count; }
for (var i = 0; i < 10; i++) { var o = {valueOf: undefined, toString: toString}; var q = 5 + o; }

Results below with current TM:

find-waldo-now:~/moz/js-tm jwalden$ rlwrap obj-i386-apple-darwin8.11.1/dist/bin/js
js> var count = 0;
js> function toString() { ++count; if (count == 5) return {}; return "" + count; }
js> for (var i = 0; i < 10; i++) { var o = {valueOf: undefined, toString: toString}; var q = 5 + o; }
typein:6: TypeError: can't convert o to primitive type
js>
find-waldo-now:~/moz/js-tm jwalden$ rlwrap obj-i386-apple-darwin8.11.1/dist/bin/js -j
js> var count = 0;
js> function toString() { ++count; if (count == 5) return {}; return "" + count; } for (var i = 0; i < 10; i++) { var o = {valueOf: undefined, toString: toString}; var q = 5 + o; }
js>

With JIT, at end I have count == 10 and q == 510.
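Added example (not part of the bug report or of the Mozilla patch): the repro above wrapped in a harness that runs the loop once with the engine's native `+` and once with a hand-written model of the standard object-to-primitive steps, so a divergence like the one reported shows up as a mismatch. The names `referenceToPrimitive`, `runRepro` and `checkEngine` are made up for this example.

```javascript
function isPrimitive(v) {
  return v === null || (typeof v !== "object" && typeof v !== "function");
}

// Model of the object-to-primitive steps used by `5 + o` for a plain object:
// try valueOf, then toString; skip non-callable entries; a non-primitive
// result is ignored; if nothing yields a primitive, throw TypeError.
function referenceToPrimitive(obj) {
  for (const name of ["valueOf", "toString"]) {
    const fn = obj[name];
    if (typeof fn === "function") {
      const result = fn.call(obj);
      if (isPrimitive(result)) return result;
    }
  }
  throw new TypeError("can't convert object to primitive type");
}

// Runs the loop from the report with the supplied addition and records the
// observable state: how often toString ran, the last q, and any exception.
function runRepro(add, iterations) {
  let count = 0;
  function toString() {
    ++count;
    if (count === 5) return {};   // fifth call returns a non-primitive
    return "" + count;
  }
  let q;
  let threw = null;
  try {
    for (let i = 0; i < iterations; i++) {
      const o = { valueOf: undefined, toString: toString };
      q = add(5, o);
    }
  } catch (e) {
    threw = e instanceof TypeError ? "TypeError" : String(e);
  }
  return { count: count, q: q, threw: threw };
}

// Compares the engine against the model; returns the fields that differ.
// An engine behaving like the traced run in the report (count 10, no
// exception) would be listed here on every field.
function checkEngine(iterations) {
  const engine = runRepro((a, b) => a + b, iterations);
  const model = runRepro((a, b) => a + referenceToPrimitive(b), iterations);
  return Object.keys(model).filter((k) => engine[k] !== model[k]);
}
```

On a conforming engine `checkEngine(10)` returns an empty array, with both runs stopping at the fifth iteration on a TypeError.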
Updated•16 years ago
Assignee: general → brendan
Blocks: 465460
Status: NEW → ASSIGNED
Flags: blocking1.9.1?
Priority: -- → P1
Target Milestone: --- → mozilla1.9.1b3
Updated•16 years ago
Flags: blocking1.9.1? → blocking1.9.1+
Comment 1 (Assignee)•16 years ago
Stealing, hope you don't mind, Brendan, as I suspect you hadn't spent any substantial amount of time on this yet...

We don't fall off trace currently because the return value of toString isn't assigned to any fixed-type temporaries. The reason we don't see infinite recursion is that the returned object does stringify using Object.prototype.toString (changing the loop termination value to 5 results in q === "5[object Object]"). I'm not sure why changing |{}| to |this| and moving the |++count| increment a little don't result in infinite recursion, but I'm not especially worried about not investigating exactly what prevents infinite recursion here.
Assignee: brendan → jwalden+bmo
Attachment #354101 - Flags: review?(brendan)
Updated•16 years ago
Attachment #354101 - Flags: review?(brendan) → review+
Comment 2•16 years ago
Comment on attachment 354101
Patch

Thanks!

/be
Comment 3 (Assignee)•16 years ago
Fixed in TM: http://hg.mozilla.org/tracemonkey/rev/65561fc2807c
Whiteboard: fixed-in-tracemonkey
Comment 4 (Assignee)•16 years ago
Hm, it's "sideExitIntoInterpreter", not "sideExits". It seems we're actually side exiting on every loop there, not so good -- investigating...
Comment 5•16 years ago
merged to mc
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Comment 6•16 years ago
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/d6306712a5d9
Keywords: fixed1.9.1
Comment 7•16 years ago
test included in js1_8_1/trace/trace-test.js http://hg.mozilla.org/mozilla-central/rev/8f967a7729e2
Flags: in-testsuite+
Flags: in-litmus-
Comment 8•16 years ago
v 1.9.1, 1.9.2
Status: RESOLVED → VERIFIED
Keywords: fixed1.9.1 → verified1.9.1