Closed Bug 595706 Opened 14 years ago Closed 14 years ago

JM: Unresponsive Script Warning on mootools-1.2-core.js?cb=20080614

Categories

(Core :: JavaScript Engine, defect)

x86
Windows XP
defect
Not set
normal

Tracking

()

VERIFIED FIXED
Tracking Status
blocking2.0 --- betaN+

People

(Reporter: ezra, Assigned: dmandelin)

References

()

Details

(Whiteboard: fixed-in-tracemonkey)

Attachments

(1 file)

User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:2.0b6pre) Gecko/20100912 Firefox/4.0b6pre Build Identifier: Mozilla/5.0 (Windows NT 5.1; rv:2.0b6pre) Gecko/20100912 Firefox/4.0b6pre When loading the page with javascript.options.methodjit.content = true. The script on www.moviemeter.nl will become unresponsive. Tested this with methodjit on and off and on a clean profile. The script works fine when methodjit.content is false. Reproducible: Always Steps to Reproduce: 1. Use Nightly build with methodjid.content = true 2. Navigate to http://moviemeter.nl 3. Wait till the browser responds again. Actual Results: Minefield will show an Unresponsive Script warning dialog. Expected Results: Executed the script without problems
Script: http://www.moviemeter.nl/libs/mootools-1.2-core.js?cb=20080614 (Line 51): for(var B=0,A=this.length;B<A;B++){var C=$type(this[B]);if(!C){continue;}D=D.concat((C=="array"||C=="collection"||C=="arguments")?Array.flatten(this[B]):this[B]);
Assignee: nobody → general
Severity: major → normal
Component: General → JavaScript Engine
Product: Firefox → Core
QA Contact: general → general
Summary: JaegerMonkey causes Unresponsive Script → JM: Unresponsive Script Warning on mootools-1.2-core.js?cb=20080614
Version: unspecified → Trunk
Status: UNCONFIRMED → NEW
Ever confirmed: true
blocking2.0: --- → betaN+
Disabling PICs for JSOP_LENGTH makes the bug go away.
Attached patch Patch (deleted) — Splinter Review
This is basically a typo bug in the PIC for length of args objects. The arguments object PIC was guarding that the object was a slow array. Thus, if the program had |a.length| where a was an arguments object the first time through, then we would get incorrect results on any successive call where a was a slow array. There was actually a second bug there as well: the args object PIC wasn't shifting out the override bit, so if the length was 3, we would end up saying 6 instead. Thanks to everyone that reported a version of this bug: obviously it was affecting at least 4 sites, but I suspect it may have been causing intermittent errors in other places as well.
Assignee: general → dmandelin
Status: NEW → ASSIGNED
Attachment #474857 - Flags: review?(cdleary)
Comment on attachment 474857 [details] [diff] [review] Patch Two nits: might want to use a slow array with a different expected value that's not a pow2-multiple, and I think our JS follows useArg2 cap style.
Attachment #474857 - Flags: review?(cdleary) → review+
(In reply to comment #7) > Comment on attachment 474857 [details] [diff] [review] > Patch > > Two nits: might want to use a slow array with a different expected value that's > not a pow2-multiple, Not sure what you mean: the expected result is 3. >and I think our JS follows useArg2 cap style. Fixed. http://hg.mozilla.org/tracemonkey/rev/614c81c9fda4
Whiteboard: fixed-in-tracemonkey
(In reply to comment #8) > Not sure what you mean: the expected result is 3. Just meant that you're charging the PIC with a result value that is expected to be 3 for the arguments, maybe you'd want to use a different number of values (like... 5) in the slow array case. No biggie!
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Mozilla/5.0 (Windows NT 5.1; rv:2.0b7pre) Gecko/20100917 Firefox/4.0b7pre ID:20100917041014 Sites are working correctly now with methodjit enabled! VERIFIED
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: