Closed
Bug 847119
Opened 12 years ago
Closed 12 years ago
DOM exception is not caught properly
Categories
(Core :: DOM: Core & HTML, defect)
Tracking
()
RESOLVED
FIXED
mozilla22
People
(Reporter: jruderman, Assigned: bzbarsky)
References
Details
(Keywords: assertion, regression, testcase, Whiteboard: [fuzzblocker])
Attachments
(4 files)
(deleted),
text/html
|
Details | |
(deleted),
text/html
|
Details | |
(deleted),
patch
|
jandem
:
review+
lsblakk
:
approval-mozilla-aurora+
|
Details | Diff | Splinter Review |
(deleted),
patch
|
jandem
:
review+
lsblakk
:
approval-mozilla-beta+
|
Details | Diff | Splinter Review |
With: user_pref("javascript.options.ion.parallel_compilation", false); user_pref("javascript.options.methodjit.content", false); And a build compiled with: --enable-debug --enable-optimize (!!) Various bad things happening after ion-compiling the function: function domthrows() { document.documentElement.appendChild(null); } Regression from bug 839116 part 2?
Reporter | ||
Comment 1•12 years ago
|
||
Assertion failure: !JS_IsExceptionPending(cx), at js/src/jsiter.cpp:737 In js_ThrowStopIteration
Reporter | ||
Comment 2•12 years ago
|
||
Reporter | ||
Comment 3•12 years ago
|
||
Our Tinderbox debug builds are built with --enable-optimize, so you should be able to reproduce the bug using e.g. https://ftp.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-central-macosx64-debug/1362259729/
Assignee | ||
Comment 4•12 years ago
|
||
> Regression from bug 839116 part 2?
For appendChild on the <html>, perhaps. What about:
var xhr = new XMLHttpRequest();
function domthrows() { xhr.open(); }
? I don't see what the DOM code could possibly be doing to make this complicated for the jit per se, except if the specialized Ion codepath for DOM calls is busted.
Assignee | ||
Comment 5•12 years ago
|
||
So as expected, turning off the code bug 773549 added makes this problem go away. I checked, and we never take the target->jitInfo()->isInfallible branch in CodeGenerator::visitCallDOMNative, which is not surprising. So we are in fact generating the exception-handling code the other branch puts in.... Here's what JIT Inspector has to say about domthrows() when I write it per comment 4: [CallDOMNative] ... set up the call ... call *%rax addq $0x8, %rsp pop %rsp testl %eax, %eax je ((279)) movq 0x30(%rsp), %rcx jmp ((289)) ##link ((279)) jumps to ((289)) subq $0x8, %rsp movq %rsp, %rax movq %rsp, %rcx andq $0xfffffff0, %rsp push %rcx subq $0x8, %rsp movq %rax, %rdi movl %esp, %eax testq $0xf, %rax je ((326)) int3 ##link ((326)) jumps to ((327)) movabsq $0x101446870, %rax call *%rax addq $0x8, %rsp pop %rsp movabsq $0xfffa00000000000f, %rcx movq 0x0(%rsp), %rsp ret ##link ((289)) jumps to ((359)) addq $0x38, %rsp and then we have the [TypeBarrier]. Sean, does that (and the code in CodeGenerator::visitCallDOMNative in general) look obviously wrong in some way?
Assignee | ||
Comment 6•12 years ago
|
||
And actually requesting needinfo from Sean... ;)
Flags: needinfo?(sstangl)
Reporter | ||
Updated•12 years ago
|
Reporter | ||
Updated•12 years ago
|
Keywords: regression
Assignee | ||
Comment 7•12 years ago
|
||
Attachment #721285 -
Flags: review?(jdemooij)
Assignee | ||
Updated•12 years ago
|
Assignee: nobody → bzbarsky
Comment 8•12 years ago
|
||
Comment on attachment 721285 [details] [diff] [review] Fix the "did the DOM call throw?" test in IonMonkey to check the return value correctly. Review of attachment 721285 [details] [diff] [review]: ----------------------------------------------------------------- Don't we have to fix GetDOMProperty and SetDOMProperty too, since they have a similar check? r=me with that addressed.
Attachment #721285 -
Flags: review?(jdemooij) → review+
Assignee | ||
Comment 9•12 years ago
|
||
> Don't we have to fix GetDOMProperty and SetDOMProperty too
Nice catch. I can't come up with a testcase that fails for those, but of course whether we fail depends on what's in the register....
Assignee | ||
Comment 10•12 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/da51c5373da5 Jan, do you think we should backport this to branches?
Flags: needinfo?(sstangl)
Flags: needinfo?(jdemooij)
Flags: in-testsuite+
Target Milestone: --- → mozilla22
Comment 11•12 years ago
|
||
(In reply to Boris Zbarsky (:bz) from comment #10) > Jan, do you think we should backport this to branches? Not sure how critical/common this issue is, but it would be good to backport imo. The fix is simple and we use similar code elsewhere. The main problem I see is that there's no branchTestBool on beta (aurora has it though), but should be easy to backport that, just a few lines of code.
Flags: needinfo?(jdemooij)
Assignee | ||
Comment 12•12 years ago
|
||
Attachment #721383 -
Flags: review?(jdemooij)
Assignee | ||
Comment 13•12 years ago
|
||
Comment on attachment 721285 [details] [diff] [review] Fix the "did the DOM call throw?" test in IonMonkey to check the return value correctly. [Approval Request Comment] Bug caused by (feature/regressing bug #): Bug 773549 User impact if declined: Possible incorrect behavior for some websites; more easily hit now that more objects are on WebIDL bindings. Testing completed (on m-c, etc.): Passes attached test. Risk to taking this patch (and alternatives if risky): Risk should be quite low. String or UUID changes made by this patch: None.
Attachment #721285 -
Flags: approval-mozilla-aurora?
Assignee | ||
Updated•12 years ago
|
Attachment #721383 -
Flags: approval-mozilla-beta?
Updated•12 years ago
|
Attachment #721383 -
Flags: review?(jdemooij) → review+
Comment 14•12 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/da51c5373da5
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Updated•12 years ago
|
Attachment #721285 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Comment 15•12 years ago
|
||
Comment on attachment 721383 [details] [diff] [review] Beta patch Looks good, let's get this in soon so we have some bake time in beta 4/5 to make sure there's no unexpected fallout before shipping.
Attachment #721383 -
Flags: approval-mozilla-beta? → approval-mozilla-beta+
Comment 16•12 years ago
|
||
https://hg.mozilla.org/releases/mozilla-aurora/rev/8323e52f55db https://hg.mozilla.org/releases/mozilla-beta/rev/1a2504b4c344
Updated•5 years ago
|
Component: DOM → DOM: Core & HTML
You need to log in
before you can comment on or make changes to this bug.
Description
•