Closed Bug 602441 Opened 15 years ago Closed 15 years ago

JM: Botched extensibility checking when attempting to add a new property to an object

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Type:
defect
Priority:
Not set
Severity:
major

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: Waldo, Assigned: Waldo)

References

Details

Attachments

(2 files)

1 - Patch and test (also fixes a second bug!)
7.30 KB, patch
dmandelin
: review+
Details | Diff | Splinter Review
2: Remove dead property-setting property-cache code
5.11 KB, patch
brendan
: review+
Details | Diff | Splinter Review
Method JIT: [jwalden@find-waldo-now src]$ dbg/js -j -m js> var o = Object.preventExtensions({}); js> var output = []; js> for (var i = 0; i < 5; i++) try { o.u = ""; output.push(i + ": no exception"); } catch (e) { output.push(i + ": " + e); } 5 js> print(output.join("\n")); 0: no exception 1: TypeError: o.u is not extensible 2: no exception 3: no exception 4: no exception Tracing only: [jwalden@find-waldo-now src]$ dbg/js -j js> var o = Object.preventExtensions({}); js> var output = []; js> for (var i = 0; i < 5; i++) try { o.u = ""; output.push(i + ": no exception"); } catch (e) { output.push(i + ": " + e); } 5 js> print(output.join("\n")); 0: no exception 1: no exception 2: no exception 3: no exception 4: no exception Tracing is correct: only in strict mode should we be throwing a TypeError. This is only observable a tree with bug 600128 fixed (should land tomorrow). Note also that that bug's test includes a non-chatty version of the above example (using freeze rather than preventExtensions -- the former subsumes the latter's minimal lockdown). When it lands, that test will be disabled in browser (where it fails) and partially disabled in shell when the methodjit option's set, so it'll need to be adjusted when fixing this bug.
Looking at the revision implementing extensibility: http://hg.mozilla.org/tracemonkey/rev/aa9b86572020 I see I flat-out removed some if-sealed code from the SetPropCompiler implementation, which seems...likely wrong. Betting that's the thing to fix, will kick off a build with the likely fix to test in the morning...
Status: NEW → ASSIGNED
Yay for tests! In trying to be more careful about getting all the edge cases when test-writing, I stumbled on an improper assertion of extensibility (that's what the assertion move is all about) -- so we get two fixes in one here, of course with testing goodness.
Attachment #481662 - Flags: review?(dmandelin)
In looking at other potentially dodgy isExtensible() assertions, I noticed an instance that looked bad. Talking it over on IRC, plus looking at PropertyCache::testForSet, revealed the entire bit of code to be dead -- this patch kills it, slightly adjusts surrounding code, and fixes up docs.
Attachment #481664 - Flags: review?(brendan)
Oh, I pushed the fix for bug 600128 to TM just now: http://hg.mozilla.org/tracemonkey/rev/7fc2209ef579
Comment on attachment 481664 [details] [diff] [review] 2: Remove dead property-setting property-cache code ..12345678901234567890123456789012345678901234567890123456789012345678901234567890 >+ * Property cache hit, only partially confirmed by testForSet. We >+ * know that the entry applies to regs.pc and that obj's shape >+ * matches. > * > * The entry predicts either a new property to be added > * directly to obj by this set, or on an existing "own" Mega-nit: may as well rewrap (vim Q2j or equivalent) the second paragraph here too. Thanks for finding this! /be
Attachment #481664 - Flags: review?(brendan) → review+
Very early on in the push for Firefox 3, hacking the proprerty cache to win against kjs on SunSpider, I overreached and tried to cache prototype object hits (setters). Then I backed off. That left the logic (you can see it in cvs.m.o) seeming to handle a "full test" (hit on a non-direct prototype) at first, but then bailing because (obj == obj2) conditions failed. So this was dead code all along! /be
Attachment #481662 - Flags: review?(dmandelin) → review+
http://hg.mozilla.org/mozilla-central/rev/a827b3a89300 is this fixed? It looks like both patches went to to TM and MC.
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
The second patch landed in TM, but we still had some code that triggered the dead code, so a bunch of test runs were orange from the !!atom assertion. With titles gone, the second patch should be fine now: http://hg.mozilla.org/tracemonkey/rev/56645320b950 Hasn't passed tinderboxen yet, but a linux64 try run I kicked off last night came back all green, so I expect it's good.
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: