Fix for bug 848088 (IonMonkey: property get IC for DOM list proxies fails to detect expando). r=jandem.
authorPeter Van der Beken <peterv@propagandism.org>
Wed, 06 Mar 2013 22:45:59 +0100
changeset 126111 92278dbb6657e22a5542ce1511f9a9200a97c62a
parent 126110 62a4aa80d668ed0d4915c6eb55d43a216d548b4d
child 126112 35c42e6784fb3557df515bb7a967bfa76583a313
push id24475
push userphilringnalda@gmail.com
push dateTue, 26 Mar 2013 04:34:11 +0000
reviewersjandem
bugs848088
milestone22.0a1
Fix for bug 848088 (IonMonkey: property get IC for DOM list proxies fails to detect expando). r=jandem.
dom/tests/mochitest/bugs/Makefile.in
dom/tests/mochitest/bugs/test_bug848088.html
js/src/ion/IonCaches.cpp
js/src/methodjit/PolyIC.cpp
--- a/dom/tests/mochitest/bugs/Makefile.in
+++ b/dom/tests/mochitest/bugs/Makefile.in
@@ -136,16 +136,17 @@ MOCHITEST_FILES	= \
 		file_empty.html \
 		test_domparser_after_blank.html \
 		iframe_domparser_after_blank.html \
 		test_sizetocontent_clamp.html \
 		test_protochains.html \
 		test_bug817476.html \
 		test_bug823173.html \
 		test_bug850517.html \
+		test_bug848088.html \
 		$(NULL)
 
 ifneq (Linux,$(OS_ARCH))
 MOCHITEST_FILES += \
 		test_resize_move_windows.html \
 		$(NULL)
 else
 $(filter disabled-on-linux-for-timeouts--bug-677841, test_resize_move_windows.html)
new file mode 100644
--- /dev/null
+++ b/dom/tests/mochitest/bugs/test_bug848088.html
@@ -0,0 +1,48 @@
+<!DOCTYPE HTML>
+<html>
+<!--
+https://bugzilla.mozilla.org/show_bug.cgi?id=848088
+-->
+<head>
+  <meta charset="utf-8">
+  <title>Test for Bug 848088</title>
+  <script type="application/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css"/>
+  <script type="application/javascript">
+
+  /** Test for Bug 848088 **/
+
+function test(loopFor, setExpandoAt)
+{
+    var list = document.getElementsByTagName("audio");
+    delete list.length;
+    var shouldHaveExpando = false;
+    var realLength = list.length;
+    for (var i = 0; i < loopFor; ++i) {
+        if (i == setExpandoAt) {
+            // Add an expando that shadows.
+            Object.defineProperty(list, "length", { value: "a" });
+            shouldHaveExpando = true;
+        }
+        var hasExpando = (list.length != realLength);
+        if (shouldHaveExpando != hasExpando) {
+            return false;
+        }
+    }
+    return true;
+}
+
+ok(test(200000, 100000), "Correctly detected expando on DOM list object");
+
+ </script>
+</head>
+<body>
+<a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=848088">Mozilla Bug 848088</a>
+<p id="display"></p>
+<div id="content" style="display: none">
+
+</div>
+<pre id="test">
+</pre>
+</body>
+</html>
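Review bot: `test(200000, 100000)` covers only the transition from no expando object to an expando object that defines `length`; the guard this commit corrects in IonCaches.cpp, where the object the IC was compiled against already carries an expando object that lacks the name, is never exercised. A second run that gives the list an unrelated expando before the loop (for example `list.foo = 1;` ahead of `var realLength = list.length;`) would presumably send the IC through the shape-guard path and catch a regression there. The purpose of `delete list.length;` is also not obvious from the test and deserves a short comment.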
--- a/js/src/ion/IonCaches.cpp
+++ b/js/src/ion/IonCaches.cpp
@@ -478,34 +478,30 @@ struct GetNativePropertyStub
             Label failListBaseCheck;
             Label listBaseOk;
 
             Value expandoVal = obj->getFixedSlot(GetListBaseExpandoSlot());
             JSObject *expando = expandoVal.isObject() ? &(expandoVal.toObject()) : NULL;
             JS_ASSERT_IF(expando, expando->isNative() && expando->getProto() == NULL);
 
             masm.loadValue(expandoAddr, tempVal);
-            if (expando && expando->nativeLookup(cx, propName)) {
-                // Reference object has an expando that doesn't define the name.
-                // Check incoming object's expando and make sure it's an object.
 
-                // If checkExpando is true, we'll temporarily use register(s) for a ValueOperand.
-                // If we do that, we save the register(s) on stack before use and pop them
-                // on both exit paths.
+            // If the incoming object does not have an expando object then we're sure we're not
+            // shadowing.
+            masm.branchTestUndefined(Assembler::Equal, tempVal, &listBaseOk);
 
+            if (expando && !expando->nativeContains(cx, propName)) {
+                // Reference object has an expando object that doesn't define the name. Check that
+                // the incoming object has an expando object with the same shape.
                 masm.branchTestObject(Assembler::NotEqual, tempVal, &failListBaseCheck);
                 masm.extractObject(tempVal, tempVal.scratchReg());
                 masm.branchPtr(Assembler::Equal,
                                Address(tempVal.scratchReg(), JSObject::offsetOfShape()),
                                ImmGCPtr(expando->lastProperty()),
                                &listBaseOk);
-            } else {
-                // Reference object has no expando.  Check incoming object and ensure
-                // it has no expando.
-                masm.branchTestUndefined(Assembler::Equal, tempVal, &listBaseOk);
             }
 
             // Failure case: restore the tempVal registers and jump to failures.
             masm.bind(&failListBaseCheck);
             masm.popValue(tempVal);
             masm.jump(&stubFailure);
 
             // Success case: restore the tempval and proceed.
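Review bot: The case where the reference object's expando does define `propName` is now handled only by falling through to `failListBaseCheck`, and no comment in the hunk says that this fail-closed behaviour is intended. I would add above `masm.bind(&failListBaseCheck);` something like `// Incoming object has an expando we cannot prove is free of the name: treat as shadowing and fail.` The deleted comment about saving and restoring the `tempVal` registers also leaves `masm.popValue(tempVal)` unexplained; a one-line note that the value is presumably pushed above the hunk and popped on both exits would help. If the caller does not already decline to attach a stub when the reference expando shadows the name, this emits a stub that the object it was compiled for can never pass, which is worth confirming. The enclosing function starts and ends outside the hunk.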
--- a/js/src/methodjit/PolyIC.cpp
+++ b/js/src/methodjit/PolyIC.cpp
@@ -1295,17 +1295,17 @@ class GetPropCompiler : public PICStubCo
             Value expandoValue = obj->getFixedSlot(GetListBaseExpandoSlot());
             JSObject *expando = expandoValue.isObject() ? &expandoValue.toObject() : NULL;
 
             // Expando objects just hold any extra properties the object has
             // been given by a script, and have no prototype or anything else
             // that will complicate property lookups on them.
             JS_ASSERT_IF(expando, expando->isNative() && expando->getProto() == NULL);
 
-            if (expando && expando->nativeLookup(cx, name) == NULL) {
+            if (expando && !expando->nativeContains(cx, name)) {
                 Jump expandoGuard = masm.testObject(Assembler::NotEqual, expandoAddress);
                 if (!shapeMismatches.append(expandoGuard))
                     return error();
 
                 masm.loadPayload(expandoAddress, pic.shapeReg);
                 pic.shapeRegHasBaseShape = false;
 
                 Jump shapeGuard = masm.branchPtr(Assembler::NotEqual,