167325 - JS shell not giving an error on invalid call to default value of an object

Status: VERIFIED FIXED

(Core :: JavaScript Engine, defect)

Description

[Phil Schwartau]

In the JS shell, define this object, type "obj" and hit <Enter>:

js> var obj = {toString: function() {return new Object();}}
js> obj
       <---- NO RETURN VALUE AND NO ERROR


When we type "obj" and hit <Enter>, we are asking for the default value
of |obj|. This should look up the first toString() method it can find
on the prototype chain. It finds the one we defined on |obj| itself.
But in bug 166420, Brendan pointed out:

> This toString method must generate an error, per ECMA-262 Edition 3
> 8.6.2.6, where you'll end up at step 9 given a non-primitive value 
> returned from toString and no valueOf (or a valueOf that returns a
> non-primitive value).


Section 8.6.2.6 [[DefaultValue]] (hint)

When the [[DefaultValue]] method of O is called with hint String,
the following steps are taken:

1. Call the [[Get]] method of object O with argument "toString".
2. If Result(1) is not an object, go to step 5.
3. Call the [[Call]] method of Result(1), with O as the this value
   and an empty argument list.
4. If Result(3) is a primitive value, return Result(3).
5. Call the [[Get]] method of object O with argument "valueOf".
6. If Result(5) is not an object, go to step 9.
7. Call the [[Call]] method of Result(5), with O as the this value
   and an empty argument list.
8. If Result(7) is a primitive value, return Result(7).
9. Throw a TypeError exception.

Comment 1

[Phil Schwartau]

I assigned this one to Brendan, since he has diagnosed the problem
and provided a patch:

> The js shell intentionally (js.c line 374) suppresses error reports from 
> the JS_ValueToString call it makes to convert the result of a command to 
> a string.  I don't recall why.  I'm not sure I did the deed, even -- 
> lemme check cvs history... hmm, fur landed that change with the comments 
> "Merge changes from SpiderMonkey140_BRANCH.  Note: none of the added 
> files participate in the client build."

> It looks like a bug to me -- try the attached patch with all your 
> shell-based tests 


I did try this patch, and it passed the JS testsuite in both the 
debug and optimized JS shell. I will attach Brendan's patch below.

Comment 2

[Phil Schwartau]

Attachment: Brendan's patch

Comment 3

[Brendan Eich [:brendan]]

Fixed (no r= needed for js.c, this was a clear win anyhoo).

/be

Comment 4

[Phil Schwartau]

Verified Fixed:

js> var obj = {toString: function() {return new Object();}}


------------------------ BEFORE THE FIX -------------------------
js> obj
       <---- NO RETURN VALUE AND NO ERROR

Meanwhile, other implicit conversions to string were properly failing:

js> print(obj);
3: TypeError: can't convert obj to string

js> obj == 'abc';
4: TypeError: can't convert [object Object] to primitive type


------------------------ AFTER THE FIX -------------------------
js> obj
can't convert Object to string

js> print(obj);
6: TypeError: can't convert obj to string

js> obj == 'abc';
8: TypeError: can't convert [object Object] to primitive type



Note: it was impossible for me to expose this bug via the 
Perl test driver. Any test I tried to create seemed to
hit a different codepath that the one we hit with <Enter>.

That is why I had to verify this interactively in the shell -

Comment 5

[Phil Schwartau]

I have checked in a test anyway:

          js/tests/ecma_3/Object/8.6.2.6-001.js

This enforces the ECMA-262 Edition 3 algorithm, Section 8.6.2.6.
This is the observation Brendan made above and in bug 166420.

But as I indicated above, this test already passed before the fix
for this bug was checked in. A TypeError was already being generated
as it was supposed to; it just wasn't always visible in the JS shell -

Comment 6

[Phil Schwartau]

Note: I've filed a bug on why we don't see "TypeError" or the line number in:
           
js> obj
can't convert Object to string

See bug 167328,
"Need more information in certain error messages"