Closed Bug 170193 Opened 22 years ago Closed 22 years ago

adding a property after middle-delete of a function with duplicate formal args

Categories

(Core :: JavaScript Engine, defect, P1)

Product:
Core
Component:
JavaScript Engine
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla1.2beta

People

(Reporter: brendan, Assigned: brendan)

Details

(Keywords: js1.5)

Attachments

(1 file, 1 obsolete file)

precise fix
2.04 KB, patch
shaver
: review+
Details | Diff | Splinter Review
hangs or crashes the JS engine. The testcase is easy, given an understanding of the bug, which I found by reviewing code (for the umpteenth time). This was run with the upcoming patch applied, so it shows the correct behavior: js> function f(a,a,b){} js> f.c=42 42 js> f.d=43 43 js> delete f.c // "middle delete" true js> f.e=44 44 js> /be
Status: NEW → ASSIGNED
Keywords: js1.5, mozilla1.2
Priority: -- → P1
Target Milestone: --- → mozilla1.2beta
Attached patch proposed fix (obsolete) — Splinter Review
Without the tmp variable to count the remaining ancestors in this "middle delete in the scope of a function with duplicate formals" case, sprop had to be restored to its value before the do { i++; } while ((sprop = sprop->parent) != NULL) loop. But it can't be restored to its pre-loop value by loading spvec[i], which used to be spvec[0] -- that saved property pointer points to a descendent (not necessarily the immediate child) of the pre-loop sprop. Better to use a temporary and leave sprop alone. I don't know what I was thinking, but re-reading this case shows the glaring 'sprop = spvec[i];\n }\n spvec[--i] = sprop;' sequence, which would store sprop in two adjacent slots in spvec, leading to a nasty iloop. Shaver, you know this code -- can you r=? Thanks. /be
Attached patch precise fixSplinter Review
Let's get i exactly right when correcting the original estimate of the net ancestor line height (net of middle-deleted properties -- see the big comment in jsscope.h near the top). The previous patch assumed that there were no more middle-deletes lurking on the ancestor line after scope->entryCount net ancestors had been enumerated into spvec. /be
Attachment #100156 - Attachment is obsolete: true
The second patch is really future proofing (an unlikely future, at that): you can't delete argument properties of function objects (a SpiderMonkey extension), because they're JSPROP_PERMANENT. But you'd have to delete a property above (defined earlier) duplicate formal parameter properties on the ancestor line. There ain't no other such property -- native Function.prototype properties are all permanent too. /be
Comment on attachment 100169 [details] [diff] [review] precise fix r=shaver.
Attachment #100169 - Flags: review+
Fixed, thanks for the fast review! /be
Status: ASSIGNED → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
Testcase added to JS testsuite - mozilla/js/tests/js1_5/Regress/regress-170193.js
Verified FIXED. The testcase used to hang, but now executes successfully in both the debug and optimized JS shell on WinNT -
Status: RESOLVED → VERIFIED
Flags: testcase+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: