Closed Bug 204210 Opened 21 years ago Closed 21 years ago

new eval() triggers ArrayIndexOutOfBoundsException in interpreted mode

Categories: (Rhino Graveyard :: Core, defect)
defect / Not set / normal

Tracking: (Not tracked)

Status: VERIFIED FIXED

People: (Reporter: igor, Assigned: norrisboyd)

Details: (Whiteboard: QA note: verify the fix for this bug interactively)

Attachments: (1 file)

The following one line script causes ArrayIndexOutOfBoundsException in
interpreted mode:

new eval();

~> java -jar ~/.../js.jar -opt -1 -e 'new eval()'
Exception in thread "main" java.lang.ArrayIndexOutOfBoundsException
        at org.mozilla.javascript.Interpreter.interpret(Interpreter.java:2117)
        at org.mozilla.javascript.InterpretedScript.call(InterpretedScript.java:62)
        at org.mozilla.javascript.InterpretedScript.exec(InterpretedScript.java:5
...


For the test case it may be necessary to use code like:

function f()
{
	new eval();
}

f();

since the bug corrupts the interpreter stack and it may not be visible if new eval()
is not the only statement in the function/script.

Testcase added to JS testsuite:

          mozilla/js/tests/js1_5/Regress/regress-204210.js

The testcase puts |new eval();| inside |try...catch| blocks, since in Rhino
this construct is supposed to produce a run-time error due to bug 203909,
"Behavior of built-in functions called as constructors should follow standard."

However: the Rhino interpreted-mode crash on |new eval();|, i.e. the
current bug, isn't occurring when |new eval();| is inside |try...catch|!

So it looks like I'll have to verify the fix for this bug manually.

Whiteboard: QA note: verify the fix for this bug interactively
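The two points made above, that |new eval();| should raise a TypeError rather than crash the engine and that the check is most telling when |new eval();| is the only statement in its function, can be exercised on any modern engine. The following is an added example, not the Rhino project's regress-204210.js and not code from anyone on this bug; the lists of functions it checks are this example's own choice, and it was written against Node.js.

```javascript
// Added example, not the Rhino project's regress-204210.js: checks the
// ECMAScript rule that built-in functions without a [[Construct]] method
// (eval, parseInt, ...) throw TypeError under `new`, while genuine
// constructors do not. The function lists below are constructed for this
// example and are not the bug's testcase.

// Invoke `new fn()` as the sole statement of its own function, as the bug
// reporter suggests, so an engine bug that corrupts the interpreter stack
// would not be masked by neighbouring statements. The try...catch sits in
// the caller, as in the JS testsuite version of the regression test.
function constructAttempt(name, fn) {
  const sole = function () { new fn(); };
  try {
    sole();
    return { name: name, threw: false, error: null };
  } catch (e) {
    return { name: name, threw: true, error: e instanceof TypeError ? "TypeError" : String(e) };
  }
}

// Constructed inputs: built-ins the spec defines as plain functions ...
const NOT_CONSTRUCTORS = [
  ["eval", eval], ["parseInt", parseInt], ["parseFloat", parseFloat],
  ["isNaN", isNaN], ["Math.max", Math.max], ["JSON.parse", JSON.parse],
];
// ... and built-ins that are genuine constructors.
const CONSTRUCTORS = [["Object", Object], ["Array", Array], ["Error", Error], ["Function", Function]];

// Returns { checked, failures } so a harness can assert on the result
// instead of on printed output.
function runChecks() {
  const failures = [];
  let checked = 0;
  for (const [name, fn] of NOT_CONSTRUCTORS) {
    const r = constructAttempt(name, fn);
    checked++;
    if (!r.threw || r.error !== "TypeError") {
      failures.push(name + ": expected TypeError, got " + (r.threw ? r.error : "no exception"));
    }
  }
  for (const [name, fn] of CONSTRUCTORS) {
    const r = constructAttempt(name, fn);
    checked++;
    if (r.threw) failures.push(name + ": construction should succeed, got " + r.error);
  }
  return { checked: checked, failures: failures };
}

const report = runChecks();
console.log(report.failures.length === 0
  ? "PASSED " + report.checked + " checks"
  : "FAILED\n" + report.failures.join("\n"));
```

Because every |new fn()| is the lone statement in its own function, an engine that mishandles the construct-call path would fail on this the same way the reporter's |function f() { new eval(); }| does, while a conforming engine reports TypeError for each non-constructor and no exception for the real constructors.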
The patch merges ScriptRuntime.callSpecial and ScriptRuntime.newObjectSpecial
into a single ScriptRuntime.callSpecial, which takes a boolean flag to indicate whether
this is a call from new, and a special call type id as a parameter for better
error reporting, so new eval() prints:
js: "<stdin>", line 1: uncaught JavaScript exception: TypeError: "eval" is not
a constructor. (<stdin>; line 1)

I committed the fix
Status: NEW → RESOLVED
Closed: 21 years ago
Resolution: --- → FIXED

Verified FIXED interactively in the Rhino shell:

------------------------- BEFORE THE FIX -------------------------
js> new eval();
Exception in thread "main" java.lang.ArrayIndexOutOfBoundsException: -1
at org.mozilla.javascript.Interpreter.interpret(Interpreter.java:2115)
at org.mozilla.javascript.InterpretedScript.call(InterpretedScript.java:62)
at org.mozilla.javascript.InterpretedScript.exec(InterpretedScript.java:55)
at org.mozilla.javascript.Context.evaluateReader(Context.java:806)
at org.mozilla.javascript.tools.shell.Main.evaluateReader(Main.java:363)
at org.mozilla.javascript.tools.shell.Main.processSource(Main.java:260)
at org.mozilla.javascript.tools.shell.Main.exec(Main.java:103)
at org.mozilla.javascript.tools.shell.Main.main(Main.java:76)

-------------------------- AFTER THE FIX -------------------------
js> new eval();
js: "<stdin>", line 1: uncaught JavaScript exception:
TypeError: "eval" is not a constructor. (<stdin>; line 1)
Status: RESOLVED → VERIFIED

Targeting as resolved against 1.5R5
Target Milestone: --- → 1.5R5