Bug 465220
nested imacro abort not cleanly handled (botches assertions)
Status: VERIFIED FIXED (Opened 16 years ago, Closed 16 years ago)
Categories: Core :: JavaScript Engine, defect, P1
Tracking: mozilla1.9.1
People: Reporter: brendan, Assigned: brendan
Keywords: testcase, verified1.9.1
Attachments (2 files):
- 120 bytes, text/plain
- 5.26 KB, patch (mrbkap: review+, beltzner: approval1.9.1b2+)
The attached test shows this. It works in the optimized js shell:

./Darwin_OPT.OBJ/js -j obad.js
obad.js:4: TypeError: can't convert ({toString:(function () > 2 ? this : "false")}) to primitive type

but a debug shell botches an anti-nesting assertion in TraceRecorder::call_imacro and (if that's replaced by runtime coping code) one in js_DecompileValueGenerator (or under it).

/be
Flags: blocking1.9.1?
Comment 1 • 16 years ago (Assignee)
(In reply to comment #0)
> Created an attachment (id=348471) [details]
> testcase
>
> The attached test shows this. It works in the optimized js shell:
>
> ./Darwin_OPT.OBJ/js -j obad.js
> obad.js:4: TypeError: can't convert ({toString:(function () > 2 ? this :
> "false")}) to primitive type

Yikes! What happened to the left operand of > (namely, i)? Investigating...

/be
Comment 2 • 16 years ago (Assignee)
Note also "foo" became "false" -- dead giveaway that fp->imacpc was set and we used the common atom pool instead of the script's pool. That explains the empty string instead of i in the ?: condition. /be
Comment 3 • 16 years ago (Assignee)
Note that js_DecompileValueGenerator is the only cx->fp->regs->pc-sensitive entry point to the decompiler (AFAIK -- double check me here please). The jsscript.h fix avoids using the common atom pool when decompiling a function from a script in an imacro (say, one trying to format an error message). /be
Attachment #348478 - Flags: review?(mrbkap)
Comment 4 • 16 years ago (Assignee)
This is one to watch for b2. We may find conversions requiring imacros that throw in the wild. /be
Updated • 16 years ago (Assignee)
Priority: -- → P1
Updated • 16 years ago
Flags: blocking1.9.1? → blocking1.9.1+
Updated • 16 years ago (Assignee)
Attachment #348478 - Flags: approval1.9.1b2?
Comment 5 • 16 years ago (Assignee)
Comment on attachment 348478 [details] [diff] [review]
proposed fix

Goosing review, this is not something I'm happy shipping b2 without.

/be
Updated • 16 years ago
Attachment #348478 - Flags: review?(mrbkap) → review+
Comment 6 • 16 years ago
Comment on attachment 348478 [details] [diff] [review]
proposed fix

I worry about the use of cx->fp->regs.pc in Decompile (checking if we're decompiling a get op)... r=mrbkap with that looked into
Comment 7 • 16 years ago (Assignee)
(In reply to comment #6)
> (From update of attachment 348478 [details] [diff] [review])
> I worry about the use of cx->fp->regs.pc in Decompile (checking if we're
> decompiling a get op)... r=mrbkap with that looked into

That's why js_DecompileValueGenerator swaps back fp->imacpc (which is in-script) for the imacro pc in fp->regs->pc, and restores after calling DecompileExpression. Other Decompile callers do not depend on any active frame referring to the script being decompiled.

/be
Updated • 16 years ago
Attachment #348478 - Flags: approval1.9.1b2? → approval1.9.1b2+
Comment 8 • 16 years ago
Comment on attachment 348478 [details] [diff] [review]
proposed fix

a1.9.1b2=beltzner
Comment 9 • 16 years ago (Assignee)
Fixed on tm: http://hg.mozilla.org/tracemonkey/rev/905234b7b9e4 /be
Comment 10 • 16 years ago
Fixed on m-c: http://hg.mozilla.org/mozilla-central/rev/e8ed5d4bf531
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Comment 11 • 16 years ago
test landed http://hg.mozilla.org/mozilla-central/rev/9c143f56d841 and cvs
Flags: in-testsuite+
Flags: in-litmus-
Updated • 16 years ago
Keywords: fixed1.9.1
Comment 12 • 16 years ago
v 1.9.1, 1.9.2
Status: RESOLVED → VERIFIED
Keywords: fixed1.9.1 → verified1.9.1