Closed Bug 465220 Opened 16 years ago Closed 16 years ago

nested imacro abort not cleanly handled (botches assertions)

Categories

(Core :: JavaScript Engine, defect, P1)

Product:
Core
Component:
JavaScript Engine
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla1.9.1

People

(Reporter: brendan, Assigned: brendan)

Details

(Keywords: testcase, verified1.9.1)

Attachments

(2 files)

testcase
120 bytes, text/plain
Details
proposed fix
5.26 KB, patch
mrbkap
: review+
beltzner
: approval1.9.1b2+
Details | Diff | Splinter Review
Attached file testcase 
The attached test shows this. It works in the optimized js shell:

./Darwin_OPT.OBJ/js -j obad.js
obad.js:4: TypeError: can't convert ({toString:(function ()  > 2 ? this : "false")}) to primitive type

but a debug shell botches an anti-nesting assertion in TraceRecorder::call_imacro and (if that's replaced by runtime coping code) one in js_DecompileValueGenerator (or under it).

/be
Flags: blocking1.9.1?
(In reply to comment #0)
> Created an attachment (id=348471) [details]
> testcase
> 
> The attached test shows this. It works in the optimized js shell:
> 
> ./Darwin_OPT.OBJ/js -j obad.js
> obad.js:4: TypeError: can't convert ({toString:(function ()  > 2 ? this :
> "false")}) to primitive type

Yikes! What happened to the left operand of > (namely, i)? Investigating...

/be
Note also "foo" became "false" -- dead giveaway that fp->imacpc was set and we used the common atom pool instead of the script's pool. That explains the empty string instead of i in the ?: condition.

/be
Attached patch proposed fixSplinter Review 
Note that js_DecompileValueGenerator is the only cx->fp->regs->pc-sensitive entry point to the decompiler (AFAIK -- double check me here please).

The jsscript.h fix avoids using the common atom pool when decompiling a function from a script in an imacro (say, one trying to format an error message).

/be
Attachment #348478 - Flags: review?(mrbkap)
This is one to watch for b2. We may find conversions requiring imacros that throw in the wild.

/be
Priority: -- → P1
Flags: blocking1.9.1? → blocking1.9.1+
Attachment #348478 - Flags: approval1.9.1b2?
Comment on attachment 348478 [details] [diff] [review]
proposed fix

Goosing review, this is not something I'm happy shipping b2 without.

/be
Attachment #348478 - Flags: review?(mrbkap) → review+
Comment on attachment 348478 [details] [diff] [review]
proposed fix

I worry about the use of cx->fp->regs.pc in Decompile (checking if we're decompiling a get op)... r=mrbkap with that looked into
(In reply to comment #6)
> (From update of attachment 348478 [details] [diff] [review])
> I worry about the use of cx->fp->regs.pc in Decompile (checking if we're
> decompiling a get op)... r=mrbkap with that looked into

That's why js_DecompileValueGenerator swaps back fp->imacpc (which is in-script) for the imacro pc in fp->regs->pc, and restores after calling DecompileExpression.

Other Decompile callers do not depend on any active frame referring to the script being decompiled.

/be
Attachment #348478 - Flags: approval1.9.1b2? → approval1.9.1b2+
Comment on attachment 348478 [details] [diff] [review]
proposed fix

a1.9.1b2=beltzner
Fixed on m-c:

http://hg.mozilla.org/mozilla-central/rev/e8ed5d4bf531
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Keywords: testcase
test landed http://hg.mozilla.org/mozilla-central/rev/9c143f56d841 and cvs
Flags: in-testsuite+
Flags: in-litmus-
v 1.9.1, 1.9.2
Status: RESOLVED → VERIFIED
Keywords: fixed1.9.1verified1.9.1
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: