Closed Bug 252892 Opened 21 years ago Closed 21 years ago

for (var i in o) in heavyweight function f does not define i in f's activation

Categories

(Core :: JavaScript Engine, defect, P1)

Product:
Core
Component:
JavaScript Engine
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla1.8alpha3

People

(Reporter: brendan, Assigned: brendan)

Details

(Keywords: js1.5)

Attachments

(4 files, 4 obsolete files)

js shell testcase from newsgroup post
374 bytes, patch
Details | Diff | Splinter Review
js shell testcase
2.45 KB, text/plain
Details
best fix, take 2
15.53 KB, patch
shaver
: review+
asa
: approval-aviary+
mkaply
: approval1.7.5+
Details | Diff | Splinter Review
js1_5/Regress/regress-252892.js
4.20 KB, text/plain
Details
Bad bug, shows longstanding lack of testsuite coverage for the testcase (attached next). Patch soon. /be
Status: NEW → ASSIGNED
Priority: -- → P1
Target Milestone: --- → mozilla1.8alpha3
Easy fix, very old logic bug in the code generator. Dates back to the introduction of JSOP_DEFVAR, where this for/in case was not revisited to ensure that the js_EmitTree TOK_VAR case code ran for a for/in loop starting with a declared but uninitialized as well as declared and initialized variable. /be
Comment on attachment 154198 [details] [diff] [review] proposed fix based on the JS_150_RC6a tag (applies to trunk too) Oops, testsuite discloses a bug in this patch. v2 patch soon. /be
Attachment #154198 - Attachment is obsolete: true
Attached patch better fix (obsolete) — Splinter Review
Man, this kicked my ass! Easy, forsooth! Ok, shaver will love this. /be
Comment on attachment 154220 [details] [diff] [review] better fix - EmitAtomOp returns its ale, so the new code under TOK_FOR can pass ALE_INDEX(ale) to MaybeEmitPrologOp. - Common subroutine MaybeEmitPrologOp for the two cases where we need its guts: the pre-existing TOK_VAR case in js_EmitTree, and now the TOK_FOR for (var x in o) case (but *not* the for (var x = i in o) case). - In the for (var x = i in o) case, where the js_EmitTree called recursively to emit code for var x = i before the loop has quickened x into a local var or arg, we would wrongly emit JSOP_FORNAME (another bug, not reported here). We must fix this by testing (pn3->pn_slot >= 0) and rewriting op to be a JSOP_FOR* variant. /be
Attachment #154220 - Flags: review?(shaver)
Attached patch even better fix (obsolete) — Splinter Review
Size comparison shows this patch winning (this patch is >, previous patch is <): 49c49 < 29201 264 0 29465 7319 jsemit.o (ex Linux_All_OPT.OBJ/libjs.a) --- > 28857 264 0 29121 71c1 jsemit.o (ex Linux_All_OPT.OBJ/libjs.a) 62c62 < 22015 8 0 22023 5607 jsparse.o (ex Linux_All_OPT.OBJ/libjs.a) --- > 22031 8 0 22039 5617 jsparse.o (ex Linux_All_OPT.OBJ/libjs.a) 72c72 < 443372 10068 236 453676 6ec2c Linux_All_OPT.OBJ/libjs.so --- > 442608 10068 236 452912 6e930 Linux_All_OPT.OBJ/libjs.so /be
Attachment #154220 - Attachment is obsolete: true
Comment on attachment 154423 [details] [diff] [review] even better fix The use of |= PNX_* is future-proofing, so if there are new flags set earlier, they won't be stomped and whoever adds them doesn't have to check all downstream code. You can see this slightly increased jsparse.o's size (that was a -O2 Makefile.ref build). But the jsemit.c flag-based code is significantly smaller than the code-ier previous patch. /be
Attachment #154423 - Flags: review?(shaver)
Attachment #154220 - Flags: review?(shaver)
Comment on attachment 154423 [details] [diff] [review] even better fix Argh, buggy. Plus, I can make it even smaller. /be
Attachment #154423 - Attachment is obsolete: true
Attachment #154423 - Flags: review?(shaver)
Attached patch best fix (obsolete) — Splinter Review
I'll attach a js shell testcase next. /be
Comment on attachment 154461 [details] [diff] [review] best fix More caffeine needed -- almost right. /be
Attachment #154461 - Attachment is obsolete: true
Attached file js shell testcase
Attachment #154464 - Attachment is patch: false
Attached patch best fix, take 2Splinter Review
This is it. Passes the test, and here is the size diff vs. the initial patch in this bug: 49c49 < 29201 264 0 29465 7319 jsemit.o (ex Linux_All_OPT.OBJ/libjs.a) --- > 28857 264 0 29121 71c1 jsemit.o (ex Linux_All_OPT.OBJ/libjs.a) 62c62 < 22015 8 0 22023 5607 jsparse.o (ex Linux_All_OPT.OBJ/libjs.a) --- > 22031 8 0 22039 5617 jsparse.o (ex Linux_All_OPT.OBJ/libjs.a) 72c72 < 443372 10068 236 453676 6ec2c Linux_All_OPT.OBJ/libjs.so --- > 442608 10068 236 452912 6e930 Linux_All_OPT.OBJ/libjs.so /be
Comment on attachment 154469 [details] [diff] [review] best fix, take 2 Commented, tested with test attached (but who will update the suite? I miss you, pschwartau!). /be
Attachment #154469 - Flags: review?(shaver)
Comment on attachment 154469 [details] [diff] [review] best fix, take 2 The additional control coupling between the parser and the TOK_VAR emission code doesn't thrill me to my very core, but it's a pretty minimal fix, and even preserves the nutso |for (var x = i in o)| case. r=shaver.
Attachment #154469 - Flags: review?(shaver) → review+
That coupling is ok on balance. At least the parser fully describes subtrees in ways that can be unambiguously interpreted. Again, the complexity here arises from doing prolog JSOP_DEFVAR etc. code generation during the main code-gen tree walk. Hoisting vardecls into a per-script-node list as Narcissus does cleans this up, at the cost of storage for the list. Anyway, I'm going to check a trunk version of the patch in tomorrow. I'd like to get this fix into aviary and 1.7.x, and make a JS15_RC6b or some such. I'll ping Phil about the latter. /be
Flags: blocking1.7.2?
Flags: blocking-aviary1.0PR?
Flags: blocking-aviary1.0?
Comment on attachment 154469 [details] [diff] [review] best fix, take 2 Very old code-generation bug, may as well try to fix it almost everywhere. /be
Attachment #154469 - Flags: approval1.7.2?
Attachment #154469 - Flags: approval-aviary?
Comment on attachment 154469 [details] [diff] [review] best fix, take 2 a=asa (on behalf of the Aviary drivers) for checkin to the aviary branch.
Attachment #154469 - Flags: approval-aviary? → approval-aviary+
Fixed on trunk and aviary branch. Cc'ing mkaply and dveditz for some 1.7.2 love. /be
Status: ASSIGNED → RESOLVED
Closed: 21 years ago
Flags: blocking-aviary1.0PR?
Flags: blocking-aviary1.0?
Keywords: fixed-aviary1.0
Resolution: --- → FIXED
Comment on attachment 154469 [details] [diff] [review] best fix, take 2 a=mkaply for 1.7.3
Attachment #154469 - Flags: approval1.7.3? → approval1.7.3+
Checked into MOZILLA_1_7_BRANCH: Checking in jsemit.c; /cvsroot/mozilla/js/src/jsemit.c,v <-- jsemit.c new revision: 3.96.2.2; previous revision: 3.96.2.1 done Checking in jsparse.c; /cvsroot/mozilla/js/src/jsparse.c,v <-- jsparse.c new revision: 3.101.2.1; previous revision: 3.101 done Checking in jsparse.h; /cvsroot/mozilla/js/src/jsparse.h,v <-- jsparse.h new revision: 3.23.2.1; previous revision: 3.23 done /be
Keywords: fixed1.7
Flags: blocking1.7.5?
thanks to be.
js1_5/Regress/regress-252892.js checked in.
Flags: testcase+
js1_5/Regress/regress-252892.js fails ff 1.0.8/1.7.13_20060214 on winxp. Not sure when it regressed yet.
failures on all three platforms going back to firefox 1.0/1.7.5
Keywords: fixed-aviary1.0, fixed1.7
verified fixed 1.8.0, 1.8, 1.9 20060818 win/mac*/linux
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: