Closed
Bug 254974
Opened 20 years ago
Closed 20 years ago
introducing a function at the beginning of a function causes the program to change behavior
Categories
(Core :: JavaScript Engine, defect, P1)
Core
JavaScript Engine
Tracking
()
VERIFIED
FIXED
mozilla1.8alpha3
People
(Reporter: timeless, Assigned: brendan)
References
Details
(Keywords: js1.5)
Attachments
(3 files)
steps: 1. run xpcshell or jsshell 2. paste the attached testcase into it. note: you can *not* use load() to load the testcase as load optimizes away the unused empty function resulting in expected results. expected results: DIV actual results: DIV[@id="test"] I believe that adding the function seems to upset the regexp object used to fill the array.
Assignee | ||
Comment 2•20 years ago
|
||
Trunk-only bug, fallout from the mega-patch for bug 165201 and bug 169559. /be
Assignee: general → brendan
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: js1.5
Priority: -- → P1
Target Milestone: --- → mozilla1.8alpha3
Assignee | ||
Comment 3•20 years ago
|
||
All local var and arg properties in funobjs should be JSPROP_SHARED. The one whose define call is patched here was added for the JSOP_DEFLOCALVAR bytecode, but was not made shared, so its slot could collide with a reserved (by fun->nregexps, which isn't set till after the function body's code has been generated, well after parse time) slot for a regexp. /be
Assignee | ||
Updated•20 years ago
|
Attachment #155645 -
Flags: review?(shaver)
Assignee | ||
Updated•20 years ago
|
Status: NEW → ASSIGNED
OS: Windows XP → All
Hardware: PC → All
Comment 4•20 years ago
|
||
Comment on attachment 155645 [details] [diff] [review] proposed fix That's a keeper. Run the testsuite before committing, please! Nice catch, timeless. *hat-tip*
Attachment #155645 -
Flags: review?(shaver) → review+
Assignee | ||
Comment 5•20 years ago
|
||
Fixed, testsuite ran cleanly (same nine known errors, at least four of them bogus). /be
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
Comment 6•20 years ago
|
||
timeless, I assume it is ok with you to include this in the javascript test library.
Comment 7•20 years ago
|
||
js1_5/Regress/regress-254974.js checked in.
Comment 8•20 years ago
|
||
Brendan, the testcase I checked in relies on load to load the scripts. As Timeless said, this prevents the bug from appearing. I tried creating the functions via an eval on a string, but the bug didn't show its face. Do you have any suggestions on how to make the bug manifest itself when |load|ed from jsDriver?
Assignee | ||
Comment 9•20 years ago
|
||
It's just luck that the js shell (but not xpcshell, note well) does not enable the JSOPTION_COMPILE_N_GO option when compiling and then executing standard input, but does when Load'ing. If JSFRAME_EVAL or JSFRAME_COMPILE_N_GO (the latter induced by the corresponding JSOPTION_) is set, the compiler will emit a JSOP_OBJECT for a regexp literal, optimizing away the need for a function slot that would collide, given this bug (i.e., with the patch backed out), with the unintended nested function variable slot. I don't see a way to test this without a shell extension, or by piping stdin to the shell. Can't you do the latter from the perl driver, using a here document even? Perhaps we just need a bit more test framework here. If not, let me know and I'll make a shell extension (LoadSpecial or LoadDeoptimized or something). /be
Comment 10•20 years ago
|
||
I could munge jsDriver to use stdin perhaps as an option however that does not appear to help in this case. doing cat test.js | js does not exhibit the bug. I guess a shell extension is required.
Updated•20 years ago
|
Flags: testcase+
You need to log in
before you can comment on or make changes to this bug.
Description
•