Closed Bug 254974 Opened 20 years ago Closed 20 years ago

introducing a function at the beginning of a function causes the program to change behavior

Categories

(Core :: JavaScript Engine, defect, P1)

Product:
Core
Component:
JavaScript Engine
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla1.8alpha3

People

(Reporter: timeless, Assigned: brendan)

References

Details

(Keywords: js1.5)

Attachments

(3 files)

code which confuses xpcshell/jsshell when pasted
330 bytes, text/plain
Details
proposed fix
1.42 KB, patch
shaver
: review+
Details | Diff | Splinter Review
js1_5/Regress/regress-254974.js
2.69 KB, text/plain
Details 
steps:
1. run xpcshell or jsshell
2. paste the attached testcase into it.
note: you can *not* use load() to load the testcase as load optimizes away the
unused empty function resulting in expected results.

expected results:
DIV

actual results:
DIV[@id="test"]

I believe that adding the function seems to upset the regexp object used to fill
the array.
Trunk-only bug, fallout from the mega-patch for bug 165201 and bug 169559.

/be
Assignee: general → brendan
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: js1.5
Priority: -- → P1
Target Milestone: --- → mozilla1.8alpha3
Attached patch proposed fixSplinter Review 
All local var and arg properties in funobjs should be JSPROP_SHARED.  The one
whose define call is patched here was added for the JSOP_DEFLOCALVAR bytecode,
but was not made shared, so its slot could collide with a reserved (by
fun->nregexps, which isn't set till after the function body's code has been
generated, well after parse time) slot for a regexp.

/be
Attachment #155645 - Flags: review?(shaver)
Status: NEW → ASSIGNED
OS: Windows XP → All
Hardware: PC → All
Comment on attachment 155645 [details] [diff] [review]
proposed fix

That's a keeper.  Run the testsuite before committing, please!

Nice catch, timeless. *hat-tip*
Attachment #155645 - Flags: review?(shaver) → review+
Fixed, testsuite ran cleanly (same nine known errors, at least four of them bogus).

/be
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
timeless, I assume it is ok with you to include this in the javascript test
library.
js1_5/Regress/regress-254974.js checked in.
Brendan, the testcase I checked in relies on load to load the scripts. As
Timeless said, this prevents the bug from appearing. I tried creating the
functions via an eval on a string, but the bug didn't show its face. Do you have
any suggestions on how to make the bug manifest itself when |load|ed from jsDriver? 
It's just luck that the js shell (but not xpcshell, note well) does not enable
the JSOPTION_COMPILE_N_GO option when compiling and then executing standard
input, but does when Load'ing.  If JSFRAME_EVAL or JSFRAME_COMPILE_N_GO (the
latter induced by the corresponding JSOPTION_) is set, the compiler will emit a
JSOP_OBJECT for a regexp literal, optimizing away the need for a function slot
that would collide, given this bug (i.e., with the patch backed out), with the
unintended nested function variable slot.

I don't see a way to test this without a shell extension, or by piping stdin to
the shell.  Can't you do the latter from the perl driver, using a here document
even?  Perhaps we just need a bit more test framework here.  If not, let me know
and I'll make a shell extension (LoadSpecial or LoadDeoptimized or something).

/be
I could munge jsDriver to use stdin perhaps as an option however that does not
appear to help in this case. doing cat test.js | js does not exhibit the bug. I
guess a shell extension is required.
Depends on: 290656
Flags: testcase+
verified fixed.
Status: RESOLVED → VERIFIED
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: