Bug 292215 - Cannot set arguments[n] under certain circumstances
: js1.5, testcase, verified1.8
Product: Core
Classification: Components
Component: JavaScript Engine
: Trunk
: All All
P3 normal
: mozilla1.8beta4
Assigned To: Brendan Eich [:brendan]
: Jason Orendorff [:jorendorff]
: 299645
Reported: 2005-04-28 05:40 PDT by Erik Fabert
Modified: 2006-04-09 20:22 PDT
brendan: blocking1.8b5+
bob: in‑testsuite+

testcase (shell or browser) (436 bytes, text/html)
2005-04-28 05:41 PDT, Erik Fabert
fix (7.42 KB, patch)
2005-07-11 22:45 PDT, Brendan Eich [:brendan]
shaver: review+
brendan: approval1.8b4+

Description Erik Fabert 2005-04-28 05:40:59 PDT
arguments[n] cannot be set if
1. n is a positive integer or 0
2. n is >= the number of the function's formal arguments
3. n is >= the number of the function's actual arguments

See the attached testcase. Expected output:

Actual output:
Comment 1 Erik Fabert 2005-04-28 05:41:46 PDT
Created attachment 182057
testcase (shell or browser)
Comment 2 Erik Fabert 2005-04-29 04:02:53 PDT
This could be related: Given the following script

  function fun (x) {
      x = 4711
      document.writeln( arguments[0] )
  }
  fun(1), fun()

SpiderMonkey and Navigator 3.04 output '4711 4711'. If I understand the last 
point of ECMA262 10.1.8 correctly the right result is '4711 undefined' and that 
is what I get in the other JS engines (IE, Opera, Rhino).
Comment 3 Brendan Eich [:brendan] 2005-06-07 19:56:02 PDT
Old bug.  Makes me regret conceding so much about arguments to MS back in the day.

Comment 4 Brendan Eich [:brendan] 2005-07-04 17:54:20 PDT
*** Bug 299645 has been marked as a duplicate of this bug. ***
Comment 5 Brendan Eich [:brendan] 2005-07-11 22:36:58 PDT
This is an ECMA conformance issue that we can fix soon.  I have a patch, and
it's safe for 1.8b4.

Comment 6 Brendan Eich [:brendan] 2005-07-11 22:45:03 PDT
Created attachment 189021

ECMA-262 Ed. 3, 10.1.8 is hard to read in terms of SpiderMonkey.  The key is
that only the k actual arguments are reflected into the arguments object as
indexed elements, and then only the first n, where n is the number of formal
parameters, share value storage with the formal parameters.

If k >= n, then it's of course perfectly fine in SpiderMonkey to use
fp->argv[k] for value storage (there's no formal to share with, but there's no
need for a full arguments object).  If k < n, we may need an arguments object
to hold values indexed at i >= k.  These would not be actual argument values (k
is the number of actuals), just values that the callee stores for grins.
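
Added example, not part of comment 6 or of the bug's attachments: a JavaScript probe of the ECMA-262 Ed. 3 10.1.8 behaviour described in the original report and in comments 2 and 6, for running against a fixed or current engine. The helper `sloppy` and the probe names are made up for this example.

```javascript
// Added example. The helper name `sloppy` and the probes are made up here.
// Bodies are compiled with the Function constructor so they stay sloppy-mode
// even if this file is loaded as a module or under "use strict"; strict
// functions get an unmapped arguments object and show none of this sharing.
function sloppy(params, body) {
  return new Function(...params, body);
}

// Comment 2's script: the formal is assigned, then arguments[0] is read.
const fun = sloppy(["x"], "x = 4711; return arguments[0];");

// Original report: n >= number of formals and n >= number of actuals.
const setBeyond = sloppy(["a"], `
  arguments[3] = "stored";
  return { value: arguments[3], length: arguments.length };
`);

// Comment 6's k < n case: one actual, two formals, store at index 1.
// The element must hold the value without sharing storage with formal b.
const storeAtUnpassedFormal = sloppy(["a", "b"], `
  arguments[1] = "stored";
  return { element: arguments[1], formal: b };
`);

// Index below both counts: element and formal share storage in both directions.
const sharedBothWays = sloppy(["a"], `
  arguments[0] = "via-arguments";
  const seenThroughFormal = a;
  a = "via-formal";
  return { seenThroughFormal, seenThroughArguments: arguments[0] };
`);

// Collect every probe result in one object so a harness can assert on it.
function runProbes() {
  return {
    funWithActual: fun(1),
    funWithoutActual: fun(),
    setBeyond: setBeyond(),
    storeAtUnpassedFormal: storeAtUnpassedFormal("only-actual"),
    sharedBothWays: sharedBothWays("initial"),
  };
}

console.log(runProbes());
```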

Comment 7 Mike Shaver (:shaver -- probably not reading bugmail closely) 2005-07-12 08:09:58 PDT
Comment on attachment 189021

Comment 8 Brendan Eich [:brendan] 2005-07-13 17:52:51 PDT
Comment on attachment 189021

Yet another nit-picky ECMA thing to get right with a spot fix.

Comment 9 Brendan Eich [:brendan] 2005-07-13 17:56:34 PDT

Comment 10 Bob Clary [:bc:] 2005-09-18 16:40:27 PDT
Checking in regress-292215.js;
/cvsroot/mozilla/js/tests/js1_5/Function/regress-292215.js,v  <--  regress-292215.js
initial revision: 1.1
Comment 11 Bob Clary [:bc:] 2006-04-09 20:22:53 PDT
verified fixed on trunk and 1.8.x branches.
