Closed Bug 310425 Opened 20 years ago Closed 20 years ago

Array.indexOf/lastIndexOf is broken for corner cases

Categories

(Core :: JavaScript Engine, defect, P1)

Product:
Core
Component:
JavaScript Engine
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla1.8beta5

People

(Reporter: igor, Assigned: brendan)

References

(
URL
)

Details

(Keywords: fixed1.8, js1.6, Whiteboard: [needs SR shaver])

Attachments

(6 files, 1 obsolete file)

Fix
5.31 KB, patch
Details | Diff | Splinter Review
based on igor's patch, consolidates IndexToId|PropertyExists
18.52 KB, patch
Details | Diff | Splinter Review
diff -w version of last patch
15.76 KB, patch
mrbkap
: review+
Details | Diff | Splinter Review
interdiff against attachment 197832
444 bytes, patch
brendan
: review+
shaver
: superreview+
Details | Diff | Splinter Review
final patch in full
19.19 KB, patch
brendan
: review+
brendan
: superreview+
mscott
: approval1.8b5+
Details | Diff | Splinter Review
fix my blunder
1.26 KB, patch
igor
: review+
mrbkap
: review+
shaver
: superreview+
asa
: approval1.8rc1+
Details | Diff | Splinter Review
The current implementation of Array.indexOf/ Array.lastIndexOf has the following 2 issues: 1. [].lastIndexOf(undefined, -1) gives 0 instead of -1. This is due to lastIndexOf implementation always querying array[0] for negative indexes even if length is 0. 2. var x = []; x[1 << 30] = 1; var index = x.lastIndexOf(1); sets index to undefined, not 1 << 30, since code assumes that array index would always fit JSVAL_INT_MAX. Thus it would return INT_TO_JSVAL(1 << 30) which is JSVAL_VOID. Similar problem holds for indexOf but it would really long time to run x.indexOf() since the code would loop through 1 << 30 non-existing elements.
Thanks for filing this -- not sure shaver is able to jump on it. I'm in Tallinn, Estonia for ACM ICFP, but may take a crack at fixing it. /be
Flags: blocking1.8b5+
Keywords: js1.6
OS: Linux → All
Priority: -- → P1
Hardware: PC → All
Target Milestone: --- → mozilla1.8beta5
Attached patch FixSplinter Review
Patch consolidates indexOf/lastIndexOf implementation into single array_indexOfHelper which immediately returns -1 for array with length 0. Otherwise it runs the search loop that would properly wrap found index into JSVAL.
Also cleans up a few minor things from the old days. Just to cut down on code size a bit more, use js_NewNumberValue in array_indexOfHelper. /be
This should be good for 1.8b5 with a little review and testing (someone run the testsuite, my battery's low here!). /be
Attachment #197834 - Flags: superreview?(shaver)
Attachment #197834 - Flags: review?(mrbkap)
Thanks again, Igor! You helping Norris get these implemented in Rhino, by any chance? ;-) /be
(In reply to comment #5) > You helping Norris get these implemented in Rhino, by any chance? ;-) This was how I discovered the bug trying to get semantics of the extras from jsarray.c to copy it into bug 310323 and bug 310342.
(In reply to comment #3) > Also cleans up a few minor things from the old days. Just to cut down on code > size a bit more, use js_NewNumberValue in array_indexOfHelper. But should then foreach and friend also skip over non-existing indexes for consistency with the rest of code? It would also speedup that Array(UINT_MAX).forEach(...) from bug 310405.
Yes, I think we do want to be consistent here. indexOf and lastIndexOf aren't explicitly specified here, but the docs for forEach say that the array is treated as "dense": http://developer.mozilla.org/en/docs/Core_JavaScript_1.5_Reference:Global_Objects:Array:forEach#Description I'm happy to rev that, though it's late in the game to get that into Firefox 1.5.
Comment on attachment 197834 [details] [diff] [review] diff -w version of last patch Very cool. r=mrbkap
Attachment #197834 - Flags: review?(mrbkap) → review+
we need to get that super-review here if it's going to make 1.5.
Whiteboard: [needs SR shaver]
Add hole test to array_extra. /be
Attachment #198186 - Flags: superreview?(shaver)
Attachment #198186 - Flags: review+
Comment on attachment 198186 [details] [diff] [review] interdiff against attachment 197832 [details] [diff] [review] sr=shaver, thanks.
Attachment #198186 - Flags: superreview?(shaver) → superreview+
Asa, we're doing extra reviews voluntarily, js/src requires only one level. I just checked this patch into the trunk. It should go into the 1.8 branch ASAP. /be
Assignee: general → brendan
Attachment #198187 - Flags: superreview+
Attachment #198187 - Flags: review+
Attachment #198187 - Flags: approval1.8b5?
Comment on attachment 198187 [details] [diff] [review] final patch in full approving for the branch.
Attachment #198187 - Flags: approval1.8b5? → approval1.8b5+
Fixed on the 1.8 branch too -- thanks. /be
Status: NEW → RESOLVED
Closed: 20 years ago
Keywords: fixed1.8
Resolution: --- → FIXED
Attachment #197834 - Flags: superreview?(shaver)
Depends on: 311082
The committed "fix" added infinite loop bug for any array with holes like in Array(1).indexOf(1) oo was not in the attachment 197826 [details] [diff] [review] ;)
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Attached patch followup iloop fix -w (obsolete) — Splinter Review
I don't know if Igor was going to attach a fix, but this does the trick.
Attachment #198856 - Flags: review?(brendan)
Attached patch fix my blunderSplinter Review
Sorry about that, stupid mistake. /be
Attachment #198857 - Flags: superreview?(shaver)
Attachment #198857 - Flags: review?(igor3)
Attachment #198857 - Flags: approval1.8rc1?
mrbkap, sorry -- no IRC connection here, didn't know you were patching too. I restored the better loop structure Igor's original patch used, so I'd rather go with that. Feel free to review too. /be
Status: REOPENED → ASSIGNED
Flags: blocking1.8rc1+
Need more testsuite coverage, obviously. And need a new brain, mine's worn out! /be
Flags: testcase?
Comment on attachment 198857 [details] [diff] [review] fix my blunder Our patches are actually equivilant, with yours simply moving the incrementing condition out of the loop header... It's a matter of style at this point.
Attachment #198857 - Flags: review+
(In reply to comment #22) > (From update of attachment 198857 [details] [diff] [review] [edit]) > Our patches are actually equivilant, with yours simply moving the incrementing > condition out of the loop header... It's a matter of style at this point. Yeah, that's what I said ("better loop structure"). Igor's style wins. If you can't put something in most parts of for (;;), it's better to put nothing in any part. Or so I always say! (I think ken and dmr agree... ;-) /be
Attachment #198856 - Attachment is obsolete: true
Attachment #198856 - Flags: review?(brendan)
Attachment #198857 - Flags: review?(igor3) → review?(igor.bukanov)
Fixed on trunk (r=mrbkap suffices). Happy to get extra reviewe, but mrbkap's should suffice for the branch too. This bug should be fixed for 1.8 / Firefox 1.5. /be
Fixed on trunk. /be
Status: ASSIGNED → RESOLVED
Closed: 20 years ago20 years ago
Resolution: --- → FIXED
Attachment #198857 - Flags: review?(igor.bukanov) → review+
Checking in regress-310425-01.js; /cvsroot/mozilla/js/tests/js1_6/Array/regress-310425-01.js,v <-- regress-310425-01.js initial revision: 1.1 done RCS file: /cvsroot/mozilla/js/tests/js1_6/Array/regress-310425-02.js,v done Checking in regress-310425-02.js; /cvsroot/mozilla/js/tests/js1_6/Array/regress-310425-02.js,v <-- regress-310425-02.js initial revision: 1.1 done
Flags: testcase? → testcase+
Attachment #198857 - Flags: approval1.8rc1? → approval1.8rc1+
Oops, added fixed1.8 prematurely(!). Fixed on the branch now. /be
Patch caused bug 315509, in spite of review and testsuite. Sorry about that. /be
(In reply to comment #28) > Patch caused bug 315509, in spite of review and testsuite. Sorry about that. > > /be > If one passes -O3 to GCC, then it prints: jsarray.c: In function ‘array_unshift’: jsarray.c:1117: warning: ‘id2’ may be used uninitialized in this function Unfortunately -O or even -O2/-Os is not enough to trigger this warning with GCC 4.0.1 :(
Comment on attachment 198857 [details] [diff] [review] fix my blunder sr=shaver, too late to matter.
Attachment #198857 - Flags: superreview?(shaver) → superreview+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: