Closed
Bug 320032
Opened 19 years ago
Closed 19 years ago
Parenthesization dereferences ECMA Reference type, incorrectly
Categories
(Core :: JavaScript Engine, defect, P1)
Core
JavaScript Engine
Tracking
()
VERIFIED
FIXED
mozilla1.9alpha1
People
(Reporter: brendan, Assigned: brendan)
References
()
Details
(Keywords: js1.6, verified1.8.0.1, verified1.8.1)
Attachments
(1 file)
4.93 KB,
patch
|
mrbkap
:
review+
shaver
:
superreview+
dveditz
:
approval1.8.0.1+
dveditz
:
approval1.8.1+
|
Details | Diff | Splinter Review |
See bug 41864, where assignment's dereferencing of RHS Reference was incorrectly fixed by dereferencing under the new-in-that-bug's-fix JSOP_GROUP bytecode. This may be ugly to fix, since SpiderMonkey does not use a Reference type internally, rather it compiles out all cases that need to store through a Reference using "lvalue"-specialized bytecodes. /be
Assignee | ||
Comment 1•19 years ago
|
||
(RHS == Right Hand Side, i.e., "rvalue")
Comment 2•19 years ago
|
||
Checking in regress-320032.js; /cvsroot/mozilla/js/tests/js1_5/Regress/regress-320032.js,v <-- regress-320032.js initial revision: 1.1
Flags: testcase+
Assignee | ||
Updated•19 years ago
|
Assignee | ||
Comment 3•19 years ago
|
||
Passes the testsuite using the js shell. /be
Attachment #206876 -
Flags: superreview?(shaver)
Attachment #206876 -
Flags: review?(mrbkap)
Assignee | ||
Comment 4•19 years ago
|
||
Minimal testcase, interactive session witnessing: js> function f(){return this} js> o = {} [object Object] js> (o.m = f)() [object global] js> (o.m)() [object Object] With this bug unpatched, the last line would be [object global] too. /be
Updated•19 years ago
|
Flags: testcase+ → testcase?
Comment 5•19 years ago
|
||
Comment on attachment 206876 [details] [diff] [review] proposed fix r=mrbkap
Attachment #206876 -
Flags: review?(mrbkap) → review+
Assignee | ||
Comment 6•19 years ago
|
||
Checked into trunk for baking. /be
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Flags: testcase?
Flags: testcase+
Flags: blocking1.8.0.1?
Resolution: --- → FIXED
Comment on attachment 206876 [details] [diff] [review] proposed fix sr=shaver, though I wish I were more confident that I had checked all the places that now want a nulling of obj.
Attachment #206876 -
Flags: superreview?(shaver) → superreview+
Assignee | ||
Comment 9•19 years ago
|
||
shaver: it's easy, just grep for JOF_ASSIGNING in jsopcode.tbl to get this set: setconst setprop setelem setarg setvar bindname setname enumelem setcall setgvar bindxmlname setxmlname and eliminate all ops that do not result in an expression value (setconst bindname enumelem bindxmlname). Note also that read/write ops such as JSOP_FORPROP and JSOP_INCPROP, which flip JSFRAME_ASSIGNING, either do not result in an expression value (the JSOP_FOR* ops) or are guaranteed to result in a non-callable value (the increment ops). It might be beneficial to refactor bytecode into read- and write-only ops, and get rid of JSFRAME_ASSIGNING. This is on my radar, I'll wiki about it and other steps toward a better VM. /be
Comment 10•19 years ago
|
||
Comment on attachment 206876 [details] [diff] [review] proposed fix a=dveditz for drivers
Attachment #206876 -
Flags: approval1.8.1+
Attachment #206876 -
Flags: approval1.8.0.1+
Updated•19 years ago
|
Flags: blocking1.8.0.1? → blocking1.8.0.1+
You need to log in
before you can comment on or make changes to this bug.
Description
•