Closed Bug 320032 Opened 19 years ago Closed 19 years ago

Parenthesization dereferences ECMA Reference type, incorrectly

Categories

(Core :: JavaScript Engine, defect, P1)

Product:
Core
Component:
JavaScript Engine
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla1.9alpha1

People

(Reporter: brendan, Assigned: brendan)

References

(
URL
)

Details

(Keywords: js1.6, verified1.8.0.1, verified1.8.1)

Attachments

(1 file)

proposed fix
4.93 KB, patch
mrbkap
: review+
shaver
: superreview+
dveditz
: approval1.8.0.1+
dveditz
: approval1.8.1+
Details | Diff | Splinter Review 
See bug 41864, where assignment's dereferencing of RHS Reference was incorrectly fixed by dereferencing under the new-in-that-bug's-fix JSOP_GROUP bytecode.  This may be ugly to fix, since SpiderMonkey does not use a Reference type internally, rather it compiles out all cases that need to store through a Reference using "lvalue"-specialized bytecodes.

/be
(RHS == Right Hand Side, i.e., "rvalue")
Checking in regress-320032.js;
/cvsroot/mozilla/js/tests/js1_5/Regress/regress-320032.js,v  <--  regress-320032.js
initial revision: 1.1
Flags: testcase+
Blocks: js1.6rc1
Status: NEW → ASSIGNED
Keywords: js1.6
Priority: -- → P1
Target Milestone: --- → mozilla1.9alpha
Attached patch proposed fixSplinter Review 
Passes the testsuite using the js shell.

/be
Attachment #206876 - Flags: superreview?(shaver)
Attachment #206876 - Flags: review?(mrbkap)
Minimal testcase, interactive session witnessing:

js> function f(){return this}
js> o = {}
[object Object]
js> (o.m = f)()
[object global]
js> (o.m)()
[object Object]

With this bug unpatched, the last line would be [object global] too.

/be
Flags: testcase+ → testcase?
Comment on attachment 206876 [details] [diff] [review]
proposed fix

r=mrbkap
Attachment #206876 - Flags: review?(mrbkap) → review+
Checked into trunk for baking.

/be
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Flags: testcase?
Flags: testcase+
Flags: blocking1.8.0.1?
Resolution: --- → FIXED
verified windows/linux/mac trunk
Status: RESOLVED → VERIFIED
Comment on attachment 206876 [details] [diff] [review]
proposed fix

sr=shaver, though I wish I were more confident that I had checked all the places that now want a nulling of obj.
Attachment #206876 - Flags: superreview?(shaver) → superreview+
shaver: it's easy, just grep for JOF_ASSIGNING in jsopcode.tbl to get this set:

setconst setprop setelem setarg setvar bindname setname enumelem setcall setgvar bindxmlname setxmlname

and eliminate all ops that do not result in an expression value (setconst bindname enumelem bindxmlname).  Note also that read/write ops such as JSOP_FORPROP and JSOP_INCPROP, which flip JSFRAME_ASSIGNING, either do not result in an expression value (the JSOP_FOR* ops) or are guaranteed to result in a non-callable value (the increment ops).

It might be beneficial to refactor bytecode into read- and write-only ops, and get rid of JSFRAME_ASSIGNING.  This is on my radar, I'll wiki about it and other steps toward a better VM.

/be
Comment on attachment 206876 [details] [diff] [review]
proposed fix

a=dveditz for drivers
Attachment #206876 - Flags: approval1.8.1+
Attachment #206876 - Flags: approval1.8.0.1+
Flags: blocking1.8.0.1? → blocking1.8.0.1+
Fixed on branches.

/be
Keywords: fixed1.8.0.1, fixed1.8.1
v 2006-01-11 1.8.0.1, 1.8.1, trunk on windows/linux/mac
Keywords: fixed1.8.0.1, fixed1.8.1verified1.8.0.1, verified1.8.1
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: