Closed
Bug 321971
Opened 19 years ago
Closed 19 years ago
JSOP_FINDNAME replaces JSOP_BINDNAME, does not prefix it
Categories
(Core :: JavaScript Engine, defect, P1)
Core
JavaScript Engine
Tracking
()
VERIFIED
FIXED
mozilla1.9alpha1
People
(Reporter: brendan, Assigned: brendan)
References
()
Details
(Keywords: js1.6, verified1.8.0.1, verified1.8.1)
Attachments
(2 files)
2.58 KB,
patch
|
mrbkap
:
review+
shaver
:
superreview+
dveditz
:
approval1.8.0.1+
dveditz
:
approval1.8.1+
|
Details | Diff | Splinter Review |
2.14 KB,
patch
|
Details | Diff | Splinter Review |
In the fix for bug 155081, I missed the case in the summary. This results in a JSOP_BINDNAME being emitted without its immmediate operand (which is the desired format when prefixed by JSOP_LITOPX, but that's not applicable to this case), when it should not be emitted at all. Trivial patch next. /be
Assignee | ||
Updated•19 years ago
|
Status: NEW → ASSIGNED
Flags: blocking1.8.1+
Flags: blocking1.8.0.1+
Priority: -- → P1
Assignee | ||
Comment 1•19 years ago
|
||
Trivial given diff -w coming next. Review that, stamp this. /be
Attachment #207240 -
Flags: superreview?(shaver)
Attachment #207240 -
Flags: review?(mrbkap)
Assignee | ||
Comment 2•19 years ago
|
||
Assignee | ||
Comment 3•19 years ago
|
||
IOW, there are JOF_NAME and JOF_PROP formats that look like op, <16-bit-atom-index> and these are converted to xop, either JSOP_FINDNAME (for JOF_NAME format) or JSOP_LITERAL (for JOF_PROP), followed by the JOF_ELEM counterpart to op, eop: xop, <24-bit-atom-index>, eop An element op eop takes all operands from the stack, where they are [obj, id] for gets and [obj, id, val] for sets except for JSOP_ENUMELEM, which has [val, obj, id] (no JOF_NAME or JOF_PROP format converts to JSOP_ENUMELEM on 16-bit immediate overflow, note well). But JSOP_BINDNAME (a JOF_NAME format, as its name implies) always precedes the right-hand-side evaluation, in order to compute the Reference base (the obj in [obj, id] where id comes from a 16-bit immediate) on the stack in advance of side-effects to the scope chain that might arise in the RHS evaluation. Then a JSOP_SETNAME finds that obj stacked under the rvalue, and uses its own 16-bit immediate atom index to get the id to compute [obj, id] and actually set the property. When the 16-bit immediate is not big enough, we don't want to turn JSOP_BINDNAME and JSOP_SETNAME into extended forms, because JSOP_FINDNAME *replaces* BINDNAME and pushes both [obj, id] at once. The JSOP_SETNAME converts to JSOP_SETELEM after the RHS evaluation, so it needs no prefixing (no immediates to extend). Hope this helps. /be
Comment on attachment 207240 [details] [diff] [review] fix sr=shaver
Attachment #207240 -
Flags: superreview?(shaver) → superreview+
Assignee | ||
Comment 5•19 years ago
|
||
Comment on attachment 207240 [details] [diff] [review] fix Checked into trunk (SpiderMonkey is still single-review), but I want mrbkap's r+ before nominating for the branches. /be
Comment 6•19 years ago
|
||
Comment on attachment 207240 [details] [diff] [review] fix r=mrbkap
Attachment #207240 -
Flags: review?(mrbkap) → review+
Assignee | ||
Comment 7•19 years ago
|
||
Comment on attachment 207240 [details] [diff] [review] fix This is a local, safe fix for a bug that can result in garbage bytecodes being interpreted. The number of bytecodes is limited to 2, and they can't have arbitrary effects, so I don't see a security hazard (yet). Given the local and minimal (look at the diff -w) properties of the patch, and the argument in comment 3, I think we are better off taking this and not worrying about exploitability. /be
Attachment #207240 -
Flags: approval1.8.1?
Attachment #207240 -
Flags: approval1.8.0.1?
Comment 8•19 years ago
|
||
Comment on attachment 207240 [details] [diff] [review] fix a=dveditz for drivers. Please mark FIXED (it's on the trunk) and add the fixed1.8.1 and fixed1.8.0.1 keywords when it's checked into those branches
Attachment #207240 -
Flags: approval1.8.1?
Attachment #207240 -
Flags: approval1.8.1+
Attachment #207240 -
Flags: approval1.8.0.1?
Attachment #207240 -
Flags: approval1.8.0.1+
Assignee | ||
Comment 9•19 years ago
|
||
Fixed on branches. /be
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Keywords: fixed1.8.0.1,
fixed1.8.1
Resolution: --- → FIXED
Comment 10•19 years ago
|
||
/cvsroot/mozilla/js/tests/js1_5/Regress/regress-321971.js,v <-- regress-321971.js
Flags: testcase+
Assignee | ||
Updated•18 years ago
|
Keywords: fixed1.8.1
Updated•18 years ago
|
Keywords: fixed1.8.1
You need to log in
before you can comment on or make changes to this bug.
Description
•