Closed Bug 33391 Opened 24 years ago Closed 24 years ago

arguments.callee broken for joined function objects

Categories

(Core :: JavaScript Engine, defect, P3)

Product:
Core
Component:
JavaScript Engine
Type:
defect

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: brendan, Assigned: brendan)

References

(
URL
)

Details

(Keywords: js1.5)

Attachments

(6 files)

proposed fix
3.03 KB, patch
Details | Diff | Splinter Review
proposed further fix for argv-copying js_Invoke hard case
1.21 KB, patch
Details | Diff | Splinter Review
my hasty JS_ASSERT was the shits; better jsinterp.c patch
1.43 KB, patch
Details | Diff | Splinter Review
good grief! another old, very rare bug in this hard case
1.62 KB, patch
Details | Diff | Splinter Review
add assertion to last patch's change from previous patch
1.68 KB, patch
Details | Diff | Splinter Review
Ok, this is it! the final patch, thanks to jband
1.86 KB, patch
Details | Diff | Splinter Review 
See the news thread for test case and diagnosis.  Patch coming up.

/be
This is a backward incompatibility.  It should be fixed for js1.5.

/be
Keywords: js1.5
Attached patch proposed fixSplinter Review 

    
    

    
  
Adding tvollmer@hyperwave.com -- Till, can you try the attached patch and see 
whether it helps your multi-threaded function prototype object problems?  
Thanks,

/be

    
    

    
  
Further patch to jsinterp.c coming up -- it turns out that fp->argv may be
non-null but fp->argv[-2] is not valid, in the unlikely case that not enough
actual args were passed to a function, *and* the stack arena in which those
arguments were pushed as operands of JSOP_CALL or JSOP_NEW does not contain
enough contiguous space for the missing args and "extra" (local GC root) stack
slots needed by the function.  In that case, js_Invoke copies the args, but not
argv[-2] or argv[-1].  D'oh!

Norris, I think this accounts for the erratic fp->argv[-2] behavior you saw when
testing your first patch for http://bugzilla.mozilla.org/show_bug.cgi?id=34364
(although I don't see why qualifying the fp->argv non-null test with fp->fun
would help).  Otherwise, inspection of js/src/*.c grepping for 'argv = ' finds
no way for argv to be set such that argv[-2] would not be the callee object.

/be
Assignee: rogerl → brendan

    
    

    
  
Adding jband, my best code-buddy lately.

/be
Status: NEW → ASSIGNED

    
    

    
  
If it's guaranteed to be contiguous, why didn't I assert?  Urgh, revised final
patch coming right up.

/be

    
    

    
  
The next-to-last patch was flailing hard, trying to get back the surplus slots
it gave up in the vain hope of avoiding allocating a new arena.  The final patch
doesn't even mess with surplus measurement if the call needs more contiguous
argv space than fits in the current arena.

/be

    
    

    
  
Need a test-case, generated JS with functions having 1..largeN stack depth and
1..largeM parameters, called with missing actual args!

/be
Status: ASSIGNED → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: