Closed Bug 350670 Opened 18 years ago Closed 18 years ago

Incorrect decompilation of "for(z() in x)"

Categories

(Core :: JavaScript Engine, defect, P1)

Product:
Core
Component:
JavaScript Engine
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla1.8.1

People

(Reporter: jruderman, Assigned: brendan)

References

Details

(Keywords: regression, testcase, verified1.8.1)

Attachments

(1 file, 1 obsolete file)

better fix
3.14 KB, patch
mrbkap
: review+
beltzner
: approval1.8.1+
Details | Diff | Splinter Review 
> function() { for(z() in x) { } }
function () { for (z()[()] in x) { } }

> function() { for(z(12345678) in x) { } }
function () { for (z(12345678)[8)] in x) { } }

I'm guessing the fact that "for (z() in x)" compiles at all has something to do with JS_HAS_LVALUE_RETURN.
Regression from 1.8.0 due to first big wave of js1.7 changes.

Great to have the decompiler fuzzer, for coverage!

/be
Blocks: js1.7
Keywords: regression
OS: Mac OS X 10.4 → All
Hardware: Macintosh → All
Attached patch fix (obsolete) — Splinter Review 
The decompiler has always required saving strings popped from the sprinter's buffer in the malloc heap, unless an all-in-one Sprint is extending the buffer on top of the popped strings (in which case, Sprint's internal buffer is used to hold the output string as it's formatted, saving the input strings from being overwritten).  The js1.7 changes neglected to save xval at the top of the do_forinhead: code.

/be
Assignee: general → brendan
Status: NEW → ASSIGNED
Attachment #236126 - Flags: review?(mrbkap)
Attached patch better fixSplinter Review 
Thanks to mrbkap for prodding.

/be
Attachment #236126 - Attachment is obsolete: true
Attachment #236132 - Flags: review?(mrbkap)
Attachment #236126 - Flags: review?(mrbkap)
Attachment #236132 - Flags: review?(mrbkap) → review+
Fixed on trunk.

/be
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Flags: blocking1.8.1?
Priority: -- → P1
Resolution: --- → FIXED
Target Milestone: --- → mozilla1.8.1
Comment on attachment 236132 [details] [diff] [review]
better fix

This is a safe spot fix, local variables and short live ranges are the only things to analyze.  The diff has two hunks, but they are adjacent and the only early returns are in the atom-not-null case, which is disjoint from the xval case as the if-else-if structure shows.

/be
Attachment #236132 - Flags: approval1.8.1?
Checking in regress-350670.js;
/cvsroot/mozilla/js/tests/js1_5/Regress/regress-350670.js,v  <--  regress-350670.js
initial revision: 1.1
Flags: in-testsuite+
I screwed up the test this morning.
Checking in regress-350670.js;
/cvsroot/mozilla/js/tests/js1_5/Regress/regress-350670.js,v  <--  regress-350670.js
new revision: 1.2; previous revision: 1.1

verified fixed 1.9 20060831 window/mac*/linux
Status: RESOLVED → VERIFIED
Comment on attachment 236132 [details] [diff] [review]
better fix

a=beltzner on behalf of 181drivers
Attachment #236132 - Flags: approval1.8.1? → approval1.8.1+
Fixed on the 1.8 branch.

/be
Keywords: fixed1.8.1
Fixed on the 1.8 branch.

/be
verified fixed 1.8 2006090118 windows/mac*/linux
Keywords: fixed1.8.1verified1.8.1
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: