Closed
Bug 350670
Opened 18 years ago
Closed 18 years ago
Incorrect decompilation of "for(z() in x)"
Categories
(Core :: JavaScript Engine, defect, P1)
Core
JavaScript Engine
Tracking
()
VERIFIED
FIXED
mozilla1.8.1
People
(Reporter: jruderman, Assigned: brendan)
References
Details
(Keywords: regression, testcase, verified1.8.1)
Attachments
(1 file, 1 obsolete file)
3.14 KB,
patch
|
mrbkap
:
review+
beltzner
:
approval1.8.1+
|
Details | Diff | Splinter Review |
> function() { for(z() in x) { } } function () { for (z()[()] in x) { } } > function() { for(z(12345678) in x) { } } function () { for (z(12345678)[8)] in x) { } } I'm guessing the fact that "for (z() in x)" compiles at all has something to do with JS_HAS_LVALUE_RETURN.
Assignee | ||
Comment 1•18 years ago
|
||
Regression from 1.8.0 due to first big wave of js1.7 changes. Great to have the decompiler fuzzer, for coverage! /be
Assignee | ||
Comment 2•18 years ago
|
||
The decompiler has always required saving strings popped from the sprinter's buffer in the malloc heap, unless an all-in-one Sprint is extending the buffer on top of the popped strings (in which case, Sprint's internal buffer is used to hold the output string as it's formatted, saving the input strings from being overwritten). The js1.7 changes neglected to save xval at the top of the do_forinhead: code. /be
Assignee | ||
Comment 3•18 years ago
|
||
Thanks to mrbkap for prodding. /be
Attachment #236126 -
Attachment is obsolete: true
Attachment #236132 -
Flags: review?(mrbkap)
Attachment #236126 -
Flags: review?(mrbkap)
Updated•18 years ago
|
Attachment #236132 -
Flags: review?(mrbkap) → review+
Assignee | ||
Comment 4•18 years ago
|
||
Fixed on trunk. /be
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Flags: blocking1.8.1?
Priority: -- → P1
Resolution: --- → FIXED
Target Milestone: --- → mozilla1.8.1
Assignee | ||
Comment 5•18 years ago
|
||
Comment on attachment 236132 [details] [diff] [review] better fix This is a safe spot fix, local variables and short live ranges are the only things to analyze. The diff has two hunks, but they are adjacent and the only early returns are in the atom-not-null case, which is disjoint from the xval case as the if-else-if structure shows. /be
Attachment #236132 -
Flags: approval1.8.1?
Comment 6•18 years ago
|
||
Checking in regress-350670.js; /cvsroot/mozilla/js/tests/js1_5/Regress/regress-350670.js,v <-- regress-350670.js initial revision: 1.1
Flags: in-testsuite+
Comment 7•18 years ago
|
||
I screwed up the test this morning. Checking in regress-350670.js; /cvsroot/mozilla/js/tests/js1_5/Regress/regress-350670.js,v <-- regress-350670.js new revision: 1.2; previous revision: 1.1 verified fixed 1.9 20060831 window/mac*/linux
Status: RESOLVED → VERIFIED
Comment 8•18 years ago
|
||
Comment on attachment 236132 [details] [diff] [review] better fix a=beltzner on behalf of 181drivers
Attachment #236132 -
Flags: approval1.8.1? → approval1.8.1+
Assignee | ||
Comment 10•18 years ago
|
||
Fixed on the 1.8 branch. /be
Comment 11•18 years ago
|
||
verified fixed 1.8 2006090118 windows/mac*/linux
Keywords: fixed1.8.1 → verified1.8.1
You need to log in
before you can comment on or make changes to this bug.
Description
•