Closed Bug 361274 Opened 18 years ago Closed 18 years ago

embedded nulls in Javascript object property names not allowed?

Categories

(Core :: JavaScript Engine, defect, P1)

Product:
Core
Component:
JavaScript Engine
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla1.9alpha1

People

(Reporter: jmsachs, Assigned: brendan)

References

Details

(Keywords: verified1.8.0.9, verified1.8.1.1)

Attachments

(2 files)

fix
2.43 KB, patch
mrbkap
: review+
jay
: approval1.8.1.1+
Details | Diff | Splinter Review
fix merged to 1.8.0 branch
2.62 KB, patch
brendan
: review+
jay
: approval1.8.0.9+
Details | Diff | Splinter Review 
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8.1) Gecko/20061010 Firefox/2.0
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.8.1) Gecko/20061010 Firefox/2.0

As I mentioned in the newsgroups:

http://groups.google.com/group/mozilla.dev.tech.js-engine/browse_thread/thread/f7cd724599385b28/3b2fb62f4c332d8d

<script language=javascript>
x='123'+'\0'+'456';
y='123'+'\0'+'789';
a={};
a[x]=1;
a[y]=2;
s='(x==y): '+(x==y)+'\na[x]: '+a[x]+'\na[y]: '+a[y]+'\na["123"]:
'+a["123"];
alert(s);
</script>

On Mozilla (and in JSDB which also uses Spidermonkey) this prints
(x==y): false
a[x]: 2
a[y]: 2
a["123"]: 2

It appears object indices use a different equality metric than
Javascript's string equality operator "==", namely that Javascript
strings have an overall length and don't just stop at an embedded null
character, whereas object indices seem to stop at an embedded null.

Is this behavior documented somewhere (and is it intentional or a bug)?

I realize this is a kind of obscure case, but it is possible to use strings with embedded nulls... e.g. perhaps if I am reading in binary data from a file and using that as a key into a lookup table.

Reproducible: Always
Attached patch fixSplinter Review 
Old bug, biting only property identifiers that start with a (positive or negative) number that could fit in a tagged integer.  Thanks for finding it.

/be
Assignee: general → brendan
Status: UNCONFIRMED → ASSIGNED
Attachment #246056 - Flags: review?(mrbkap)
Attachment #246056 - Flags: review?(mrbkap) → review+
Fixed on trunk:

Checking in jsobj.c;
/cvsroot/mozilla/js/src/jsobj.c,v  <--  jsobj.c
new revision: 3.302; previous revision: 3.301
done

This is actually a fairly bad standards conformance bug, in my view.  You can't count on mapping arbitrary strings to values using objects, while JS back to Netscape 2 (JavaScript 1.0) and ECMA say you can do that, and you should be able to, respectively.  IIRC this broke in the Mozilla world; not sure about Netscape 4, but IE and others get it right AFAIK.

/be
Blocks: js1.7src
Severity: minor → major
Flags: blocking1.8.1.1?
Flags: blocking1.8.0.9?
OS: Windows 2000 → All
Priority: -- → P1
Hardware: PC → All
Target Milestone: --- → mozilla1.9alpha
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Checking in regress-361274.js;
/cvsroot/mozilla/js/tests/ecma_3/Object/regress-361274.js,v  <--  regress-361274.js
initial revision: 1.1
done
Flags: in-testsuite+
Flags: blocking1.8.1.1?
Flags: blocking1.8.1.1+
Flags: blocking1.8.0.9?
Flags: blocking1.8.0.9+
Brendan: Is the patch in this bug good for both branches?  Please submit separate patches if needed and ask for checkin approval...I can then + them for landing.  Thanks!
Comment on attachment 246056 [details] [diff] [review]
fix

This applies cleanly to the 1.8 branch, as expected. New patch for 1.8.0 next.

/be
Attachment #246056 - Flags: approval1.8.1.1?

        Attachment #246190 -
        Flags: review+

        Attachment #246190 -
        Flags: approval1.8.0.9?

    
    

    
  
Comment on attachment 246056 [details] [diff] [review]
fix

Approved for 1.8.1 branch, a=jay for drivers.

        Attachment #246056 -
        Flags: approval1.8.1.1? → approval1.8.1.1+

    
    

    
  
Comment on attachment 246190 [details] [diff] [review]
fix merged to 1.8.0 branch

Approved for 1.8.0 branch, a=jay for drivers.

        Attachment #246190 -
        Flags: approval1.8.0.9? → approval1.8.0.9+

    
    

    
  
Checking in jsobj.c;
/cvsroot/mozilla/js/src/jsobj.c,v  <--  jsobj.c
new revision: 3.208.2.40; previous revision: 3.208.2.39
done

Checking in jsobj.c;
/cvsroot/mozilla/js/src/jsobj.c,v  <--  jsobj.c
new revision: 3.208.2.12.2.17; previous revision: 3.208.2.12.2.16
done

/be
Keywords: fixed1.8.0.9, 
          
            fixed1.8.1.1

    
    

    
  
verified fixed 20061122 1.8.1.1 windows/linux/mac*, 1.9 windows/linux
Status: RESOLVED → VERIFIED
Keywords: fixed1.8.0.9, 
          
            fixed1.8.1.1verified1.8.0.9, 
          
            verified1.8.1.1

    
    

    
  
oops, forgot to say verified fixed 20061122 1.8.0.9 windows/linux/mac*

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: