Closed Bug 375794 Opened 17 years ago Closed 17 years ago

Incorrect decompilation with array comprehension in catchguard

Categories

(Core :: JavaScript Engine, defect, P1)

Product:
Core
Component:
JavaScript Engine
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla1.9alpha5

People

(Reporter: jruderman, Assigned: brendan)

References

Details

(Keywords: regression, testcase)

Attachments

(1 file, 2 obsolete files)

patch I committed
6.94 KB, patch
brendan
: review+
Details | Diff | Splinter Review 
"c" becomes "[]":

js> function() { try { } catch(a if [b for each (c in [])]) { } } 
function () {
    try {
    } catch (a if [b for each ([] in [])]) {
    }
}

I think this also causes
Assertion failure: (uintN)i < ss->top, at jsopcode.c:2483
Keywords: regression
Severity: normal → critical
Did the fix for bug 351102 cause this bug? In any event, the decompiler stack is not being managed to include the necessary slot for the exception.

/be
Assignee: general → brendan
Status: NEW → ASSIGNED
OS: Mac OS X → All
Priority: -- → P1
Hardware: PC → All
Target Milestone: --- → mozilla1.9alpha5
Attached patch fix (obsolete) — Splinter Review 
Should be self-explanatory. Variation on the case shows the need for conditioning in JSOP_LEAVEBLOCK:

function() { try { } catch(a if [b for each (c in [])]) { print(a) } catch (e) { print(e) }}

/be
Attachment #263378 - Flags: review?(igor)
Comment on attachment 263378 [details] [diff] [review]
fix

>Index: jsopcode.c
>===================================================================
>RCS file: /cvsroot/mozilla/js/src/jsopcode.c,v
>retrieving revision 3.228
>diff -p -u -8 -r3.228 jsopcode.c
>--- jsopcode.c	1 May 2007 18:07:44 -0000	3.228
>+++ jsopcode.c	1 May 2007 19:08:09 -0000
>@@ -2426,44 +2426,57 @@ Decompile(SprintStack *ss, jsbytecode *p
>                   case SRC_CATCH:
...
>                     if (*pc == JSOP_DUP) {
>                         sn2 = js_GetSrcNote(jp->script, pc);
>                         if (sn2 && SN_TYPE(sn2) == SRC_HIDDEN) {
>                             /*
>                              * This is a hidden dup to save the exception for
>-                             * later. It must exist only when the catch has
>-                             * an exception guard.
>+                             * later. It is emitted only when the catch has an
>+                             * exception guard.
>                              */

As I understand, the decompiler has to model the stack precisely as the interpreter does for asserts and stack calculations based on jsopcode.tbl to work. So this dup is not hidden, but rather very visible! Thus I suggest to remove the hidden node from the guarded catch dup and rather annotate the following one with SRC_DESTRUCT.

Otherwise it seems OK.
Attached patch fix, v2 (obsolete) — Splinter Review 
Good point, thanks.

/be
Attachment #263378 - Attachment is obsolete: true
Attachment #263414 - Flags: review?(igor)
Attachment #263378 - Flags: review?(igor)
Attachment #263414 - Flags: review?(igor) → review+
Fixed on trunk:

js/src/jsemit.c 3.246
js/src/jsopcode.c 3.229

/be
Blocks: js1.7src
Status: ASSIGNED → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Fixed a recent unpicked whitespace nit in jsopcode.c.

/be
Attachment #263414 - Attachment is obsolete: true
Attachment #263441 - Flags: review+
/cvsroot/mozilla/js/tests/js1_7/decompilation/regress-375794.js,v  <--  regress-375794.js
initial revision: 1.1
Flags: in-testsuite+
Depends on: 379483
verified fixed 1.9.0 linux/mac* 2007-05-05 shell.
Status: RESOLVED → VERIFIED
Depends on: 379860
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: