Closed
Bug 379482
Opened 17 years ago
Closed 17 years ago
Crash [@ js_IsIdentifier] decompiling float setter
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
mozilla1.9alpha5
People
(Reporter: jruderman, Assigned: crowderbt)
References
Details
(Keywords: crash, regression, testcase, Whiteboard: [sg:critical?] post-1.9a4)
Crash Data
Attachments
(2 files)
|
1.40 KB,
patch
|
brendan
:
review+
igor
:
review+
|
Details | Diff | Splinter Review |
|
1.37 KB,
patch
|
mrbkap
:
review+
|
Details | Diff | Splinter Review |
js> function() { ({ 1.1 setter: 2 }) }
Segmentation fault
Exception: EXC_BAD_ACCESS (0x0001)
Codes: KERN_INVALID_ADDRESS (0x0001) at 0x3ff19999
Thread 0 Crashed:
0 js 0x000b4a01 js_IsIdentifier + 235 (jsscan.c:164)
1 js 0x00094127 Decompile + 38716 (jsopcode.c:3959)
2 js 0x000954d2 js_DecompileCode + 492 (jsopcode.c:4318)
3 js 0x00095e8b js_DecompileFunction + 1891 (jsopcode.c:4516)
4 js 0x0001aa36 JS_DecompileFunction + 84 (jsapi.c:4668)
5 js 0x000503db js_fun_toString + 494 (jsfun.c:1528)
6 js 0x0005043f fun_toString + 53 (jsfun.c:1539)
7 js 0x00059269 js_Invoke + 2945 (jsinterp.c:1332)
8 js 0x0005968c js_InternalInvoke + 309 (jsinterp.c:1426)
9 js 0x000854f0 js_TryMethod + 346 (jsobj.c:4633)
10 js 0x00083f24 js_DefaultValue + 143 (jsobj.c:3924)
11 js 0x000c7550 js_ValueToString + 98 (jsstr.c:2656)
12 js 0x00008bc3 JS_ValueToString + 24 (jsapi.c:543)
13 js 0x00002197 Process + 949 (js.c:270)
14 js 0x00002b7b ProcessArgs + 2045 (js.c:519)
15 js 0x00007a40 main + 612 (js.c:3237)
16 js 0x00001c86 _start + 216
17 js 0x00001bad start + 41
|
Reporter | |
Updated•17 years ago
|
Flags: blocking1.9?
Whiteboard: [sg:critical?] post-1.9a4
|
Assignee | |
Comment 1•17 years ago
|
||
This bug did not exist before the code in bug 356083 landed?
|
|
Assignee | |
Comment 2•17 years ago
|
||
|
||
Comment 3•17 years ago
|
||
Comment on attachment 263510 [details] [diff] [review] not all atoms are strings, crowder Aren't keywords allowed now in property id contexts? Asking igor for second review. /be
Attachment #263510 -
Flags: review?(igor)
Attachment #263510 -
Flags: review?(brendan)
Attachment #263510 -
Flags: review+
|
||
Comment 4•17 years ago
|
||
(In reply to comment #3) > (From update of attachment 263510 [details] [diff] [review]) > Aren't keywords allowed now in property id contexts? Asking igor for second > review. The are not allowed after get/set: js> var x = { get in1() { return 10; } } js> var x = { get in() { return 10; } } typein:4: SyntaxError: missing : after property id: typein:4: var x = { get in() { return 10; } } typein:4: ..............^ I consider this is a bug since keywords is allowed as function names and AFAICS supporting get keyword should not be a pronlem.
|
|
||
Updated•17 years ago
|
Attachment #263510 -
Flags: review?(igor) → review+
|
|
Assignee | |
Comment 5•17 years ago
|
||
So instead of using IS_KEYWORD, I should check specifically against "this"? I was worried about missing cases by doing that, but I agree with Igor (I think) that "get in" should work. The keyword fix is related to bug 356083, btw.
|
|
||
Comment 6•17 years ago
|
||
(In reply to comment #5) > So instead of using IS_KEYWORD, I should check specifically against "this"? No (why would 'this' be the only case?). The point is that you can avoid the old setter: syntax and use set this(v) { ... } instead of "this" setter: function (v) {...}, and likewise for any keyword (not just for 'this'). > I > was worried about missing cases by doing that, but I agree with Igor (I think) > that "get in" should work. The keyword fix is related to bug 356083, btw. The keyword fix I'm looking for is the bug not yet on file (right, Igor?) about get in() {...} within an object initialiser not being legal because 'in' is a keyword. I think we want that bug to block this one, and this one should then allow keywords in the new-style getters and setters in object initialisers. Igor, what do you think? /be
|
|
Assignee | |
Comment 7•17 years ago
|
||
I misunderstood this comment, then: https://bugzilla.mozilla.org/show_bug.cgi?id=356083#c6 ... I'll file the new bug and propose a patch, if we're all agreed? I wrote the IS_KEYWORD check in that bug (not this one) because of the 'this' problem. So any new bug should probably block that one and not this one.
|
|
||
Comment 8•17 years ago
|
||
Sorry, my comment was written without benefit of Igor's keywords legal in function names patch -- or if that patch had landed by then, we didn't make the connection to get foo() {...} / set foo(x) {...} style getters and setters.
It's safe to bounce keyword identifiers to the old syntax, but not nice in light of ES4. Better to allow keywords in new-style getters and setters, and patch this bug to force old-style only for non-identifier property names.
/be|
|
||
Comment 9•17 years ago
|
||
I filed bug 379566 about keywords after get/set and made it blocking this one.
|
|
Assignee | |
Comment 10•17 years ago
|
||
jsopcode.c: 3.327
|
|
Assignee | |
Updated•17 years ago
|
Status: ASSIGNED → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
|
|
Reporter | |
Comment 11•17 years ago
|
||
Still crashes for me.
function() { ({ 1.1 setter: 2 }) }
Exception: EXC_BAD_ACCESS (0x0001)
Codes: KERN_PROTECTION_FAILURE (0x0002) at 0x00000008
Thread 0 Crashed:
0 js 0x00094ad7 Decompile + 38814 (jsopcode.c:3987)
1 js 0x00095eb0 js_DecompileCode + 492 (jsopcode.c:4349)
2 js 0x00096869 js_DecompileFunction + 1891 (jsopcode.c:4547)
3 js 0x0001b096 JS_DecompileFunction + 84 (jsapi.c:4668)
4 js 0x00050b97 js_fun_toString + 494 (jsfun.c:1528)
5 js 0x00050bfb fun_toString + 53 (jsfun.c:1539)
6 js 0x00059a49 js_Invoke + 2945 (jsinterp.c:1332)
7 js 0x00059e6c js_InternalInvoke + 309 (jsinterp.c:1426)
8 js 0x00085e58 js_TryMethod + 346 (jsobj.c:4633)
9 js 0x0008488c js_DefaultValue + 143 (jsobj.c:3924)
10 js 0x000c7f48 js_ValueToString + 98 (jsstr.c:2656)
11 js 0x00009223 JS_ValueToString + 24 (jsapi.c:543)
12 js 0x000027f7 Process + 949 (js.c:270)
13 js 0x000031db ProcessArgs + 2045 (js.c:519)
14 js 0x000080a0 main + 612 (js.c:3237)
15 js 0x000022e6 _start + 216
16 js 0x0000220d start + 41
|
|
Assignee | |
Comment 12•17 years ago
|
||
Not sure how I overlooked this.
Attachment #264451 -
Flags: review?(igor)
|
|
Assignee | |
Comment 13•17 years ago
|
||
It's interesting to me, btw, that the object literal here doesn't get optimized away, since it is never used and never returned by the function. SHOULD it be?
|
|
Reporter | |
Comment 14•17 years ago
|
||
I can't be optimized away as a useless expression-statement, because if you redefined Object or put some setters on Object.prototype, you'd expect your code to be called. (But see bug 376957 comment 0, especially proposal B.)
|
||
Updated•17 years ago
|
Target Milestone: --- → mozilla1.9alpha5
|
||
Comment 15•17 years ago
|
||
Comment on attachment 264451 [details] [diff] [review] null check It's easy to miss this -- it's a result of code that flows from the goto label (namely from the JSOP_INITELEM code).
Attachment #264451 -
Flags: review?(igor) → review+
|
|
||
Updated•17 years ago
|
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
|
|
Assignee | |
Comment 16•17 years ago
|
||
jsopcode.c: 3.242
|
|
Assignee | |
Updated•17 years ago
|
Status: REOPENED → RESOLVED
Closed: 17 years ago → 17 years ago
Resolution: --- → FIXED
|
||
Comment 17•17 years ago
|
||
/cvsroot/mozilla/js/tests/js1_7/extensions/regress-379482.js,v <-- regress-379482.js initial revision: 1.1
Flags: in-testsuite+
|
||
Updated•17 years ago
|
Flags: wanted1.8.1.x-
Flags: wanted1.8.0.x-
|
||
Updated•13 years ago
|
Crash Signature: [@ js_IsIdentifier]
You need to log in
before you can comment on or make changes to this bug.
Description
•