Closed Bug 429252 Opened 16 years ago Closed 16 years ago

trap changes decompilation of "{ let x }"

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
minor

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: jruderman, Assigned: crowderbt)

References

Details

(Keywords: testcase)

Attachments

(2 files)

js1_7/decompilation/regress-429252.js
2.56 KB, text/plain
Details
undoing my silliness from the previous patch
5.23 KB, patch
shaver
: review+
shaver
: approval1.9+
Details | Diff | Splinter Review 
js> function f() { { let x } }
js> f
function f() {
    {
        let x;
    }
}

js> trap(f, 0, "")
js> f
function f() {
    {
        let x;
    }
    let x;
}
This is fixed by my WIP patch from bug 422137.
Depends on: 422137
Status: NEW → RESOLVED
Closed: 16 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
I'll check in when the tree reopens
/cvsroot/mozilla/js/tests/js1_7/decompilation/regress-429252.js,v  <--  regress-429252.js
initial revision: 1.1

This test fails on mac os x, leopard at least. 

debug: Assertion failure: ATOM_IS_STRING(atom), at jsinterp.c:4946
opt:   bus error

Note to self: the automation is not collecting the proper error messages.
Flags: in-testsuite?
Flags: in-testsuite+
Flags: in-litmus-
/cvsroot/mozilla/js/tests/public-failures.txt,v  <--  public-failures.txt
new revision: 1.70; previous revision: 1.69

centos5 x86_64:
nada

fedora6/centos i686 32bit:
Assertion failure: (script)->objectsOffset != 0, at jsinterp.c:6489

fedora8 32bit:
Assertion failure: (uint32)((atoms - script->atomMap.vector + ((uintN)(((regs.pc + 0)[1] << 8) | (regs.pc + 0)[2])))) < objects_->length

crowder, do you want a new bug or reopen this one?

Let's keep it here.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
I really don't know what I was thinking with the previous patch.  This logic must occur in DecompileCode (which is not recursive).  Otherwise, we end up doing pointer math on the untraped "code", using an unmodified pc.  This causes us to go out-of-bounds on the code array we're untrapping.

This bug is very serious and should block.
Assignee: general → crowder
Status: REOPENED → ASSIGNED
Attachment #318295 - Flags: review?(shaver)
Flags: blocking1.9?
I'll create a follow-up bug to introduce some assertions in jsdbgapi.c:js_UntrapScriptCode which would have saved us from this.  I'd rather not do that here.
also js1_5/extensions/regress-429264.js
Comment on attachment 318295 [details] [diff] [review]
undoing my silliness from the previous patch

r+a=shaver, thanks for the diff showing the net-of-previous changes.
Attachment #318295 - Flags: review?(shaver)
Attachment #318295 - Flags: review+
Attachment #318295 - Flags: approval1.9+
jsopcode.c: 3.313
Status: ASSIGNED → RESOLVED
Closed: 16 years ago16 years ago
Resolution: --- → FIXED
v 1.9.0
Status: RESOLVED → VERIFIED
Clearing my blocking request from ages ago.
Flags: blocking1.9?
You need to log in before you can comment on or make changes to this bug.