Closed Bug 452742 Opened 16 years ago Closed 16 years ago

overzealous eval-inside-function optimization in BindNameToSlot

Categories

(Core :: JavaScript Engine, defect)

defect
Not set
normal

RESOLVED FIXED

People

(Reporter: igor, Assigned: igor)

Details

(Keywords: testcase)

The display optimization for the eval in BindNameToSlot from jsemit.cpp ignores possible with blocks in the outer function. The following session demonstrates the problem with the current mozilla-central tip:

~/m/31-ff/js/tests $ cat ~/s/x.js
var obj = { x: -100 };

function a(x)
{
    var orig_x = x;
    var orig_obj_x = obj.x;

    with (obj) { eval("x = x + 10"); }

    if (x !== orig_x)
        throw "Unexpected mutation of x: " + x;
    if (obj.x !== orig_obj_x + 10)
        throw "Unexpected mutation of obj.x: " + obj.x;
}

a(0);
~/m/31-ff/js/tests $ ~/m/31-ff/js/src/Linux_All_DBG.OBJ/js ~/s/x.js
uncaught exception: Unexpected mutation of obj.x: 10

Here is another problem: the current code incorrectly optimizes the access to the arguments object, as the following session demonstrates:

~/m/31-ff/js/tests $ cat ~/s/x.js
var obj = { arguments: [-100] };

function a()
{
    with (obj) { return eval("arguments[0]"); }
}

function b()
{
    eval('with (obj) { return eval("arguments[0]"); };');
}

var result = a();
if (result !== -100)
    throw "Bad result"+uneval(result);

var result = b();
if (result !== -100)
    throw "Bad result"+uneval(result);

print("Ok");
~/m/31-ff/js/tests $ ~/m/31-ff/js/src/Linux_All_DBG.OBJ/js ~/s/x.js
uncaught exception: Bad result(void 0)

Depends on: 446386
This was fixed within the fix for bug 446386.
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Keywords: testcase

Igor: is SyntaxError: return not in function expected in comment 1? I see it in 1.8.0 and 1.9.1. 1.9.0 has the same error as originally reported on 1.9.1.

(In reply to comment #3)
> Igor: is SyntaxError: return not in function expected in comment 1? I see it in
> 1.8.0 and 1.9.1. 1.9.0 has the same error as originally reported on 1.9.1.

That test case is bad. The proper one would have for the function b:

function b()
{
    var result;
    eval('with (obj) { result = eval("arguments[0]"); };');
    return result;
}
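
The cases from this bug, restated as an added example (not code from the bug or from the Mozilla test suite) that runs in any ECMAScript engine instead of only the js shell. The function names, the Function-constructor wrapping and the control case without a with block are assumptions of this example.

```javascript
// Added example. Function() bodies are always sloppy-mode code, so `with`
// parses even if this file is loaded as a module or under "use strict".

// Case 1 (first test case): eval inside `with` must update obj.x, not formal x.
const withEvalAssign = new Function("obj", "x", `
    with (obj) { eval("x = x + 10"); }
    return { x: x, objX: obj.x };
`);

// Case 2 (function a): `arguments` must resolve to obj.arguments.
const withEvalArguments = new Function("obj", `
    with (obj) { return eval("arguments[0]"); }
`);

// Case 3 (corrected function b): the `with` is itself introduced by an eval.
const nestedEvalArguments = new Function("obj", `
    var result;
    eval('with (obj) { result = eval("arguments[0]"); };');
    return result;
`);

// Control (assumption of this example): with no `with` block, the same eval
// must bind to the function's own parameter.
const plainEvalAssign = new Function("obj", "x", `
    eval("x = x + 10");
    return { x: x, objX: obj.x };
`);

// Runs every case and returns a list of human-readable mismatches.
function runChecks() {
    const failures = [];
    const check = (name, actual, expected) => {
        if (actual !== expected)
            failures.push(`${name}: got ${String(actual)}, expected ${expected}`);
    };
    let r = withEvalAssign({ x: -100 }, 0);
    check("with/eval local x", r.x, 0);
    check("with/eval obj.x", r.objX, -90);
    check("with/eval arguments", withEvalArguments({ arguments: [-100] }), -100);
    check("nested eval arguments", nestedEvalArguments({ arguments: [-100] }), -100);
    r = plainEvalAssign({ x: -100 }, 0);
    check("plain eval local x", r.x, 10);
    check("plain eval obj.x", r.objX, -100);
    return failures;
}

const checkFailures = runChecks();
console.log(checkFailures.length === 0 ? "Ok" : checkFailures.join("\n"));
```

An engine that binds the eval'd name to the function's slot in spite of the enclosing with block fails the first four checks, while the control confirms that binding to the slot is still correct when no with block intervenes.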
/cvsroot/mozilla/js/tests/js1_5/Regress/regress-452742-01.js,v  <--  regress-452742-01.js
initial revision: 1.1

/cvsroot/mozilla/js/tests/js1_5/Regress/regress-452742-02.js,v  <--  regress-452742-02.js
initial revision: 1.1

http://hg.mozilla.org/mozilla-central/rev/f0e9fd501e63
Flags: in-testsuite+
Flags: in-litmus-