Closed Bug 464645 Opened 17 years ago Closed 17 years ago

endless loop in javascript for-in when compiling with Sun Studio 12 with -xO0 -g

Categories

(Core :: JavaScript Engine, defect, P1)

VERIFIED FIXED
mozilla1.9.1b2

People

(Reporter: ginnchen+exoracle, Assigned: ginnchen+exoracle)

Details

(Keywords: verified1.9.1)

Attachments

(1 file)

A simple test case taken from trace-test.js:

    var falsies = [null, undefined, false, NaN, 0, ""];
    var j;
    for (j in falsies) {
        print(j);
    }

The problem is at http://mxr.mozilla.org/mozilla-central/source/js/src/jsinterp.cpp#3207

    3201 BEGIN_CASE(JSOP_NEXTITER)
    3202     JS_ASSERT(regs.sp - 2 >= StackBase(fp));
    3203     JS_ASSERT(!JSVAL_IS_PRIMITIVE(regs.sp[-2]));
    3204     if (!js_CallIteratorNext(cx, JSVAL_TO_OBJECT(regs.sp[-2]), &regs.sp[-1]))
    3205         goto error;
    3206     LOAD_INTERRUPT_HANDLER(cx);
    3207     PUSH(BOOLEAN_TO_JSVAL(regs.sp[-1] != JSVAL_HOLE));
    3208     TRACE_0(IteratorNextComplete);
    3209 END_CASE(JSOP_NEXTITER)

Line 3207 is the same as

    (*regs.sp++ = BOOLEAN_TO_JSVAL(regs.sp[-1] != JSVAL_HOLE));

The behavior is undefined to the compiler. It can be

    temp = BOOLEAN_TO_JSVAL(regs.sp[-1] != JSVAL_HOLE);
    *regs.sp++ = temp;

or

    temp = regs.sp++;
    *temp = BOOLEAN_TO_JSVAL(regs.sp[-1] != JSVAL_HOLE);
Attached patch: patch
Assignee: general → ginn.chen
Attachment #347948 - Flags: review?
Attachment #347948 - Flags: review? → review?(brendan)
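Added example (not part of the bug report or the attached patch): a C model of the two evaluation orders listed in the comment above, each written with explicit temporaries so it is well defined, showing why the second order never sees the hole value. `jsval_t`, `HOLE`, `iter_next`, `run_loop` and the iteration cap are stand-ins assumed for illustration, not SpiderMonkey code.

```c
#include <stdio.h>
#include <stdint.h>

typedef intptr_t jsval_t;       /* stand-in for jsval (assumption) */
#define HOLE ((jsval_t)-1)      /* stand-in for JSVAL_HOLE (assumption) */
#define MAX_ITERS 100           /* cap so the endless case still returns */

enum order { READ_THEN_BUMP, BUMP_THEN_READ };

/* Stand-in for js_CallIteratorNext: stores the next key, or HOLE when done. */
static void iter_next(int *pos, int len, jsval_t *out) {
    *out = (*pos < len) ? (jsval_t)(*pos)++ : HOLE;
}

/* Simplified for-in loop over `len` keys; returns how many bodies ran. */
int run_loop(enum order how, int len) {
    jsval_t stack[8] = {0};
    jsval_t *sp = stack + 2;    /* sp[-2]: iterator slot, sp[-1]: result slot */
    int pos = 0, iters = 0;

    while (iters < MAX_ITERS) {
        iter_next(&pos, len, &sp[-1]);
        if (how == READ_THEN_BUMP) {
            jsval_t more = (sp[-1] != HOLE);  /* reads the iterator result */
            *sp++ = more;
        } else {
            jsval_t *slot = sp++;             /* stack pointer moves first */
            *slot = (sp[-1] != HOLE);         /* sp[-1] is now *slot: stale */
        }
        jsval_t cond = *--sp;   /* pop the pushed boolean and branch on it */
        if (!cond)
            break;
        iters++;
    }
    return iters;
}

int main(void) {
    printf("read then bump: %d iterations\n", run_loop(READ_THEN_BUMP, 6));
    printf("bump then read: %d iterations (capped)\n", run_loop(BUMP_THEN_READ, 6));
    return 0;
}
```

In the second order the comparison reads the freshly reserved slot, which in this model holds 0 or the previous boolean and never `HOLE`, so only the cap ends the loop.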
Comment on attachment 347948 (patch)

Whoops! Thanks very much, Ginn. I will commit this to the tracemonkey repo right away, so it will get into m-c soon (for beta 2 of Firefox 3.1).

/be
Attachment #347948 - Flags: review?(brendan) → review+
Blocks: 458851
Severity: normal → critical
Flags: blocking1.9.1?
OS: OpenSolaris → All
Priority: -- → P1
Hardware: PC → All
Target Milestone: --- → mozilla1.9.1b2
This bug should be closed when we sync tracemonkey with mozilla-central. /be
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
test covered in js1_8_1/trace/trace-test.js
Flags: in-testsuite+
Flags: in-litmus-
Flags: blocking1.9.1? → blocking1.9.1+
Keywords: fixed1.9.1
v 1.9.1, 1.9.2
Status: RESOLVED → VERIFIED