Bug 465276

TM: bizarre results for ((1 * (1)) | "")

VERIFIED FIXED in mozilla1.9.1b2

Get help with this page

Status

()

Product:

▸

Core

Component:

▸

JavaScript Engine

Status:

VERIFIED FIXED

Reported:

10 years ago

Modified:

10 years ago

People

(Reporter: Jesse Ruderman, Assigned: gal)

Tracking

({testcase, verified1.9.1})

Version:

Trunk

Target:

mozilla1.9.1b2

Platform:

x86

Mac OS X

Keywords:

testcase, verified1.9.1

Points:

---

Blocks:

arithfuzz

Bug Flags:

damons

blocking1.9.1

in-testsuite

in-litmus

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment)

patch 10 years ago Andreas Gal :gal 1.81 KB, patch	Edwin Smith : review+ dvander : review+	Details \| Diff \| Splinter Review

Jesse Ruderman

(Reporter)

Description

•

10 years ago

e.js:

empty = [];
out = [];
for (var j=0;j<10;++j) { empty[42]; out.push((1 * (1)) | ""); }
print(uneval(out));

./js -j ~/e.js
[1, 1, 1965522873, 9, 16, 25, 36, 49, 64, 81]

Jesse Ruderman

(Reporter)

Comment 1

•

10 years ago

Why do I need the "empty[42]" part?  That's an artifact of how the fuzzer works, rather than something the fuzzer generated :(

Andreas Gal :gal

(Assignee)

Comment 2

•

10 years ago

Created attachment 348523 [details] [diff] [review]
patch

Assignee: general → gal

Status: NEW → ASSIGNED

Attachment #348523 - Flags: review?(edwsmith)

Andreas Gal :gal

(Assignee)

Comment 3

•

10 years ago

This is a super evil bug. We can't do CSE across in-trace branch labels. Will push with r=me until someone + or - it.

Andreas Gal :gal

(Assignee)

Updated

•

10 years ago

Attachment #348523 - Flags: review?(danderson)

David Anderson [:dvander] - inactive, e-mail if emergency

Updated

•

10 years ago

Attachment #348523 - Flags: review?(danderson) → review+

Andreas Gal :gal

(Assignee)

Comment 4

•

10 years ago

http://hg.mozilla.org/tracemonkey/rev/55e30117ecee

Status: ASSIGNED → RESOLVED

Last Resolved: 10 years ago

Resolution: --- → FIXED

Andreas Gal :gal

(Assignee)

Comment 5

•

10 years ago

ccing ed and graydon

Edwin Smith

Updated

•

10 years ago

Attachment #348523 - Flags: review?(edwsmith) → review+

Damon Sicore (:damons)

Comment 6

•

10 years ago

reopening, marking blocking beta2, will close once landed on m-c.

Status: RESOLVED → REOPENED

Flags: blocking1.9.1+

Resolution: FIXED → ---

Damon Sicore (:damons)

Updated

•

10 years ago

Target Milestone: --- → mozilla1.9.1b2

Mike Beltzner [:beltzner, not reading bugmail]

Comment 7

•

10 years ago

Fixed in the merge pushed by vlad on Nov 18 14:11:14 2008 -0800:
http://hg.mozilla.org/mozilla-central/rev/e8ed5d4bf531

Status: REOPENED → RESOLVED

Last Resolved: 10 years ago → 10 years ago

Resolution: --- → FIXED

Bob Clary [:bc:]

Comment 8

•

10 years ago

Checking in js1_5/extensions/regress-465276.js;
/cvsroot/mozilla/js/tests/js1_5/extensions/regress-465276.js,v  <--  regress-465276.js
initial revision: 1.1

Flags: in-testsuite+

Flags: in-litmus-

Shawn Wilsher :sdwilsh

Comment 9

•

10 years ago

http://hg.mozilla.org/mozilla-central/rev/7bed07c2b742

Mike Beltzner [:beltzner, not reading bugmail]

Updated

•

10 years ago

Keywords: fixed1.9.1

Bob Clary [:bc:]

Comment 10

•

10 years ago

v 1.9.1, 1.9.2

Status: RESOLVED → VERIFIED

Keywords: fixed1.9.1 → verified1.9.1

You need to log in before you can comment on or make changes to this bug.

Bugzilla

TM: bizarre results for ((1 * (1)) | "")

Status

()

People

(Reporter: Jesse Ruderman, Assigned: gal)

Tracking

({testcase, verified1.9.1})

Firefox Tracking Flags

(Not tracked)

Details

Security

(public)

User Story

Attachments

(1 attachment)

Description

Comment 1

Comment 2

Comment 3

Updated

Updated

Comment 4

Comment 5

Updated

Comment 6

Updated

Updated

Comment 7

Comment 8

Comment 9

Updated

Comment 10