Closed Bug 465276 Opened 16 years ago Closed 16 years ago

TM: bizarre results for ((1 * (1)) | "")

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla1.9.1b2

People

(Reporter: jruderman, Assigned: gal)

References

Details

(Keywords: testcase, verified1.9.1)

Attachments

(1 file)

patch
1.81 KB, patch
edwsmith
: review+
dvander
: review+
Details | Diff | Splinter Review 
e.js:

empty = [];
out = [];
for (var j=0;j<10;++j) { empty[42]; out.push((1 * (1)) | ""); }
print(uneval(out));

./js -j ~/e.js
[1, 1, 1965522873, 9, 16, 25, 36, 49, 64, 81]
Why do I need the "empty[42]" part?  That's an artifact of how the fuzzer works, rather than something the fuzzer generated :(
Attached patch patchSplinter Review 
Assignee: general → gal
Status: NEW → ASSIGNED

        Attachment #348523 -
        Flags: review?(edwsmith)

    
    

    
  
This is a super evil bug. We can't do CSE across in-trace branch labels. Will push with r=me until someone + or - it.

    
  

        Attachment #348523 -
        Flags: review?(danderson)

        Attachment #348523 -
        Flags: review?(danderson) → review+

    
    

    
  
http://hg.mozilla.org/tracemonkey/rev/55e30117ecee
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED

    
    

    
  
ccing ed and graydon

    
  

        Attachment #348523 -
        Flags: review?(edwsmith) → review+

    
    

    
  
reopening, marking blocking beta2, will close once landed on m-c.
Status: RESOLVED → REOPENED
Flags: blocking1.9.1+
Resolution: FIXED → ---
Target Milestone: --- → mozilla1.9.1b2

    
    

    
  
Fixed in the merge pushed by vlad on Nov 18 14:11:14 2008 -0800:
http://hg.mozilla.org/mozilla-central/rev/e8ed5d4bf531
Status: REOPENED → RESOLVED
Closed: 16 years ago16 years ago
Resolution: --- → FIXED

    
    

    
  
Checking in js1_5/extensions/regress-465276.js;
/cvsroot/mozilla/js/tests/js1_5/extensions/regress-465276.js,v  <--  regress-465276.js
initial revision: 1.1
Flags: in-testsuite+
Flags: in-litmus-

    
    

    
  
v 1.9.1, 1.9.2
Status: RESOLVED → VERIFIED
Keywords: fixed1.9.1verified1.9.1

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: