Closed Bug 507180 Opened 15 years ago Closed 15 years ago

imacros produce incorrect results with non-primitive valueOf

Categories

(Core :: JavaScript Engine, defect, P1)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
Linux
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
status1.9.2 --- beta1-fixed
status1.9.1 --- ?

People

(Reporter: luke, Assigned: luke)

Details

Attachments

(3 files, 2 obsolete files)

JSOP_ADD in JIT vs. interp
317 bytes, text/plain
Details
all the changes
28.46 KB, patch
Waldo
: review+
Details | Diff | Splinter Review
Regression test for all affected imacros
1.87 KB, application/javascript
Details 
All three JSOP_ADD imacros produce the wrong result when there is a valueOf property and the valueOf property returns a non-primitive.  It calls toString on the return of valueOf instead of the object.  The attachment shows the variation.
Attached patch fix in imacros.jsasm (obsolete) — Splinter Review 

    
    

    
  
Although I'd need to read the spec more to be sure, it appears that this error is in most imacros.

    
  
Summary: JSOP_ADD imacro produces incorrect result → imacros produce incorrect results with non-primitive valueOf

    
    

    
  
Waldo, didn't you file a bug like this a while ago?

/be

        Attachment #391373 -
        Flags: review?(jwalden+bmo)

    
    

    
  
Comment on attachment 391373 [details] [diff] [review]
fix in imacros.jsasm

Good catch, patch looks correct but I'm short on sleep, so I'll let Waldo do the deed.

/be

    
    

    
  
Basic language semantics correctness issue, could bite in the wild but we don't know yet.

/be
Flags: wanted1.9.2?
Flags: wanted1.9.0.x?

    
  

        Attachment #391373 -
        Flags: review?(jwalden+bmo) → review+

    
  
blocking1.9.1: --- → ?

          status1.9.1:
          --- → ?
Flags: wanted1.9.2?
Flags: wanted1.9.2+
Flags: wanted1.9.0.x?

    
  
Flags: blocking1.9.2+

    
    

    
  


  
The fix is just adding "pop;dup" so that toString is called on the object, not the return value of valueOf.
Assignee: general → lw

        Attachment #391373 -
        Attachment is obsolete: true
Status: NEW → ASSIGNED

    
    

    
  
Would you add scads of trace-tests for these cases to the patch, please?

    
    

    
  
In producing said scads, I notice that, as far as I can tell, equality.obj_obj cannot be invoked; it means "same object" and requires no conversion.  Incidentally, equality_imacros.obj_obj isn't referenced in jstracer.  Should I remove it?

    
    

    
  

      
      
      
      

        Attached patch
          
          
        all the changesSplinter Review
      

    


  
the last hg diff left out some changes... somehow

        Attachment #392391 -
        Attachment is obsolete: true

    
    

    
  


  
This test exercises all affected imacros.  It needs to be tweaked by someone test-savvy to fit into the js test harness.

    
  
Flags: in-testsuite?

    
  

        Attachment #392523 -
        Flags: review?(jwalden+bmo)

    
    

    
  
(In reply to comment #8)
> In producing said scads, I notice that, as far as I can tell, equality.obj_obj
> cannot be invoked; it means "same object" and requires no conversion. 

I see only equality_imacros.any_obj and .obj_any. What rev are you looking at?

/be

    
    

    
  
(In reply to comment #11)
> (In reply to comment #8)
> > In producing said scads, I notice that, as far as I can tell, equality.obj_obj
> > cannot be invoked; it means "same object" and requires no conversion. 
> 
> I see only equality_imacros.any_obj and .obj_any. What rev are you looking at?

Oops, I was looking at the wrong imacro.  Or maybe I went back in time and removed equality.obj_obj.  You never know...

    
    

    
  
Why is this nominated as a "blocker"? We'll approve correctness fixes as they get fixed, reviewed and request branch approval. Unless this is a regression from a previous security fix? We'd prioritize that a little higher.
blocking1.9.1: ? → ---

    
  

        Attachment #392523 -
        Flags: review?(jwalden+bmo) → review+

    
    

    
  
Comment on attachment 392523 [details] [diff] [review]
all the changes

Egad, this is an awful lot of copy-paste errors...want self-hosting (with name-freezing up the wazoo to avoid property/function guarding, of course)!

    
    

    
  
http://hg.mozilla.org/mozilla-central/rev/a10a85319c3b
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED

    
  
Priority: -- → P1

    
  
Flags: in-testsuite?

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: