Closed Bug 507180 Opened 16 years ago Closed 16 years ago

imacros produce incorrect results with non-primitive valueOf

Categories

(Core :: JavaScript Engine, defect, P1)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
Linux
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
status1.9.2 --- beta1-fixed
status1.9.1 --- ?

People

(Reporter: luke, Assigned: luke)

Details

Attachments

(3 files, 2 obsolete files)

JSOP_ADD in JIT vs. interp
317 bytes, text/plain
Details
all the changes
28.46 KB, patch
Waldo
: review+
Details | Diff | Splinter Review
Regression test for all affected imacros
1.87 KB, application/javascript
Details
All three JSOP_ADD imacros produce the wrong result when there is a valueOf property and the valueOf property returns a non-primitive. It calls toString on the return of valueOf instead of the object. The attachment shows the variation.
Attached patch fix in imacros.jsasm (obsolete) — Splinter Review
Although I'd need to read the spec more to be sure, it appears that this error is in most imacros.
Summary: JSOP_ADD imacro produces incorrect result → imacros produce incorrect results with non-primitive valueOf
Waldo, didn't you file a bug like this a while ago? /be
Attachment #391373 - Flags: review?(jwalden+bmo)
Comment on attachment 391373 [details] [diff] [review] fix in imacros.jsasm Good catch, patch looks correct but I'm short on sleep, so I'll let Waldo do the deed. /be
Basic language semantics correctness issue, could bite in the wild but we don't know yet. /be
Flags: wanted1.9.2?
Flags: wanted1.9.0.x?
Attachment #391373 - Flags: review?(jwalden+bmo) → review+
blocking1.9.1: --- → ?
status1.9.1: --- → ?
Flags: wanted1.9.2?
Flags: wanted1.9.2+
Flags: wanted1.9.0.x?
Flags: blocking1.9.2+
The fix is just adding "pop;dup" so that toString is called on the object, not the return value of valueOf.
Assignee: general → lw
Attachment #391373 - Attachment is obsolete: true
Status: NEW → ASSIGNED
Would you add scads of trace-tests for these cases to the patch, please?
In producing said scads, I notice that, as far as I can tell, equality.obj_obj cannot be invoked; it means "same object" and requires no conversion. Incidentally, equality_imacros.obj_obj isn't referenced in jstracer. Should I remove it?
Attached patch all the changesSplinter Review
the last hg diff left out some changes... somehow
Attachment #392391 - Attachment is obsolete: true
This test exercises all affected imacros. It needs to be tweaked by someone test-savvy to fit into the js test harness.
Flags: in-testsuite?
Attachment #392523 - Flags: review?(jwalden+bmo)
(In reply to comment #8) > In producing said scads, I notice that, as far as I can tell, equality.obj_obj > cannot be invoked; it means "same object" and requires no conversion. I see only equality_imacros.any_obj and .obj_any. What rev are you looking at? /be
(In reply to comment #11) > (In reply to comment #8) > > In producing said scads, I notice that, as far as I can tell, equality.obj_obj > > cannot be invoked; it means "same object" and requires no conversion. > > I see only equality_imacros.any_obj and .obj_any. What rev are you looking at? Oops, I was looking at the wrong imacro. Or maybe I went back in time and removed equality.obj_obj. You never know...
Why is this nominated as a "blocker"? We'll approve correctness fixes as they get fixed, reviewed and request branch approval. Unless this is a regression from a previous security fix? We'd prioritize that a little higher.
blocking1.9.1: ? → ---
Attachment #392523 - Flags: review?(jwalden+bmo) → review+
Comment on attachment 392523 [details] [diff] [review] all the changes Egad, this is an awful lot of copy-paste errors...want self-hosting (with name-freezing up the wazoo to avoid property/function guarding, of course)!
http://hg.mozilla.org/mozilla-central/rev/a10a85319c3b
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Priority: -- → P1
Flags: in-testsuite?
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: