Closed
Bug 507180
Opened 15 years ago
Closed 15 years ago
imacros produce incorrect results with non-primitive valueOf
Categories
(Core :: JavaScript Engine, defect, P1)
Tracking
()
RESOLVED
FIXED
Tracking | Status | |
---|---|---|
status1.9.2 | --- | beta1-fixed |
status1.9.1 | --- | ? |
People
(Reporter: luke, Assigned: luke)
Details
Attachments
(3 files, 2 obsolete files)
All three JSOP_ADD imacros produce the wrong result when there is a valueOf property and the valueOf property returns a non-primitive. It calls toString on the return of valueOf instead of the object. The attachment shows the variation.
Assignee | ||
Comment 1•15 years ago
|
||
Assignee | ||
Comment 2•15 years ago
|
||
Although I'd need to read the spec more to be sure, it appears that this error is in most imacros.
Assignee | ||
Updated•15 years ago
|
Summary: JSOP_ADD imacro produces incorrect result → imacros produce incorrect results with non-primitive valueOf
Comment 3•15 years ago
|
||
Waldo, didn't you file a bug like this a while ago? /be
Updated•15 years ago
|
Attachment #391373 -
Flags: review?(jwalden+bmo)
Comment 4•15 years ago
|
||
Comment on attachment 391373 [details] [diff] [review] fix in imacros.jsasm Good catch, patch looks correct but I'm short on sleep, so I'll let Waldo do the deed. /be
Comment 5•15 years ago
|
||
Basic language semantics correctness issue, could bite in the wild but we don't know yet. /be
Flags: wanted1.9.2?
Flags: wanted1.9.0.x?
Updated•15 years ago
|
Attachment #391373 -
Flags: review?(jwalden+bmo) → review+
Updated•15 years ago
|
blocking1.9.1: --- → ?
status1.9.1:
--- → ?
Flags: wanted1.9.2?
Flags: wanted1.9.2+
Flags: wanted1.9.0.x?
Updated•15 years ago
|
Flags: blocking1.9.2+
Assignee | ||
Comment 6•15 years ago
|
||
The fix is just adding "pop;dup" so that toString is called on the object, not the return value of valueOf.
Comment 7•15 years ago
|
||
Would you add scads of trace-tests for these cases to the patch, please?
Assignee | ||
Comment 8•15 years ago
|
||
In producing said scads, I notice that, as far as I can tell, equality.obj_obj cannot be invoked; it means "same object" and requires no conversion. Incidentally, equality_imacros.obj_obj isn't referenced in jstracer. Should I remove it?
Assignee | ||
Comment 9•15 years ago
|
||
the last hg diff left out some changes... somehow
Attachment #392391 -
Attachment is obsolete: true
Assignee | ||
Comment 10•15 years ago
|
||
This test exercises all affected imacros. It needs to be tweaked by someone test-savvy to fit into the js test harness.
Assignee | ||
Updated•15 years ago
|
Flags: in-testsuite?
Assignee | ||
Updated•15 years ago
|
Attachment #392523 -
Flags: review?(jwalden+bmo)
Comment 11•15 years ago
|
||
(In reply to comment #8) > In producing said scads, I notice that, as far as I can tell, equality.obj_obj > cannot be invoked; it means "same object" and requires no conversion. I see only equality_imacros.any_obj and .obj_any. What rev are you looking at? /be
Assignee | ||
Comment 12•15 years ago
|
||
(In reply to comment #11) > (In reply to comment #8) > > In producing said scads, I notice that, as far as I can tell, equality.obj_obj > > cannot be invoked; it means "same object" and requires no conversion. > > I see only equality_imacros.any_obj and .obj_any. What rev are you looking at? Oops, I was looking at the wrong imacro. Or maybe I went back in time and removed equality.obj_obj. You never know...
Comment 13•15 years ago
|
||
Why is this nominated as a "blocker"? We'll approve correctness fixes as they get fixed, reviewed and request branch approval. Unless this is a regression from a previous security fix? We'd prioritize that a little higher.
blocking1.9.1: ? → ---
Updated•15 years ago
|
Attachment #392523 -
Flags: review?(jwalden+bmo) → review+
Comment 14•15 years ago
|
||
Comment on attachment 392523 [details] [diff] [review] all the changes Egad, this is an awful lot of copy-paste errors...want self-hosting (with name-freezing up the wazoo to avoid property/function guarding, of course)!
Assignee | ||
Comment 15•15 years ago
|
||
http://hg.mozilla.org/tracemonkey/rev/a10a85319c3b
Comment 16•15 years ago
|
||
http://hg.mozilla.org/mozilla-central/rev/a10a85319c3b
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Updated•15 years ago
|
Priority: -- → P1
Comment 17•15 years ago
|
||
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/d1cbe0aa3915
status1.9.2:
--- → beta1-fixed
Assignee | ||
Updated•13 years ago
|
Flags: in-testsuite?
You need to log in
before you can comment on or make changes to this bug.
Description
•