Closed Bug 532823 Opened 15 years ago Closed 15 years ago

GetFromClosure gives wrong output if cx->fp->callobj is our call object and argc > 0

Categories

(Core :: JavaScript Engine, defect)

x86
macOS
defect
Not set
normal

Tracking


RESOLVED FIXED
Tracking Status
status1.9.2 --- final-fixed

People

(Reporter: bzbarsky, Assigned: dmandelin)

Details

(Whiteboard: fixed-in-tracemonkey)

Attachments

(2 files)

Attached file Testcase
Testcase attached. Run with/without -j and notice that the output with -j is wrong. This is a slightly modified (by passing > 0 args) version of name2.js from dmandelin's tests.
Flags: blocking1.9.2?
Attached patch Patch
I wrote this as we were talking, so I'm posting it. I think it's right, but it needs a test case (in trace-tests).
Assignee: general → dmandelin
Summary: GetFromClosure gives wrong output if cs->fp->callobj is our call object and argc > 0 → GetFromClosure gives wrong output if cx->fp->callobj is our call object and argc > 0
Comment on attachment 415995 (Patch)

Looks good to me, esp. with a comment pointing to the upvar traits. And maybe a followup bug to merge the two?
Attachment #415995 - Flags: review+
http://hg.mozilla.org/tracemonkey/rev/beeafdf32079
Whiteboard: fixed-in-tracemonkey
>     static inline uint32 adj_slot(JSStackFrame* fp, uint32 slot) { return slot; }
>-    static inline jsval* slots(JSStackFrame* fp) { return fp->slots; }
>+    static inline jsval* slots(JSStackFrame* fp) { return 3 + fp->argc + fp->slots; }
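Review bot: the `3 + fp->argc` offset is applied to the base pointer returned by `slots()` while `adj_slot` is left returning `slot` unchanged, so every caller of `slots()` for this trait now sees a shifted base even where it only wants `fp->slots`; since `adj_slot` is the per-slot adjustment hook, the offset belongs there (`return 3 + fp->argc + slot;`) with `slots()` restored to `return fp->slots;`. The bare literal `3` also wants a comment saying which three entries it skips past, or a named constant, so the next reader does not have to reverse-engineer the frame layout from the number.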

Er... I somehow totally misread that. That's wrong; we should be changing adj_slot, not slots().
Flags: blocking1.9.2? → blocking1.9.2+
http://hg.mozilla.org/mozilla-central/rev/beeafdf32079
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED