Closed
Bug 582161
Opened 14 years ago
Closed 14 years ago
TM: new Array(non-unsigned-32-bit integer) works incorrectly
Categories
(Core :: JavaScript Engine, defect)
Core
JavaScript Engine
Tracking
()
RESOLVED
FIXED
People
(Reporter: Waldo, Assigned: paul.biggar)
Details
(Whiteboard: fixed-in-tracemonkey)
[jwalden@find-waldo-now src]$ dbg/js -j js> var vs = [1, 1, 1, 1, 3.5, 1]; js> for (var i = 0, sz = vs.length; i < sz; i++) new Array(vs[i]); [,] js> [jwalden@find-waldo-now src]$ dbg/js js> var vs = [1, 1, 1, 1, 3.5, 1]; js> for (var i = 0, sz = vs.length; i < sz; i++) new Array(vs[i]); typein:2: RangeError: invalid array length The latter behavior is correct.
Reporter | ||
Comment 1•14 years ago
|
||
We only manage to get the negative-length case right by some amount of dumb luck: -1, or whatever, gets converted to mega-huge and is passed to js_NewArrayWithSlots, but -- right now -- when we try to growDenseArrayElements in js_NewArrayWithSlots we hit the return-false below, go back to the interpreter, and retry. I don't think this is the method of failure we really want here, happening to do okay because an obscured overflow check happens to catch it. JSObject::growDenseArrayElements (this=0x7ffff1a035a0, cx=0x8faca0, oldcap=0, newcap=4294967295) at ../jsarray.cpp:314 314 JS_ASSERT(isDenseArray()); 315 JS_ASSERT(newcap >= ARRAY_CAPACITY_MIN); 316 JS_ASSERT(newcap >= oldcap); 317 318 if (newcap > MAX_DSLOTS_LENGTH32) { 319 if (!JS_ON_TRACE(cx)) 320 js_ReportAllocationOverflow(cx); 321 return JS_FALSE; 322 }
Assignee | ||
Updated•14 years ago
|
Assignee: general → pbiggar
Assignee | ||
Comment 2•14 years ago
|
||
The test case from comment 1 is now working. It was probably fixed during the conversion to flexible length JSObject in bug 584917. I'm going to add it to the repo anyway. The second problem -- that it's a mess in there -- is definitely true, but I can't find any actual errors in there. We're very unclear about when to use jsuint and when to use jsint, but i'm cleaning this up as part of bug 581180.
Comment 3•14 years ago
|
||
Outside of the public API, we should use int32 and uint32 (no _t please) instead of jsint and jsuint. ECMA-262 is not gonna grow to 64-bit int types and EIBTI. /be
Assignee | ||
Comment 4•14 years ago
|
||
http://hg.mozilla.org/tracemonkey/rev/06f233f9259b This is just the test case, no review required.
Status: NEW → ASSIGNED
Whiteboard: fixed-in-tracemonkey
Reporter | ||
Comment 5•14 years ago
|
||
Did you check whether the song and dance routine of comment 1 is still in place? Even if this now is observably correct, I'd still like to see that fixed.
Assignee | ||
Comment 6•14 years ago
|
||
(In reply to comment #5) > Did you check whether the song and dance routine of comment 1 is still in > place? Even if this now is observably correct, I'd still like to see that > fixed. I take it you mean comment 2. The song-and-dance has changed considerably, but its still sort-of singing and dancing. The tracer now calls js_NewEmptyArray, which has a check for len < -1, so the exact problem is fixed. But the multitude of array allocation functions occasionally confuse the signed-ness, which I'm sorting out as part of 581180.
Comment 7•14 years ago
|
||
http://hg.mozilla.org/mozilla-central/rev/06f233f9259b
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
You need to log in
before you can comment on or make changes to this bug.
Description
•