Closed
Bug 623746
Opened 14 years ago
Closed 13 years ago
Incorrect treatment of some null-valued arguments by addition/concatenation
Categories
(Tamarin Graveyard :: Virtual Machine, defect, P2)
Tracking
(Not tracked)
RESOLVED
FIXED
flash10.2.x-Spicy
People
(Reporter: cthilgen, Assigned: wmaddox)
References
Details
(Whiteboard: fixed-in-spicy,fixed-in-spicier)
Attachments
(1 file)
12.05 KB,
patch
|
stejohns
:
review+
|
Details | Diff | Splinter Review |
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/534.10 (KHTML, like Gecko) Chrome/8.0.552.224 Safari/534.10 Build Identifier: AVMPlus Internal Build On Nov-2-2010 Behavior is different than previous build which would not prepend null. NOTE: appending a string to an unitialized String (+=) would prepend a null (and continues today) Reproducible: Always Steps to Reproduce: ------------------------ trace("BEGIN-TEST") var testString1:String; testString1 += "5"; trace("testString1:" + testString1); var testString2:String; testString2 += 5; trace("testString2:" + testString2); trace("END-TEST") ------------------------ RESULTS: oct-31-2010 11:00 pm BEGIN-TEST testString1:null5 testString2:5 END-TEST RESULTS: nov-2-2010 11:00 pm BEGIN-TEST testString1:null5 testString2:null5 END-TEST ------------------------ Please refer to Watson Bug #2783583 for additional information and injection details.
Reporter | ||
Comment 1•14 years ago
|
||
NOTE: We should add additional unit tests to cover this operation since we obviously don't have them today.
Updated•14 years ago
|
Flags: in-testsuite?
Comment 2•14 years ago
|
||
This could be a result of jit policy changes in Spicy? If I run your test case with the interpreter (-Dinterp) I get your "old" result, and if I run it with the JIT (-Ojit) I get the "new" result (tamarin-redux 5733). Chris, when you're reporting results like these that are obtained with a plugin we need to know from which branch and changeset the plugin was built (and also whether it's a Release or Release-Debugger or other configuration).
Component: API → Virtual Machine
QA Contact: api → vm
Comment 3•14 years ago
|
||
BTW my understanding is that your "old" result is correct according to specs - null added to number 5 yields number 5 which is then converted back to string - so we're possibly looking at a new JIT bug here where it prematurely converts number 5 to string because it "knows" the result is going to be a string. For grins I tried with TR 4058, and here the JIT and interpreter agree and produce your "old" result. Looks like a JIT injection.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Priority: -- → P2
Target Milestone: --- → flash10.2.x-Spicy
Comment 4•14 years ago
|
||
Bill should investigate this ASAP for the Spicy release. The problem is the VMCFG_FASTPATH_ADD code and all its helpers not correctly handling a null String ptr. In the above test case, we get into op_add_a_ai and hit the concat_strings code at the bottom. A fix would be to have a null check added: if (ISNULL(lhs)) return s->atom(); else return core->concatStrings(core->string(lhs), s)->atom(); All the helper routines that perform concatStrings need to be investigated. int + atom atom + int double + atom atom + double etc.
Comment 5•14 years ago
|
||
Taking the liberty of assigning to wmaddox@adobe.com -- if you don't have the bandwidth to examine soon, let us know and we'll find someone to do so
Assignee: nobody → wmaddox
Comment 6•14 years ago
|
||
(BTW, this bug is currently assigned to me in Watson, but Bill is far more familiar with this code than I -- for a late-breaking Spicy change I'd definitely be more comfortable with him investigating, if possible)
Assignee | ||
Comment 7•14 years ago
|
||
The helper functions are all specializations of op_add_a_aa(), which implements the general case of atom + atom addition/concatenation when the fastpath optimization is enabled. It was intended to be a slightly optimized version of the existing op_add() used by the interpreter, with more streamlined handling of the numeric + numeric cases. I also replaced calls to AvmCore::isString() with a new function atomIsString(), which tested only the atomKind tag, and therefore failed to distinguish actual string values from one of the multiple representations of the null. This patch reverts this incorrect change, and adds a test case. The patch is against tr-spicy, but should apply to TR as well.
Attachment #502130 -
Flags: review?(stejohns)
Assignee | ||
Updated•14 years ago
|
Attachment #502130 -
Attachment is patch: true
Comment 8•14 years ago
|
||
Comment on attachment 502130 [details] [diff] [review] Remove atomIsString() and use AvmCore::isString() in specialized add/concatenate helper functions Nice. Subtle.
Attachment #502130 -
Flags: review?(stejohns) → review+
Reporter | ||
Comment 11•14 years ago
|
||
> Chris, when you're reporting results like these that are obtained with a plugin
> we need to know from which branch and changeset the plugin was built (and also
> whether it's a Release or Release-Debugger or other configuration).
Lars - I did not know what was appropriate to add to bugzilla - i added a note about the related Watson bug to look at - which has additional details - this was found in AIR - but it should also be reproducible in all variants of the player.
Assignee | ||
Comment 12•14 years ago
|
||
Pushed to tr-spicy: http://hg.mozilla.org/users/stejohns_adobe.com/tr-spicy/rev/9989a55e791e
Assignee | ||
Updated•14 years ago
|
Summary: Appending a number to an uninitialized String (+=) prepends null to result → Incorrect treatment of some null-valued arguments by addition/concatenation
Assignee | ||
Updated•14 years ago
|
Whiteboard: fixed-in-spicy,fixed-in-spicier
Comment 13•13 years ago
|
||
changeset: 5825:56ee0c2cc62d user: William Maddox <wmaddox@adobe.com> summary: Bug 623746 - Use correct test for String-valued atom in add/concatenate fastpath helper functions (r=stejohns) http://hg.mozilla.org/tamarin-redux/rev/56ee0c2cc62d
Assignee | ||
Updated•13 years ago
|
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
You need to log in
before you can comment on or make changes to this bug.
Description
•