Open
Bug 803837
Opened 12 years ago
Updated 2 years ago
Clearing object properties by setting property
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
NEW
People
(Reporter: sigurd, Unassigned)
Details
(Keywords: testcase, Whiteboard: (works on nightly)[js:p2])
Attachments
(1 file)
|
194 bytes,
text/html
|
Details |
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0
Build ID: 20121010144125
Steps to reproduce:
Greetings!
Code like this doesn't work properly on FF16:
/************** code start **********/
function setValue(ob)
{
ob['a' + 555] = 2;
}
function cl()
{
this.bInited = this.Init();
}
cl.prototype.Init = function()
{
this.a = 1;
setValue(this);
return true;
}
var e = new cl();
alert(e.a);
/************** code end **********/
After line "ob['a' + 555] = 2;" all object properties are cleared. If we change this on ob['a555'] = 2 everything is ok. If we remove 'this.bInited = ' - everything is also ok.
In FF15 and other browsers this code worked as it should.
Actual results:
we recieve 'undefined'
Expected results:
we should recieve '1'
|
||
Comment 1•12 years ago
|
||
Confirming on 16.0.2. Works fine on Nightly, though. Couldn't find the bug about this, moving to Core since I'm curious to see it, and it seems serious enough to warrant fixing ASAP. (Guessing JS engine, although I don't have a JS shell from the 16.x branch to check). (Note: the problem cannot be reproduced from scratchpad, I ran this as a top-level <script> in an html file to reproduce).
Assignee: nobody → general
Status: UNCONFIRMED → NEW
Component: Untriaged → JavaScript Engine
Ever confirmed: true
Keywords: testcase
OS: Windows 7 → All
Product: Firefox → Core
Whiteboard: (works on nightly)
|
|
||
Comment 2•12 years ago
|
||
|
||
Comment 3•12 years ago
|
||
Scratchpad may well not be jitted or something... Nickolay, can you find a fix range?
|
|
||
Comment 4•12 years ago
|
||
bz, sorry, don't count on me. I only had time yesterday.
|
|
||
Comment 5•12 years ago
|
||
Not a problem at all. This got fixed back in July: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=045c11dd41a6&tochange=462106f027af Given that, this looks like this probably got fixed by the fix for bug 646599... but only because after that change "ob['a' + 555] = 2" and "ob['a555'] = 2" are treated identically. So the underlying bug might still be there.
|
|
||
Comment 6•12 years ago
|
||
Tom, any idea whether this is really fixed or just masked?
|
Reporter | |
Comment 7•12 years ago
|
||
FF 17.0 - fixed Thanks!
|
||
Comment 8•12 years ago
|
||
I am pretty sure this bug should not have changed anything observable like that. cc'ing Jeff.
|
||
Comment 9•12 years ago
|
||
Yeah, seems like there's an underlying issue here. Given the this-property-setting bits here, I suspect a TI issue, albeit with no hard evidence in support of the theory.
|
||
Updated•12 years ago
|
Whiteboard: (works on nightly) → (works on nightly)[js:p2]
|
Assignee | |
Updated•10 years ago
|
Assignee: general → nobody
|
||
Updated•2 years ago
|
Severity: normal → S3
You need to log in
before you can comment on or make changes to this bug.
Description
•