The problem was that when "w=With()" is executed, the new object "w" is created
such that it shares a scope with Object.prototype. When GC runs and
Object.prototype and "w" are both collected, the test in js_DropObjectMap
currently looks like
    if (MAP_IS_NATIVE(map) && ((JSScope *)map)->object == obj)
        ((JSScope *)map)->object = NULL;
The problem is that MAP_IS_NATIVE is false because the object ops are special
for the With object. Thus map->object is left nonnull and when "w" is collected,
it tries to drop its scope, which causes map->object to be referenced, causing
the null dereference.
Update MAP_IS_NATIVE to include With objects as well.
for trynotes in the current code generator, and grow that space as needed.
- Avoid dividing by a multiple of 3 (JSTryNote is 3 ptrdiff_t's) via (char *)
arithmetic.
and more important, to save a byte of useless note offset, use SRC_CONTINUE
instead of SRC_PCDELTA to annotate JSOP_ENDINIT when there's an extra comma
at the end of an array literal (e.g. [1,2,,]).
tokenstream in Function, to avoid calling malloc at all.
- But do check for malloc failure under PR_ARENA_ALLOCATE (the old call to
JS_malloc was unchecked).
- Don't double-report a scanner error such as illegal character in
Function("a@b", "return a*b")
- Do report a "malformed formal parameter" error in
Function("a,b,", "return a*b")
- Fiddle comments to more precisely rule out the above bugs.
- Switch improvements:
- JSOP_CONDSWITCH is a 1 byte nop, not variable length with the same kind
of immediate operand as JSOP_LOOKUPSWITCH (which is useless except for
decompilation). New scheme uses SRC_COMMA notes on each JSOP_CASE opcode,
usually 2 bytes per note, and a typically-1-byte 2nd offset on SRC_SWITCH:
1 + 2 * ncases
vs. the previous JSOP_LOOKUPSWITCH immediate, which consumed:
4 * ncases
bytes after the switch opcode just for decompilation.
- SRC_SWITCH has two offsets, first to end of switch as before, the second
to first case if JSOP_CONDSWITCH, for decompilation.
- Optimize switches with all-constant cases using JSOP_TABLESWITCH, or if
that can't be used, JSOP_LOOKUPSWITCH, before falling back on ECMAv2's
JSOP_CONDSWITCH.
- Use cx->gcDisabled when evaluating case exprs at compile time for old,
pre-ECMAv2 switches, to prevent branch-callback-based GC invocations
from ripping apart the unrooted temporary script for each case expr.
- Fixed up stale SRC_SWITCH comments in jsemit.h.
jsemit.c jsemit.h
- TREE_CONTEXT_INIT to match ATOM_LIST_INIT, not English word order.
- Reorganized JSCodeGenerator to sort of match argument order to
js_InitCodeGenerator.
- Got rid of confusing CG_RESET* macros and used memset(cg, 0, sizeof *cg)
and non-zero-default init in js_InitCodeGenerator. js_ResetCodeGenerator
just releases the code and temp arena pools and leaves the cg in a state
where it must be re-initialized (as before, but more obvious).
- In the same spirit, don't do partial "resets" of src and trynotes in their
js_FinishTaking*Notes functions -- those are friends of jsscript.c and are
not general, idempotent functions.
jsapi.c jsapi.h jsarray.c jsatom.c jsatom.h jscntxt.c jsemit.c jsmsg.def
jsnum.c jsobj.c jsopcode.c jsregexp.c jsscan.c jsstr.c jsxdrapi.
- Use PR_snprintf rather than sprintf always, so we don't have to worry
about systems with 64-bit longs that overflow 12-byte buffers and open
Morris-Worm-type security holes.
- Trim extra spaces, fix hanging indentation, and similar anal retention.
- Renamed JSMSG_BAD_PROTO_SORT to JSMSG_BAD_SORT_ARG cuz that's what it
is complaining about.
- SRC_CATCHGUARD still lived in comments, but it's SRC_CATCH in code.
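The overflow behind the PR_snprintf change, shown with standard C snprintf as an added example (not code from the SpiderMonkey tree): a 12-byte buffer holds any 32-bit long, but LONG_MIN on an LP64 platform needs 20 characters, and the bounded call reports the truncation instead of writing past the buffer. The function names are assumptions for illustration.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* The fixed buffer size the commit message refers to: "-2147483648" (11
   chars) plus NUL fits a 32-bit long, but a 64-bit long needs up to 21. */
#define NUM_BUF_SIZE 12

/* Number of characters the decimal form of v occupies, NUL excluded. */
size_t decimal_len(long v)
{
    return (size_t)snprintf(NULL, 0, "%ld", v);
}

/* Bounded formatting in the spirit of the PR_snprintf change: returns 1 if
   v was written in full, 0 if it was truncated to fit size, -1 on error.
   Unlike sprintf, it can never write past buf[size - 1]. */
int format_long(char *buf, size_t size, long v)
{
    int n;

    if (size == 0)
        return -1;
    n = snprintf(buf, size, "%ld", v);
    if (n < 0)
        return -1;
    return (size_t)n < size ? 1 : 0;
}

/* Does the 12-byte buffer suffice for every value of long on this platform? */
int num_buf_is_safe(void)
{
    return decimal_len(LONG_MIN) < NUM_BUF_SIZE;
}

int main(void)
{
    char buf[NUM_BUF_SIZE];

    printf("LONG_MIN needs %zu chars; 12-byte buffer safe: %d\n",
           decimal_len(LONG_MIN), num_buf_is_safe());
    printf("format LONG_MIN into 12 bytes -> %d (\"%s\")\n",
           format_long(buf, sizeof buf, LONG_MIN), buf);
    return 0;
}
```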
jscntxt.c jscntxt.h jsinterp.c
- Packed nearby JSPackedBools and added a new one: gcDisabled, for use by
jsemit.c's pre-ECMAv2 switch case expr eval.
- Rip out old js_InterpreterHooks stuff from original liveconnect (moja).
- Remove javaData and savedErrors from JSContext. Leaving it to fur or
shaver to remove javaData from jsscript.h.
word neologism, not two words.
- Use consistent neighboring terseness ("error" rather than "err" in intercaps
identifiers).
- Don't leave pointers in JSErrorReport to freed memory if bailing on OOM in
jscntxt.c:js_ExpandErrorArguments.
- Hanging indentation, code fusion via continue, and other misc. cleanups.
Fixed bug #317398, for loop without condition wasn't decompiling the body
correctly since the first statement in that body was getting eaten by
mistake when trying to consume the condition expression.
call, and experimented with copying the original JSErrorReport into
private data. Much of this to support a toString method for exception
objects.
It's not polished, but I wanted to get toString available quickly.
the compile-error reporting mechanism,
providing a way to associate exceptions
(very likely SyntaxError exceptions)
with compile-time errors.
(Hopefully this is temporary, as I'd
prefer one central place in the
error-reporting process to put the
js_ErrorToException call.)
Also changed the error reporter in js.c
to only ignore error reports marked with
the JSREPORT_EXCEPTION advisory flag when
the error occurs during javascript execution.
If it's at the toplevel compilation
level, then the error is still reported
(and the exception discarded.)
The api is feeling slightly dirtier, but
it still seems like the best
compromise...
enum JSErrNum, and changed a uintN
errorNumber declaration to JSErrNum.
It'd be nice to change the uintN
errorNumber field in JSErrorReport to
JSErrNum, but it's not clear that
JSErrNum is or should be exposed in the
API. Any C esthetes want to offer their
opinions?
It made my debugger slightly happier.
Including:
Preliminary work on internationalizing error messages
Preliminary work on exposing runtime errors as catchable exceptions
ECMA-proposed throw and try/catch/finally, with multiple catch clauses
and catchguards
ECMA-proposed in/instanceof operators
IEEE-conformant number to string conversion
Fixes and other good stuff.
the compiler to puhleeze let us use denormalized floating point
values, as required by the ECMA spec. Thanks to various contributors,
including Torsten Rüger <torsten@ponton-hamburg.de>, for working on
numeric issues. Fix courtesy wtc.
and development branches, including but
not limited to:
- Preliminary exception handling per
ECMA proposal; try, multiple
catchblocks, and finally. Catchblocks
are of the form catch (v) or
catch(v:<guard>), where guard is an
optional boolean expression that is
evaluated to determine whether the
exception is to be caught by that block.
- ECMA-proposed 'in' operator; "'foo' in
o" or "4 in o" asks if o has property
foo or element 4.
- Added a new set of defines in
jsconfig.h for js 1.4
features-in-progress. (in, instanceof,
exception handling.) Default build
version is now 1.4. Fixed a few
conditional features that had become
broken.
- Progress towards porting to FreeBSD
and Alpha; casts of NaN and friends to
int are a little more localized. Not
there yet...
- New config files to compile on more
OSes; various fixes to improve
portability.
compiler extension, and we want to be able to turn off compiler
extensions for osf. And longs are long long there anyway.
Propagated from nspr, courtesy wtc.
'in' keyword as an operator in the init clause of for loops; this
disambiguates for/in loop parsing. (Previously, there was some
treenode examination magic going on.) Per recent ECMA submission.
cast until after the double in question has been determined to be
finite, not NaN, etc. This may make the code a little more XP for
platforms like BSD and Alpha Linux that don't like casting strange
values to int. Thanks go to Uncle George <gatgul@voicenet.com> and
hankin <hankin@consultco.com> for their porting work.
+ Changed the way JS wrapper functions for Java instance methods are constructed.
Previously, these were computed the first time that an instance method was
accessed for a particular JavaObject and cached in the native, private portion
of that JavaObject. However, the required call to JS_AddRoot() causes a root
to appear as a link in a cyclical graph, leading to uncollectible objects, i.e.
the JavaObject has a root pointer to the function object and the function has
a parent that points back to the JavaObject. Now, we compute the functions
at the time a class is reflected and use JS_CloneFunctionObject() each time
a JS wrapper function is needed, which is slower, but avoids this GC problem.