The problem was that when "w=With()" is executed, the new object "w" is created
such that it shares a scope with Object.prototype. When GC runs and
Object.prototype and "w" are both collected, the test in js_DropObjectMap
currently looks like
    if (MAP_IS_NATIVE(map) && ((JSScope *)map)->object == obj)
        ((JSScope *)map)->object = NULL;
The problem is that MAP_IS_NATIVE is false because the object ops are special
for the With object. Thus map->object is left nonnull and when "w" is collected,
it tries to drop its scope, which causes map->object to be referenced, causing
the null dereference.
Update MAP_IS_NATIVE to include With objects as well.
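The dangling back-pointer described above, as an added example that is not code from the SpiderMonkey tree: a constructed model in which two objects share one scope, the scope keeps a back-pointer to the object that created it, and a release routine is supposed to clear that back-pointer before the object is finalized. The field names (object, nrefs, ops, collected) and the OPS_* values are assumptions of this model, not the engine's layout. The old guard only clears the back-pointer when the scope's ops are the plain native ops, so a scope whose ops are the With object's leaves the pointer dangling after the first owner is collected; the patched guard treats With scopes as native too.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed model (not the engine's structures). */
enum { OPS_NATIVE, OPS_WITH, OPS_OTHER };

typedef struct Object Object;
typedef struct Scope {
    Object *object;   /* back-pointer to the object that created the scope */
    int nrefs;        /* number of objects currently sharing this scope */
    int ops;          /* which object ops the scope's owner uses */
} Scope;

struct Object {
    Scope *map;       /* shared scope */
    int collected;    /* set once the GC has finalized this object */
};

/* Old guard: only scopes with plain native ops count as native. */
int map_is_native_old(const Scope *map) {
    return map->ops == OPS_NATIVE;
}

/* Patched guard: With objects have special ops but still own a native scope. */
int map_is_native_new(const Scope *map) {
    return map->ops == OPS_NATIVE || map->ops == OPS_WITH;
}

/* Release obj's share of its scope. The back-pointer must be cleared on every
 * path where obj is about to go away, otherwise a later user of the scope reads
 * a pointer to finalized memory. */
void drop_object_map(Object *obj, int (*map_is_native)(const Scope *)) {
    Scope *map = obj->map;
    if (map_is_native(map) && map->object == obj)
        map->object = NULL;
    obj->map = NULL;
    obj->collected = 1;
    map->nrefs--;
}

/* 1 if the scope still points at an object the GC has already finalized. */
int has_dangling_backpointer(const Scope *map) {
    return map->object != NULL && map->object->collected;
}

/* Scenario: proto created the scope, w (a With object) shares it, the scope's
 * ops are With's, and proto is collected first. Returns 1 when the back-pointer
 * is left dangling, i.e. the bug reproduces. */
int run_scenario(int (*map_is_native)(const Scope *)) {
    Scope scope = { NULL, 2, OPS_WITH };
    Object proto = { &scope, 0 };
    Object w = { &scope, 0 };
    scope.object = &proto;
    drop_object_map(&proto, map_is_native);
    (void)w;  /* w is still alive and will touch scope.object when it is collected */
    return has_dangling_backpointer(&scope);
}

int main(void) {
    printf("old guard leaves dangling back-pointer: %d\n", run_scenario(map_is_native_old));
    printf("new guard leaves dangling back-pointer: %d\n", run_scenario(map_is_native_new));
    return 0;
}
```

The lesson generalizes beyond this engine: whenever a shared structure keeps a raw back-pointer to one of its owners, the clearing step must run for every owner kind that can be collected, not only the common one.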
for trynotes in the current code generator, and grow that space as needed.
- Avoid dividing by a multiple of 3 (JSTryNote is 3 ptrdiff_t's) via (char *)
arithmetic.
and more important, to save a byte of useless note offset, use SRC_CONTINUE
instead of SRC_PCDELTA to annotate JSOP_ENDINIT when there's an extra comma
at the end of an array literal (e.g. [1,2,,]).
tokenstream in Function, to avoid calling malloc at all.
- But do check for malloc failure under PR_ARENA_ALLOCATE (the old call to
JS_malloc was unchecked).
- Don't double-report a scanner error such as illegal character in
Function("a@b", "return a*b")
- Do report a "malformed formal parameter" error in
Function("a,b,", "return a*b")
- Fiddle comments to more precisely rule out the above bugs.
- Switch improvements:
- JSOP_CONDSWITCH is a 1 byte nop, not variable length with the same kind
of immediate operand as JSOP_LOOKUPSWITCH (which is useless except for
decompilation). New scheme uses SRC_COMMA notes on each JSOP_CASE opcode,
usually 2 bytes per note, and a typically-1-byte 2nd offset on SRC_SWITCH:
1 + 2 * ncases
vs. the previous JSOP_LOOKUPSWITCH immediate, which consumed:
4 * ncases
bytes after the switch opcode just for decompilation.
- SRC_SWITCH has two offsets, first to end of switch as before, the second
to first case if JSOP_CONDSWITCH, for decompilation.
- Optimize switches with all-constant cases using JSOP_TABLESWITCH, or if
that can't be used, JSOP_LOOKUPSWITCH, before falling back on ECMAv2's
JSOP_CONDSWITCH.
- Use cx->gcDisabled when evaluating case exprs at compile time for old,
pre-ECMAv2 switches, to prevent branch-callback-based GC invocations
from ripping apart the unrooted temporary script for each case expr.
- Fixed up stale SRC_SWITCH comments in jsemit.h.
jsemit.c jsemit.h
- TREE_CONTEXT_INIT to match ATOM_LIST_INIT, not English word order.
- Reorganized JSCodeGenerator to sort of match argument order to
js_InitCodeGenerator.
- Got rid of confusing CG_RESET* macros and used memset(cg, 0, sizeof *cg)
and non-zero-default init in js_InitCodeGenerator. js_ResetCodeGenerator
just releases the code and temp arena pools and leaves the cg in a state
where it must be re-initialized (as before, but more obvious).
- In the same spirit, don't do partial "resets" of src and trynotes in their
js_FinishTaking*Notes functions -- those are friends of jsscript.c and are
not general, idempotent functions.
jsapi.c jsapi.h jsarray.c jsatom.c jsatom.h jscntxt.c jsemit.c jsmsg.def
jsnum.c jsobj.c jsopcode.c jsregexp.c jsscan.c jsstr.c jsxdrapi.
- Use PR_snprintf rather than sprintf always, so we don't have to worry
about systems with 64-bit longs that overflow 12-byte buffers and open
Morris-Worm-type security holes.
- Trim extra spaces, fix hanging indentation, and similar anal retention.
- Renamed JSMSG_BAD_PROTO_SORT to JSMSG_BAD_SORT_ARG cuz that's what it
is complaining about.
- SRC_CATCHGUARD still lived in comments, but it's SRC_CATCH in code.
jscntxt.c jscntxt.h jsinterp.c
- Packed nearby JSPackedBools and added a new one: gcDisabled, for use by
jsemit.c's pre-ECMAv2 switch case expr eval.
- Rip out old js_InterpreterHooks stuff from original liveconnect (moja).
- Remove javaData and savedErrors from JSContext. Leaving it to fur or
shaver to remove javaData from jsscript.h.
word neologism, not two words.
- Use consistent neighboring terseness ("error" rather than "err" in intercaps
identifiers).
- Don't leave pointers in JSErrorReport to freed memory if bailing on OOM in
jscntxt.c:js_ExpandErrorArguments.
- Hanging indentation, code fusion via continue, and other misc. cleanups.
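The PR_snprintf point above (a 12-byte buffer is enough for a 32-bit long, since "-2147483648" plus the NUL is 12 bytes, but a 64-bit long needs up to 21), as an added example that is not code from the project: plain snprintf stands in for PR_snprintf, the buffer sizes and helper names are assumptions of this example, and the length of the overrun is computed rather than performed, so the example never writes past a buffer.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Buffer size that was safe when long was 32-bit: "-2147483648" + NUL. */
#define OLD_BUF_SIZE 12
/* Large enough for any 64-bit long: "-9223372036854775808" + NUL. */
#define SAFE_BUF_SIZE 21

/* Format v into buf of size n with snprintf. Returns 1 if the whole value fit,
 * 0 if it was truncated; in both cases buf is NUL-terminated and nothing is
 * written past buf[n-1]. */
int format_long(char *buf, size_t n, long v) {
    int needed = snprintf(buf, n, "%ld", v);
    return needed >= 0 && (size_t)needed < n;
}

/* Number of bytes sprintf("%ld") would have written past the end of a buffer
 * of size n (counting the NUL), or 0 if the value fits. Computed with a
 * zero-size snprintf, so no buffer is actually overrun. */
size_t sprintf_overrun(size_t n, long v) {
    int needed = snprintf(NULL, 0, "%ld", v);
    size_t total = (size_t)needed + 1;
    return total > n ? total - n : 0;
}

int main(void) {
    char buf[SAFE_BUF_SIZE];
    printf("sizeof(long) = %zu\n", sizeof(long));
    printf("LONG_MIN overruns a %d-byte buffer by %zu bytes\n",
           OLD_BUF_SIZE, sprintf_overrun(OLD_BUF_SIZE, LONG_MIN));
    printf("fits in %d bytes: %d (%s)\n", SAFE_BUF_SIZE,
           format_long(buf, sizeof buf, LONG_MIN), buf);
    return 0;
}
```

Always check the snprintf return value as format_long does: a silently truncated value is a correctness bug even when it is no longer a memory-safety bug.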
Fixed bug #317398, for loop without condition wasn't decompiling the body
correctly since the first statement in that body was getting eaten by
mistake when trying to consume the condition expression.
call, and experimented with copying the original JSErrorReport into
private data. Much of this to support a toString method for exception
objects.
It's not polished, but I wanted to get toString available quickly.
the compile-error reporting mechanism,
providing a way to associate exceptions
(very likely SyntaxError exceptions)
with compile-time errors.
(Hopefully this is temporary, as I'd
prefer one central place in the
error-reporting process to put the
js_ErrorToException call.)
Also changed the error reporter in js.c
to only ignore error reports marked with
the JSREPORT_EXCEPTION advisory flag when
the error occurs during javascript execution.
If it's at the toplevel compilation
level, then the error is still reported
(and the exception discarded.)
The api is feeling slightly dirtier, but
it still seems like the best
compromise...
enum JSErrNum, and changed a uintN
errorNumber declaration to JSErrNum.
It'd be nice to change the uintN
errorNumber field in JSErrorReport to
JSErrNum, but it's not clear that
JSErrNum is or should be exposed in the
API. Any C esthetes want to offer their
opinions?
It made my debugger slightly happier.
Including:
Preliminary work on internationalizing error messages
Preliminary work on exposing runtime errors as catchable exceptions
ECMA-proposed throw and try/catch/finally, with multiple catch clauses
and catchguards
ECMA-proposed in/instanceof operators
IEEE-conformant number to string conversion
Fixes and other good stuff.
the compiler to puhleeze let us use denormalized floating point
values, as required by the ECMA spec. Thanks to various contributors,
including Torsten Rüger <torsten@ponton-hamburg.de>, for working on
numeric issues. Fix courtesy wtc.
and development branches, including but
not limited to:
- Preliminary exception handling per
ECMA proposal; try, multiple
catchblocks, and finally. Catchblocks
are of the form catch (v) or
catch(v:<guard>), where guard is an
optional boolean expression that is
evaluated to determine whether the
exception is to be caught by that block.
- ECMA-proposed 'in' operator; "'foo' in
o" or "4 in o" asks if o has property
foo or element 4.
- Added a new set of defines in
jsconfig.h for js 1.4
features-in-progress. (in, instanceof,
exception handling.) Default build
version is now 1.4. Fixed a few
conditional features that had become
broken.
- Progress towards porting to FreeBSD
and Alpha; casts of NaN and friends to
int are a little more localized. Not
there yet...
- New config files to compile on more
OSes; various fixes to improve
portability.
development branch:
- Preliminary exception handling per
ECMA proposal; try, multiple
catchblocks, and finally. Catchblocks
are of the form catch (v) or
catch(v:<guard>), where guard is an
optional boolean expression that is
evaluated to determine whether the
exception is to be caught by that block.
- ECMA-proposed 'in' operator; "'foo' in
o" or "4 in o" asks if o has property
foo or element 4.
- Added a new set of defines in
jsconfig.h for js 1.4
features-in-progress. (in, instanceof,
exception handling.) Default build
version is now 1.4. Fixed a few
conditional features that had become
broken.
- Progress towards porting to FreeBSD
and Alpha; casts of NaN and friends to
int are a little more localized. Not
there yet...
- New config files to compile on more
OSes; various fixes to improve
portability.
compiler extension, and we want to be able to turn off compiler
extensions for osf. And longs are long long there anyway.
Propagated from nspr, courtesy wtc.
'in' keyword as an operator in the init clause of for loops; this
disambiguates for/in loop parsing. (Previously, there was some
treenode examination magic going on.) Per recent ECMA submission.
cast until after the double in question has been determined to be
finite, not NaN, etc. This may make the code a little more XP for
platforms like BSD and Alpha Linux that don't like casting strange
values to int. Thanks go to Uncle George <gatgul@voicenet.com> and
hankin <hankin@consultco.com> for their porting work.
+ Changed the way JS wrapper functions for Java instance methods are constructed.
Previously, these were computed the first time that an instance method was
accessed for a particular JavaObject and cached in the native, private portion
of that JavaObject. However, the required call to JS_AddRoot() causes a root
to appear as a link in a cyclical graph, leading to uncollectible objects, i.e.
the JavaObject has a root pointer to the function object and the function has
a parent that points back to the JavaObject. Now, we compute the functions
at the time a class is reflected and use JS_CloneFunctionObject() each time
a JS wrapper function is needed, which is slower, but avoids this GC problem.
return the same Java object, both for efficiency and so that the '=='
operator works as expected in Java when comparing two JSObjects.
However, it is not possible to hold a reference to a Java object without
inhibiting GC of that object, at least not in a way that is portable
to all vendors' JVMs, i.e. a weak reference. So, for now, JSObject identity
is broken.
- Revise exception handling runtime info (now called trynotes a la srcnotes)
for more efficient loop control under JSOP_THROW. Avoid all uses of catch
and throw while at it, to make C++ lusers happy.
- Combine JSStackFrame.exception with rval, and rename
JSStackFrame.exceptPending to be ...throwing.
- Optimize JS_TypeOfValue a bit.
- Name, control flow, whitespace, etc. cleanup.
all element access expressions to strings, e.g. so that obj["3"] and
obj[3] refer to the same property for a JavaArray object.
= Return false when using 'delete' operator on JavaArray objects.
means that we had to switch from using NSPR hash tables to a private version.
The new jsj_hash.c file is derived from plhash.c, but it provides for an additional
argument to be passed to the hash key comparison function. This capability
is used to pass in the JNIEnv pointer.
On shutdown, LiveConnect now removes all references to Java objects and classes,
so that the JVM might be able to GC them.
command' hack - the resolver defined by js.c would get called to look
up 'assign' - and on Irix systems, it would find the 'assign' command
in the current path, and decide to define a function called 'assign'
in the global object that would run the assign command. Then when an
attempt was made to assign a property to the global object, the assign
command would get run, and unexpected behavior followed.
hint of JSTYPE_NUMBER. This is a case that nobody cares about, but it's
used in a LiveConnect test case.
Added more registered Java packages for reduced server-roundtrips. Also,
loosened restrictions on accessing unregistered packages under "java" and
some of the other packages, in case Sun or somebody adds a "java.fooBar"
package.
all enumerated property names as strings, as was the case in JS1.1, instead
of the modern (>=JS1.2) behavior of allowing either string or integer property
names.
These project files were just checked in temporarily and are replaced by the
LiveConnectShell project files located in the js/ref/liveconnect subdirectory.
This new vendor-neutral version of LiveConnect is designed to replace the older
one in the js/jsj directory, which only works with the Netscape JVM. It is part
of the OJI initiative.
There was a check in our mini-nspr against asking the OS time services
what the DST offset was for time 0... but the check didn't do what the
comment said it did. So we got the wrong DST offset for... (drum roll
please) the two seconds on either side of the eve of 1970 GMT.
I have a similar fix ready for prmjtime.c, but I'll wait until the
stability freeze settles down.
Fix 123724 hippo: problems declaring var in an eval statement
This ended up being more complex than I initially thought it would be.
See comments in jsparse.c.
This comment is for checkin of version 1.8: mistakenly gave wrong comment
for that version.
Fix 123724 hippo: problems declaring var in an eval statement
The problem was that Variable() in jsparse.c used the scope from calling
js_FindVariableScope to determine whether or not to convert the operator
to GETVAR, but LookupArgOrVar did not. This caused a mismatched set and
get in the code generated from the eval script due to the presence of the
var in the function frame.
on activation (120172, mlm).
- Use #ifdef CHECK_RETURN_EXPR to hide CheckFinalReturn as well as its calls.
- 80th column tyranny, typedef symmetry, other cosmetics.