matching at empty pattern at end of string. I'm not really confident of
this fix since it removes code that seems to explicitly address the issue,
but it does fix the bug.
The problem was that when "w=With()" is executed, the new object "w" is created
such that it shares a scope with Object.prototype. When GC runs and
Object.prototype and "w" are both collected, the test in js_DropObjectMap
currently looks like

    if (MAP_IS_NATIVE(map) && ((JSScope *)map)->object == obj)
        ((JSScope *)map)->object = NULL;

The problem is that MAP_IS_NATIVE is false because the object ops are special
for the With object. Thus map->object is left nonnull and when "w" is collected,
it tries to drop its scope, which causes map->object to be referenced, causing
the null dereference.
Update MAP_IS_NATIVE to include With objects as well.
for trynotes in the current code generator, and grow that space as needed.
- Avoid dividing by a multiple of 3 (JSTryNote is 3 ptrdiff_t's) via (char *)
arithmetic,
and, more importantly, to save a byte of useless note offset, use SRC_CONTINUE
instead of SRC_PCDELTA to annotate JSOP_ENDINIT when there's an extra comma
at the end of an array literal (e.g. [1,2,,]).
tokenstream in Function, to avoid calling malloc at all.
- But do check for malloc failure under PR_ARENA_ALLOCATE (the old call to
JS_malloc was unchecked).
- Don't double-report a scanner error such as illegal character in
Function("a@b", "return a*b")
- Do report a "malformed formal parameter" error in
Function("a,b,", "return a*b")
- Fiddle comments to more precisely rule out the above bugs.
- Switch improvements:
- JSOP_CONDSWITCH is a 1-byte nop, not variable length with the same kind
of immediate operand as JSOP_LOOKUPSWITCH (which is useless except for
decompilation). New scheme uses SRC_COMMA notes on each JSOP_CASE opcode,
usually 2 bytes per note, and a typically-1-byte 2nd offset on SRC_SWITCH:
    1 + 2 * ncases
vs. the previous JSOP_LOOKUPSWITCH immediate, which consumed:
    4 * ncases
bytes after the switch opcode just for decompilation.
- SRC_SWITCH has two offsets, first to end of switch as before, the second
to first case if JSOP_CONDSWITCH, for decompilation.
- Optimize switches with all-constant cases using JSOP_TABLESWITCH, or if
that can't be used, JSOP_LOOKUPSWITCH, before falling back on ECMAv2's
JSOP_CONDSWITCH.
- Use cx->gcDisabled when evaluating case exprs at compile time for old,
pre-ECMAv2 switches, to prevent branch-callback-based GC invocations
from ripping apart the unrooted temporary script for each case expr.
- Fixed up stale SRC_SWITCH comments in jsemit.h.
jsemit.c jsemit.h
- TREE_CONTEXT_INIT to match ATOM_LIST_INIT, not English word order.
- Reorganized JSCodeGenerator to sort of match argument order to
js_InitCodeGenerator.
- Got rid of confusing CG_RESET* macros and used memset(cg, 0, sizeof *cg)
and non-zero-default init in js_InitCodeGenerator. js_ResetCodeGenerator
just releases the code and temp arena pools and leaves the cg in a state
where it must be re-initialized (as before, but more obvious).
- In the same spirit, don't do partial "resets" of src and trynotes in their
js_FinishTaking*Notes functions -- those are friends of jsscript.c and are
not general, idempotent functions.
jsapi.c jsapi.h jsarray.c jsatom.c jsatom.h jscntxt.c jsemit.c jsmsg.def
jsnum.c jsobj.c jsopcode.c jsregexp.c jsscan.c jsstr.c jsxdrapi.
- Use PR_snprintf rather than sprintf always, so we don't have to worry
about systems with 64-bit longs that overflow 12-byte buffers and open
Morris-Worm-type security holes.
- Trim extra spaces, fix hanging indentation, and similar anal retention.
- Renamed JSMSG_BAD_PROTO_SORT to JSMSG_BAD_SORT_ARG cuz that's what it
is complaining about.
- SRC_CATCHGUARD still lived in comments, but it's SRC_CATCH in code.
jscntxt.c jscntxt.h jsinterp.c
- Packed nearby JSPackedBools and added a new one: gcDisabled, for use by
jsemit.c's pre-ECMAv2 switch case expr eval.
- Rip out old js_InterpreterHooks stuff from original liveconnect (moja).
- Remove javaData and savedErrors from JSContext. Leaving it to fur or
shaver to remove javaData from jsscript.h.
word neologism, not two words.
- Use consistent neighboring terseness ("error" rather than "err" in intercaps
identifiers).
- Don't leave pointers in JSErrorReport to freed memory if bailing on OOM in
jscntxt.c:js_ExpandErrorArguments.
- Hanging indentation, code fusion via continue, and other misc. cleanups.
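The PR_snprintf-instead-of-sprintf item above is the one security-relevant change in this batch. The example below is added here and is not SpiderMonkey or NSPR code: it shows why sprintf("%ld") into a 12-byte buffer is safe on a 32-bit-long platform but a stack overflow on a 64-bit-long one, and the bounded pattern that replaces it. It uses C99 snprintf in place of PR_snprintf (NSPR's portable equivalent), NUMBUF_SIZE is set to 12 to match the buffers the message mentions, and the sample values are constructed for illustration.

```c
/* Added example, not SpiderMonkey/NSPR code: unbounded sprintf of a long
 * into a 12-byte buffer vs. the bounded snprintf replacement. C99 snprintf
 * stands in for PR_snprintf so this builds without NSPR. */
#include <stdio.h>
#include <string.h>
#include <limits.h>
#include <stdbool.h>

/* 12 bytes holds "-2147483648" (11 chars) plus NUL: enough for a 32-bit
 * long, but a 64-bit LONG_MIN needs 20 chars plus NUL.  (Size assumed to
 * match the "12-byte buffers" in the commit message.) */
#define NUMBUF_SIZE 12

/* Number of characters (excluding NUL) that "%ld" produces for v.
 * snprintf with a NULL, zero-size buffer only measures and writes nothing. */
size_t decimal_width(long v) {
    int n = snprintf(NULL, 0, "%ld", v);
    return n < 0 ? 0 : (size_t)n;
}

/* Would the old sprintf(buf, "%ld", v) write past a NUMBUF_SIZE buffer? */
bool sprintf_would_overflow(long v) {
    return decimal_width(v) + 1 > NUMBUF_SIZE;
}

/* Bounded replacement: never writes past buf[NUMBUF_SIZE - 1] and reports
 * truncation instead of silently corrupting the stack.  snprintf returns
 * the length the full string would have had, so n >= NUMBUF_SIZE means the
 * output was cut short.  Returns true only if v fit completely. */
bool format_long_bounded(long v, char buf[NUMBUF_SIZE]) {
    int n = snprintf(buf, NUMBUF_SIZE, "%ld", v);
    if (n < 0) {
        buf[0] = '\0';
        return false;
    }
    return (size_t)n < NUMBUF_SIZE;
}

/* Verdict-only wrapper: does v fit in a NUMBUF_SIZE buffer? */
bool long_fits_numbuf(long v) {
    char buf[NUMBUF_SIZE];
    return format_long_bounded(v, buf);
}

/* Length of the string the bounded formatter actually leaves in the buffer;
 * always <= NUMBUF_SIZE - 1 even when the value was truncated. */
size_t bounded_length(long v) {
    char buf[NUMBUF_SIZE];
    (void)format_long_bounded(v, buf);
    return strlen(buf);
}

int main(void) {
    /* Constructed sample values: 32-bit extremes and this platform's extremes. */
    long samples[] = { 0L, -1L, 2147483647L, -2147483647L - 1, LONG_MAX, LONG_MIN };
    char buf[NUMBUF_SIZE];
    printf("sizeof(long) = %zu\n", sizeof(long));
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        bool ok = format_long_bounded(samples[i], buf);
        printf("%-22ld width=%2zu sprintf-overflow=%-3s bounded=%-9s \"%s\"\n",
               samples[i], decimal_width(samples[i]),
               sprintf_would_overflow(samples[i]) ? "yes" : "no",
               ok ? "ok" : "TRUNCATED", buf);
    }
    return 0;
}
```

On an LP64 system LONG_MIN reports sprintf-overflow=yes and bounded=TRUNCATED with an 11-character string left in the buffer; on a platform with 32-bit longs every sample fits, which is exactly the platform-dependence the commit message is guarding against.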
Fixed bug #317398, for loop without condition wasn't decompiling the body
correctly since the first statement in that body was getting eaten by
mistake when trying to consume the condition expression.
call, and experimented with copying the original JSErrorReport into
private data. Much of this to support a toString method for exception
objects.
It's not polished, but I wanted to get toString available quickly.
the compile-error reporting mechanism, providing a way to associate exceptions
(very likely SyntaxError exceptions) with compile-time errors. (Hopefully this
is temporary, as I'd prefer one central place in the error-reporting process
to put the js_ErrorToException call.)
Also changed the error reporter in js.c to only ignore error reports marked
with the JSREPORT_EXCEPTION advisory flag when the error occurs during
JavaScript execution. If it's at the top-level compilation level, then the
error is still reported (and the exception discarded.)
The API is feeling slightly dirtier, but it still seems like the best
compromise...