Closed
Bug 301596
Opened 20 years ago
Closed 20 years ago
js_FilterXMLList leaves fp->spbase NULL due to reuse of frame in nested js_Interpret
Categories
(Core :: JavaScript Engine, defect)
Core
JavaScript Engine
Tracking
()
VERIFIED
FIXED
People
(Reporter: shaver, Assigned: shaver)
Details
Attachments
(1 file)
|
1.09 KB,
patch
|
shaver
:
review+
shaver
:
approval1.8b4+
|
Details | Diff | Splinter Review |
js_FilterXMLList nests a call to js_Interpret on the current frame.
js_Interpret resets fp->spbase to NULL when it exits, so if you throw after a
filter has run, you will crash trying to work with the stack after we reset it
from spbase.
Testcase:
try {
<xml/>.(@a == 1);
throw 5;
} catch (e) { }
One possible fix is to save off spbase in js_FilterXMLList and restore it in the
out:-labelled basic block. Another would be to make js_Interpret do the saving
and restoring, rather then just NULLing out the frame's spbase. I think I
prefer the latter as a more systematic fix, but, somewhat oddly, I have a patch
to do the former in my local tree.
Brendan: what's your preference?
|
||
Comment 1•20 years ago
|
||
Easily fixed. The fp->spbase setting and clearning in js_Interpret is
necessary to coordinate with the GC when scanning operand stack space owned by
stack frames on each context. Only js_FilterXMLList reuses the top frame to
interpret a part of a script, so only it needs to save and restore fp->spbase.
/be
|
|
||
Updated•20 years ago
|
Attachment #190044 -
Flags: review?(shaver)
|
Assignee | |
Comment 2•20 years ago
|
||
Comment on attachment 190044 [details] [diff] [review]
fix
I put together pretty much the same patch. r+a=shaver.
Attachment #190044 -
Flags: review?(shaver)
Attachment #190044 -
Flags: review+
Attachment #190044 -
Flags: approval1.8b4+
|
|
||
Comment 3•20 years ago
|
||
Fixed, thanks!
/be
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
|
|
||
Comment 4•20 years ago
|
||
Shaver pasted a less-reduced testcase in IRC earlier today, and I wanted to show
my modified version of it:
try {
var x = <foo><bar a="1"/><bar a="1"/></foo>;
print(x.bar.(@a == "1").toXMLString());
} catch (e) {
print("fooey: " + e);
}
The changes were to filter x.bar, not x, and to print toXMLString(), not lenth
(sic) or even length. Latter change is just for clearer output. Former is a
necessary change to filter at the right level. Filtering x.* or even x..* would
work too.
/be
|
||
Updated•20 years ago
|
Flags: testcase?
|
|
||
Comment 6•20 years ago
|
||
I just found a fix to this bug's patch, to set spbase early (before the first
goto out) and juggle cosmetics accordingly. Ugh! At least I found it before
1.8b4. I checked it into branch and trunk.
/be
|
|
||
Comment 7•20 years ago
|
||
/cvsroot/mozilla/js/tests/e4x/Regress/regress-301596.js,v <-- regress-301596.js
initial revision: 1.1
Flags: testcase? → testcase+
You need to log in
before you can comment on or make changes to this bug.
Description
•