Bug 798823
Opened 12 years ago
Closed 12 years ago
Crash [@ js::ion::IonJSFrameLayout::calleeToken] or [@ js::ion::SnapshotIterator::SnapshotIterator]
Categories: Core :: JavaScript Engine, defect
Status: VERIFIED FIXED
Target Milestone: mozilla18
Tracking:
Release | Tracking | Status |
---|---|---|
firefox15 | --- | unaffected |
firefox16 | --- | unaffected |
firefox17 | --- | unaffected |
firefox18 | + | fixed |
firefox-esr10 | --- | unaffected |
firefox-esr17 | --- | unaffected |
People: Reporter: gkw, Assigned: jandem
Details: 4 keywords, Whiteboard: [adv-main18-]
Attachments: 2 files
Description • 12 years ago (Reporter)

    function g() {
        switch (0) {
            default:
                w = newGlobal('');
        }
        return function(f, code) {
            try {
                evalcx(code, w)
            } catch (e) {}
        }
    }
    function f(code) {
        h(Function(code), code);
    }
    h = g()
    f("\
    x = [];\
    y = new Set;\
    z = [];\
    Object.defineProperty(x, 5, {\
        get: (function(j) {}),\
    });\
    Object.defineProperty(z, 3, {});\
    z[9] = 1;\
    x.shift();\
    ");
    f("\
    z.every(function() {\
        x.filter(function(j) {\
            if (j) {} else {\
                y.add()\
            }\
        });\
        return 2\
    })\
    ");

crashes js debug and opt shell on IonMonkey changeset 9f677c2bb33d with --ion-eager at js::ion::IonJSFrameLayout::calleeToken with js::ion::SnapshotIterator::SnapshotIterator on the stack.

s-s and assuming sec-critical because memory address 0x8fff4bb7db28 is being accessed.

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   109524:20fe6e539f7f
user:        Jan de Mooij
date:        Sat Oct 06 11:38:18 2012 +0200
summary:     Bug 797131 part 3 - Add fast path for calling into Ion. r=dvander
Comment 1 • 12 years ago (Reporter)
I verify that this is not fixed by the patch in bug 798819.
Comment 2 • 12 years ago (Assignee)
Storing the IonActivation in FastInvokeGuard is dangerous because it may leave rt->ionTop in an invalid state. Since it doesn't actually help performance, this patch just moves the IonActivation to FastInvoke, much nicer and safer and what I should have done in the first place. This patch also enables bug 797131 part 3 again. gkw or decoder, could one of you apply this patch to m-c/m-i tip and see if new crashes/asserts come up? We'd like to enable it before the merge tomorrow, but only if it's stable. Thanks!
Assignee: general → jdemooij
Status: NEW → ASSIGNED
Attachment #668893 - Flags: review?(dvander)
Attachment #668893 - Flags: feedback?(gary)
Attachment #668893 - Flags: feedback?(choller)
Updated • 12 years ago
Attachment #668893 - Flags: review?(dvander) → review+
Comment 3 • 12 years ago (Reporter)
Comment on attachment 668893 [details] [diff] [review] Patch

Approving based on nothing showing up after 10 minutes of fuzzing, will help to land this on mozilla-inbound.
Attachment #668893 - Flags: feedback?(gary) → feedback+
Comment 4 • 12 years ago (Reporter)
https://hg.mozilla.org/integration/mozilla-inbound/rev/d407f51ca61e
Comment 5 • 12 years ago (Assignee)
Comment on attachment 668893 [details] [diff] [review] Patch

Thanks a lot Gary!
Attachment #668893 - Flags: feedback?(choller)
Comment 6 • 12 years ago
https://hg.mozilla.org/mozilla-central/rev/d407f51ca61e
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla18
Updated • 12 years ago
Status: RESOLVED → VERIFIED
Crash Signature: [@ js::ion::IonJSFrameLayout::calleeToken] [@ js::ion::SnapshotIterator::SnapshotIterator] → [@ js::ion::IonJSFrameLayout::calleeToken] [@ js::ion::SnapshotIterator::SnapshotIterator]
Comment 7 • 12 years ago
JSBugMon: This bug has been automatically verified fixed.
Updated • 12 years ago
Crash Signature: [@ js::ion::IonJSFrameLayout::calleeToken] [@ js::ion::SnapshotIterator::SnapshotIterator] → [@ js::ion::IonJSFrameLayout::calleeToken] [@ js::ion::SnapshotIterator::SnapshotIterator]
Updated • 12 years ago
status-firefox-esr17: --- → unaffected
Whiteboard: [adv-main18-]
Updated • 11 years ago
Group: core-security