Closed Bug 520539 Opened 15 years ago Closed 15 years ago

The interfacelist from TraitsBindings must contain (at least) ‘self’ so interfaceCapacity must be >= 1.

Categories

(Tamarin Graveyard :: Virtual Machine, defect)

defect
Not set
major

Tracking

(Not tracked)

VERIFIED FIXED

People

(Reporter: achicu, Assigned: stejohns)

Details

Attachments

(1 file)

User-Agent:       Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
Build Identifier: 

The following callstack creates a new TraitsBindings with interfaceCapacity == 0. Some methods like TraitsBindings::containsInterface or TraitsBindings::addOneInterface use the following bitMask "const uint32_t bitMask = this->interfaceCapacity - 1", so Tamarin crashes trying to get a cell using quadratic probe.

avmplus::TraitsBindings::TraitsBindings(avmplus::Traits * _owner=0x086e5098, const avmplus::TraitsBindings * _base=0x00000000, avmplus::MultinameHashtable * _bindings=0x0869ef48, unsigned int _slotCount=1, unsigned int _methodCount=0, unsigned int _interfaceCapacity=0)  Line 177    C++
 avmplus::TraitsBindings::alloc(MMgc::GC * gc=0x00196230, avmplus::Traits * _owner=0x086e5098, const avmplus::TraitsBindings * _base=0x00000000, avmplus::MultinameHashtable * _bindings=0x0869ef48, unsigned int slotCount=1, unsigned int methodCount=0, unsigned int interfaceCapacity=0)  Line 277 + 0x3b bytes    C++
>   avmplus::Traits::_buildTraitsBindings(const avmplus::Toplevel * toplevel=0x02808db0, avmplus::AbcGen * abcGen=0x0083db18)  Line 1395 + 0x19 bytes    C++
avmplus::Traits::resolveSignatures(const avmplus::Toplevel * toplevel=0x02808db0)  Line 1611 + 0x10 bytes    C++
avmplus::Traits::newCatchTraits(const avmplus::Toplevel * toplevel=0x02808db0, avmplus::PoolObject * pool=0x03eff860, const unsigned char * traitsPos=0x620755fd, avmplus::String * name=0x027c8b88, avmplus::Namespace * ns=0x027c9048)  Line 774    C++
Reproducible: Always
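The failure mode described in the report, as an added C++ model that is not Tamarin's code: a minimal interface table whose quadratic probe masks with interfaceCapacity - 1, so a capacity of 0 turns the mask into 0xFFFFFFFF and the first probe lands outside the cell array. A bounds check stands in for the wild read, and safeInterfaceCapacity shows the >= 1 guard the bug summary calls for. Struct layout, hash function and probe sequence are assumptions.

```cpp
#include <cstdint>
#include <stdexcept>
#include <vector>
// Constructed model of an open-addressed interface table with quadratic probing, following
// the report's description (bitMask = interfaceCapacity - 1). Not Tamarin's code: assumptions only.
struct InterfaceTable {
    std::vector<const void*> cells;  // nullptr marks an empty cell
    uint32_t interfaceCapacity;      // intended to be a power of two and >= 1
    explicit InterfaceTable(uint32_t cap) : cells(cap, nullptr), interfaceCapacity(cap) {}
    // Cell visited on probe n. With capacity 0 the mask wraps to 0xFFFFFFFF, so the
    // index is no longer confined to the array.
    uint32_t probeIndex(uint32_t h, uint32_t n) const {
        const uint32_t bitMask = interfaceCapacity - 1;
        return (h + n * (n + 1) / 2) & bitMask;
    }
    // Walk the probe sequence to the cell holding key or the first empty cell;
    // a bounds check stands in for the wild read the report describes.
    uint32_t slotFor(const void* key) const {
        uint32_t h = static_cast<uint32_t>(reinterpret_cast<std::uintptr_t>(key) >> 3);
        for (uint32_t n = 0; n <= interfaceCapacity; ++n) {
            uint32_t i = probeIndex(h, n);
            if (i >= interfaceCapacity) throw std::out_of_range("probe left the cell array");
            if (cells[i] == nullptr || cells[i] == key) return i;
        }
        throw std::length_error("interface table full");
    }
    bool containsInterface(const void* key) const { return cells[slotFor(key)] == key; }
    void addOneInterface(const void* key) { cells[slotFor(key)] = key; }
};
// Guard matching the bug's resolution: the list always holds 'self', so the capacity
// is clamped to at least 1 (rounded up to a power of two so the mask stays valid).
uint32_t safeInterfaceCapacity(uint32_t requested) {
    uint32_t pow2 = 1;
    while (pow2 < requested) pow2 <<= 1;
    return pow2;
}
// True when a lookup on a table of this capacity would read outside its array.
bool lookupIsOutOfBounds(uint32_t capacity) {
    static int selfTraits;  // stand-in for the owning Traits ('self')
    try { InterfaceTable(capacity).containsInterface(&selfTraits); }
    catch (const std::out_of_range&) { return true; }
    return false;
}
// Allocate with the guarded capacity, record 'self', and check that the lookup finds it.
bool selfIsFoundAfterGuard(uint32_t requested) {
    static int selfTraits;
    InterfaceTable t(safeInterfaceCapacity(requested));
    t.addOneInterface(&selfTraits);
    return t.containsInterface(&selfTraits);
}
```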
OS: Mac OS X → All
Hardware: x86 → All
Assignee: nobody → stejohns
Alexandru, can you provide a testcase that demonstrates this? I've never seen it happen.
I do not have an AS3 testcase because the bug reproduces in script profiling, but I think I can explain how to reproduce it in AS3. Basically the external script is calling some AS3 that throws and catches an exception. The AS3 catch block will create a "catch" object. When the "catch" object is seen by the sampler it will try to check its class object in SamplerScript::getType and crash when it calls AvmCore::istype.

I think the following should reproduce the issue:

var global_e2:Error;

try {
	throw new Error();
} catch (e:Error) {
	global_e2 = e; // save a reference to the error, so that the sampler will get a live reference when it is triggered
}
Attached patch Patch
Nice catch. The Sampler is apparently the only code that can call containsInterface() on catch traits.
Attachment #404705 - Flags: review?(edwsmith)
Attachment #404705 - Flags: review?(edwsmith) → review+
pushed as changeset:   2690:9b0f178dc7e6
Status: UNCONFIRMED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Resolved fixed engineering / work item that has been pushed. Setting status to verified.
Status: RESOLVED → VERIFIED