Closed
Bug 827659
Opened 11 years ago
Closed 11 years ago
IonMonkey: Differential Testing: Getting different output w/without --ion-eager with byteOffset
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
mozilla21
| Tracking | Status | |
|---|---|---|
| firefox18 | --- | affected |
| firefox19 | - | affected |
| firefox20 | - | affected |
| firefox-esr10 | --- | unaffected |
| firefox-esr17 | --- | unaffected |
| b2g18 | - | affected |
| b2g18-v1.0.1 | --- | affected |
People
(Reporter: gkw, Assigned: jandem)
References
Details
(Keywords: regression, testcase)
Attachments
(1 file, 1 obsolete file)
|
2.65 KB,
patch
|
bhackett1024
:
review+
|
Details | Diff | Splinter Review |
var y;
function f() {
y.byteOffset;
}
for (let j = 0; j < 1; ++j) {
y = new Float32Array();
}
try {
f();
y = 0;
f();
f();
} catch (e) {
print(e);
}
shows no output on js opt shell on m-c changeset 795632f0e4fe without any CLI arguments but shows the following output with --ion-eager:
TypeError: anonymous method called on incompatible number
|
Reporter | |
Comment 1•11 years ago
|
||
Nicolas says in-person that this is likely a security-sensitive bug because it is a type inference issue, assuming sec-critical worse-case first.
Group: core-security
Keywords: sec-critical
|
|
Reporter | |
Comment 2•11 years ago
|
||
Due to skipped revisions, the first bad revision could be any of: changeset: 106484:0a0ecbc48d9a parent: 106483:aa575ceb5fee parent: 97848:1a5d6b1adf31 user: David Anderson date: Thu Jun 28 15:17:18 2012 -0700 summary: Merge from mozilla-central. changeset: 106485:0cb6898fc026 user: David Anderson date: Thu Jun 28 15:19:36 2012 -0700 summary: Fix build.
status-b2g18:
--- → affected
status-firefox-esr10:
--- → unaffected
status-firefox18:
--- → affected
status-firefox19:
--- → affected
status-firefox20:
--- → affected
status-firefox-esr17:
--- → unaffected
tracking-b2g18:
--- → ?
tracking-firefox19:
--- → ?
tracking-firefox20:
--- → ?
|
Assignee | |
Comment 3•11 years ago
|
||
This is bug 798670 again. I don't think it's sec-critical as long as the getters/setters handle this correctly.
|
|
Assignee | |
Comment 4•11 years ago
|
||
Don't optimize getter/setter calls if |this| is not definitely an object. The alternative is to add an MGuardObject, but this is simpler and should be fine, I think.
Assignee: general → jdemooij
Status: NEW → ASSIGNED
Attachment #699056 -
Flags: review?(bhackett1024)
|
|
Assignee | |
Comment 5•11 years ago
|
||
Thinking abot this more, guarding is probably better. Typesets in typical DOM loops often include null/undefined.
Attachment #699056 -
Attachment is obsolete: true
Attachment #699056 -
Flags: review?(bhackett1024)
Attachment #699070 -
Flags: review?(bhackett1024)
|
||
Updated•11 years ago
|
Attachment #699070 -
Flags: review?(bhackett1024) → review+
|
|
Assignee | |
Comment 8•11 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/86e85b93cad1
|
|
Assignee | |
Updated•11 years ago
|
Keywords: sec-critical
|
||
Comment 9•11 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/86e85b93cad1
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla21
|
|
Reporter | |
Comment 10•11 years ago
|
||
Testcases have been landed by virtue of being marked in-testsuite+ -> VERIFIED as well.
Status: RESOLVED → VERIFIED
|
||
Comment 11•11 years ago
|
||
Not s-s, so it's not clear what the user impact is. Please re-nominate if there is significant user impact.
|
||
Comment 14•11 years ago
|
||
Batch edit: Bugs marked status-b2g18: affected after 2/13 branching of v1.0.1 are now also status-b2g18-v1.0.1: affected
status-b2g18-v1.0.1:
--- → affected
You need to log in
before you can comment on or make changes to this bug.
Description
•