Roll up and backport fuzz bugs caused by bug 1032869

RESOLVED FIXED in Firefox 36

Status

Core
JavaScript Engine
RESOLVED FIXED
4 years ago
4 years ago

People

(Reporter: shu, Assigned: shu)

Tracking

unspecified
mozilla36
Points:
---
Dependency tree / graph
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(firefox35 unaffected, firefox36 fixed, firefox37 unaffected)

Details

Attachments

(1 attachment, 1 obsolete attachment)

(Assignee)

Description

4 years ago
Landing bug 1032869 caused a lot of fuzz bugs. I'm going to backport them all at once by rolling them into one patch.

The bugs affected are:
  - bug 1113710
  - bug 1111477
  - bug 1109964
  - bug 1111300
  - bug 1107937
  - bug 1111199
  - bug 1109915
  - bug 1109375
  - bug 1109328
  - bug 1108145
  - bug 1107525
  - bug 1108159
  - bug 1107913
  - bug 1106719
  - bug 1106164
(Assignee)

Comment 1

4 years ago
Created attachment 8540356 [details] [diff] [review]
Rollup of Debugger-go-faster fuzz bugs for Aurora backport

* * *
From 1ddf74d05c245f4645ab4921671b775e6bf788fe Mon Sep 17 00:00:00 2001
Bug 1106164 - Fix incorrect use of SnapshotIterator in the in-place debug mode Ion exception bailout. (r=jandem)
* * *
From b2dc1329b121f44e4d49807283a7aceb45fa9cc9 Mon Sep 17 00:00:00 2001
Bug 1106719 - Don't call onExceptionUnwind and onPop debugger hooks on OOM. (r=jimb)
* * *
From c41522f1f6cc0bab5fe4d85f9f16076300c988ad Mon Sep 17 00:00:00 2001
Bug 1107913 - Fix yet another corner case for onExceptionUnwind debug mode OSR. (r=jandem)
* * *
From 7412acaf8cc0559223255ff21889488295875e75 Mon Sep 17 00:00:00 2001
Bug 1108159 - Fix debuggers sweeping logic for off-thread "debuggee" compartments. (r=jimb)
* * *
From 9729dce1ba6f98766ffbfc0780a512fd25f4c812 Mon Sep 17 00:00:00 2001
Bug 1107525 - Fix corner case of in-place debug mode bailout and SPS pseudo frame popping. (r=jandem)
* * *
From 1ff4bb035407450ae95661999b207de0c24b0019 Mon Sep 17 00:00:00 2001
Bug 1108145 - Fix debug mode in-place Ion->Baseline bailout at loop heads. (r=jandem)
* * *
From 1e53f1996c6e15bb630b5f0385fbf77c79e3f215 Mon Sep 17 00:00:00 2001
Bug 1109328 - Fix an OOM case when compiling debug instrumentation in Baseline. (r=jandem)
* * *
From aaa249d09fb2624cd95a2f705fa6dff1b6cf6e0a Mon Sep 17 00:00:00 2001
Bug 1109375 - Make ICGetProp_Generic clonable for debug mode OSR. (r=jandem)
* * *
From 00b4fb573825e55ae91e133b2f147af5a5220097 Mon Sep 17 00:00:00 2001
Bug 1109915 - Forward live debug scopes when bailing out with a RematerializedFrame. (r=luke)
* * *
From 4c99f79150da57f5612a65bf190b4e7b38174d87 Mon Sep 17 00:00:00 2001
Bug 1111199 - Use pcForNativeAddress instead of pcForReturnAddress when doing debug mode OSR during exception handling. (r=jandem)
* * *
From 2d820bf5c4c8a60301a9dddfd5fb83036a5ee8c0 Mon Sep 17 00:00:00 2001
Bug 1107937 - Part 1: Move RematerializedFrames from ThreadSafeContext back to JSContext and remove the PJS use case. (r=me)
* * *
From 3d5a8bbff4c80b781bbf605f73243f6ed34eb7b5 Mon Sep 17 00:00:00 2001
Bug 1107937 - Part 2: Correctly rematerialize CallObjects on heavyweight function frames. (r=jandem)
* * *
From a9607199268ab5ab08f5b5b21f1afb619b87d64f Mon Sep 17 00:00:00 2001
Bug 1107937 - Followup: bring RematerializedFrame::hasCallObj implementation in line with Interpreter and BaselineFrame's. (r=jandem)
* * *
From 0b2ab272bbfb2b56f3ae75c6be2b7aa9a1b1c85c Mon Sep 17 00:00:00 2001
Bug 1111300 - Fix stupid bug miscomputing the number of actual args in RematerializedFrames. (r=efaust)
* * *
From 4b43078ae46c827ff1edc7b9fe55a592d42795af Mon Sep 17 00:00:00 2001
Bug 1109964 - Recover missing arguments in DebugScopeProxy when the optimized arguments comes from a non-'arguments' slot. (r=luke)
* * *
From fc744d5f78a0925b33f7c48c8d90a6699c3e2b69 Mon Sep 17 00:00:00 2001
Bug 1111477 - Always initialize scope chain for bailout to baseline if bailing in-place for debug mode. (r=jandem)
* * *
From e6bbfcc8288fd2076bbe998c054043c7a0941405 Mon Sep 17 00:00:00 2001
Bug 1113710 - Don't try to ensure Debugger visibility of about-to-be-finalized scripts. (r=terrence)
(Assignee)

Comment 2

4 years ago
Created attachment 8540363 [details] [diff] [review]
rollup.patch

Approval Request Comment
[Feature/regressing bug #]: bug 1032869
[User impact if declined]: crashes when using the built-in Debugger
[Describe test coverage new/current, TBPL]: on mozilla-central
[Risks and why]: low risk; no changes, just bugfixes
[String/UUID change made/needed]: none
Assignee: nobody → shu
Attachment #8540356 - Attachment is obsolete: true
Attachment #8540363 - Flags: approval-mozilla-aurora?
Attachment #8540363 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
https://hg.mozilla.org/releases/mozilla-aurora/rev/2f714060ef55
Status: NEW → RESOLVED
Last Resolved: 4 years ago
status-firefox35: --- → unaffected
status-firefox36: --- → fixed
status-firefox37: --- → unaffected
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla36