Closed Bug 1137012 Opened 9 years ago Closed 8 years ago

Stuck script dialog on a video player SWF

Categories

(Firefox Graveyard :: Shumway, defect)

Tracking

(Not tracked)

RESOLVED INCOMPLETE

People

(Reporter: bugs, Assigned: till)

+++ Initially filed via the problem reporting functionality in Shumway +++
Please add any further information that you deem helpful here:

http://blog.sfgate.com/stew/2015/02/25/fake-monks-are-using-the-bracelet-scam-in-san-francisco/

Video player on this page generates stuck script dialog.

----------------------

Technical Information:
Firefox version: 39.0a1 (20150225030226)
Shumway version: 0.10.182 (0195a96) extension

Hmm, yes. We're landing in an iloop in a function that looks like this:

function Random$BgnextBytes_2519085536 (A, B) {
var v15,v14,v17,v23,v42,v49,$L;
var $F=$$F1476,$C=$$F1476.constants;
v15=new Scope($C[0],this,false);
v14=B|0;
v17=v14;
while(true){{
v23=1-(v17|0);
if(v17){{
v42=v15.object.m$BgnextByte();
v49=A.m$BgwriteByte(v42);
v17=v23;
$L=1;
continue;}}else{{
$L=0;
break;}}}}return undefined;
}

Much of this is irrelevant, so here's a cleaned-up version:

var v17 = 16;
var v23;

while (true) {
  v23 = 1 - v17;
  if (v17) {
    v17 = v23;
    continue;
  } else {
    break;
  }
}

For comparison, here's the bytecode for the function:

function nextBytes(flash.utils::ByteArray,int):void  /* disp_id=0 method_id=4304 nameIndex = 3794 */ {
  // local_count=3 max_scope=1 max_stack=2 code_len=27
  // method position=362463 code position=725318
  0        getlocal0
  1        pushscope
  2        jump            L1

  L2:
  6        label
  7        getlocal1
  8        findpropstrict  nextByte //nameIndex = 3795
  11       callproperty    nextByte (0) //nameIndex = 3795
  15       callpropvoid    writeByte (1) //nameIndex = 11479

  L1:
  19       getlocal2
  20       declocal_i      2
  22       iftrue          L2
  26       returnvoid
}

The gist is that we do `1 - v17` where we should do `v17 - 1`. How this can happen, I don't know. Pretty bad, though.

Still, probably nothing we should work on fixing, seeing as how we're about to remove the compiler that creates this mess. I don't think the baseline compiler will have the same issue.
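
The two loop shapes discussed in the comment above, side by side, as an added example that is not part of the bug's comments or of Shumway's code: one follows the bytecode at L1 (`getlocal2`, `declocal_i 2`, `iftrue L2`), the other follows the generated JavaScript with its swapped operands. The function names and the `MAX_STEPS` cap are assumptions made for the illustration.

```javascript
// Added illustration: function names and MAX_STEPS are assumptions, not Shumway code.
const MAX_STEPS = 1000; // cap so the broken loop cannot hang this script

// What the bytecode at L1 asks for: push local 2, decrement it in place
// (declocal_i 2), then branch on the value that was pushed (iftrue L2).
function bytecodeLoop(count) {
  let local2 = count | 0;
  let calls = 0;
  for (let step = 0; step < MAX_STEPS; step++) {
    const tested = local2;        // getlocal2
    local2 = (local2 - 1) | 0;    // declocal_i 2
    if (!tested) return { calls, terminated: true }; // iftrue L2 not taken
    calls++;                      // body at L2: writeByte(nextByte())
  }
  return { calls, terminated: false };
}

// What the generated JavaScript does: the subtraction operands are swapped.
function miscompiledLoop(count) {
  let v17 = count | 0;
  let calls = 0;
  const values = [];              // first few values v17 takes
  for (let step = 0; step < MAX_STEPS; step++) {
    if (values.length < 4) values.push(v17);
    const v23 = 1 - (v17 | 0);    // should be v17 - 1
    if (!v17) return { calls, terminated: true, values };
    calls++;                      // m$BgwriteByte(m$BgnextByte())
    v17 = v23;
  }
  return { calls, terminated: false, values };
}

// Smallest non-negative count for which the two loops disagree, or -1.
function smallestDivergingCount(limit) {
  for (let n = 0; n <= limit; n++) {
    const want = bytecodeLoop(n);
    const got = miscompiledLoop(n);
    if (want.terminated !== got.terminated || want.calls !== got.calls) return n;
  }
  return -1;
}

console.log(bytecodeLoop(16));        // 16 calls, terminates
console.log(miscompiledLoop(16));     // hits the cap, v17 flips 16, -15, 16, -15
console.log(smallestDivergingCount(64));
```

With the swapped operands `v17` alternates between the requested count and one minus that count, so the generated loop only terminates for counts of 0 and 1; any other count spins until the stuck script dialog appears.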
Shumway is miscompiling a script, but we plan to remove this compiler before shipping.
Blocks: shumway-m3
Marking for later verification.
Blocks: shumway-m4
No longer blocks: shumway-m3
Assignee: nobody → schneider
Tobias says the originally reported error is no longer a problem, but there are now other problems.
`var type = parentScope.getScopeProperty("_-W", ..)` is `undefined` in src/avm2/int.ts:147, which leads to a following `type.axCoerce(..)` throwing an exception.
Assignee: schneider → till
Product: Firefox → Firefox Graveyard
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → INCOMPLETE