Open Bug 1405308 Opened 7 years ago Updated 6 months ago

Make assertRecoveredOnBailout fuzzing-safe

Categories

(Core :: JavaScript Engine: JIT, enhancement, P3)

People

(Reporter: nbp, Unassigned)

References

(Blocks 1 open bug)

Details

assertRecoveredOnBailout is fuzzing unsafe [1] because it checks for an optimization and uses MOZ_RELEASE_ASSERT [2] to segv if the optimization did not work. We should change this option to check the fuzzingSafe boolean [3] in order to only do this MOZ_RELEASE_ASSERT if fuzzingSafe is false. This way we can let fuzzers re-use the test cases written using assertRecoveredOnBailout as a basis for any mutation fuzzing engine.

[1] http://searchfox.org/mozilla-central/rev/a4702203522745baff21e519035b6c946b7d710d/js/src/shell/js.cpp#6726
[2] http://searchfox.org/mozilla-central/rev/a4702203522745baff21e519035b6c946b7d710d/js/src/jit/Recover.cpp#1726
[3] http://searchfox.org/mozilla-central/search?q=fuzzingSafe&path=
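The gating the report asks for, shown as an added illustration rather than SpiderMonkey's own code: a release assertion that terminates the process stays in place for normal runs, but when a fuzzing-safe flag is set the missed optimization is reported as a soft failure instead, so a mutated test case does not look like an engine crash. The `RELEASE_ASSERT` macro, the `fuzzingSafe` global, `setFuzzingSafe` and `checkRecoveredOnBailout` are all stand-ins assumed for this example; the real shell reads its flag from the command line and asks the JIT whether the instruction was recovered.

```cpp
#include <cstdio>
#include <cstdlib>

// Stand-in for MOZ_RELEASE_ASSERT (assumption): fires in release builds too
// and terminates the process, modelled here with abort().
#define RELEASE_ASSERT(cond, msg)                          \
  do {                                                     \
    if (!(cond)) {                                         \
      std::fprintf(stderr, "release assert: %s\n", (msg)); \
      std::abort();                                        \
    }                                                      \
  } while (0)

// Hypothetical mirror of the shell's fuzzingSafe boolean. In the real shell
// it is set from a command line option; here it is a plain global.
static bool fuzzingSafe = false;

static void setFuzzingSafe(bool value) { fuzzingSafe = value; }

// Hypothetical stand-in for the assertRecoveredOnBailout check. The real
// engine asks the JIT whether the instruction was recovered; here the caller
// passes the answer. Returns true when the optimization was observed. When it
// was not: in fuzzing-safe mode the miss is logged and false is returned, so
// the process keeps running; otherwise it is a hard failure, as before.
static bool checkRecoveredOnBailout(bool recovered) {
  if (recovered) {
    return true;
  }
  if (fuzzingSafe) {
    // Mutation fuzzers routinely break the conditions an optimization needs,
    // so a miss here is expected noise rather than an engine bug.
    std::fprintf(stderr,
                 "assertRecoveredOnBailout: optimization not applied "
                 "(fuzzing-safe, not asserting)\n");
    return false;
  }
  RELEASE_ASSERT(recovered, "instruction was not recovered on bailout");
  return false;  // not reached: the assert above aborts
}

int main() {
  setFuzzingSafe(true);
  std::printf("fuzzing-safe, recovered:     %d\n", checkRecoveredOnBailout(true));
  std::printf("fuzzing-safe, not recovered: %d\n", checkRecoveredOnBailout(false));
  setFuzzingSafe(false);
  std::printf("normal, recovered:           %d\n", checkRecoveredOnBailout(true));
  // checkRecoveredOnBailout(false) in normal mode would abort the process,
  // which is the behaviour the shell has today.
  return 0;
}
```

The useful property is that the failure signal is still there (a logged line and a false return) for anyone running the assertion-based tests deliberately, while a fuzzer that only triages crashes sees nothing it would misreport as a security-relevant finding.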
Priority: -- → P3
Severity: normal → S3