Closed Bug 1501301 Opened 3 years ago Closed 3 years ago

arm64 generateEnterJIT pushes too many arguments

Categories

(Core :: JavaScript Engine: JIT, enhancement)

Product:
Core
Component:
JavaScript Engine: JIT
Type:
enhancement
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla65
Tracking Flags:
Tracking Status
firefox65 --- fixed

People

(Reporter: away, Assigned: away)

References

(Blocks 1 open bug)

Details

Attachments

(1 file)

Bug 1501301: Fix the argv loop in aarch64 generateEnterJIT
46 bytes, text/x-phabricator-request
Details | Review 
This loop https://dxr.mozilla.org/mozilla-central/rev/c291143e24019097d087f9307e59b49facaf90cb/js/src/jit/arm64/Trampoline-arm64.cpp#134 repeats while tmp_argc >= 0, which means we actually push tmp_argc+1 arguments.

This leads to crashes on Windows when argv falls exactly at the end of its allocation region and the extra iteration reads from unmapped memory.
The code was looping one too many times.
Assignee: nobody → dmajor
Pushed by dmajor@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/57e435f97c30
Fix the argv loop in aarch64 generateEnterJIT r=sstangl
https://hg.mozilla.org/mozilla-central/rev/57e435f97c30
Status: NEW → RESOLVED
Closed: 3 years ago
status-firefox65: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla65
You need to log in before you can comment on or make changes to this bug.