Closed
Bug 414755
Opened 17 years ago
Closed 17 years ago
Missing SAVE_SP_AND_PC in STORE_(NUMBER|INT|UINT)
Categories
(Core :: JavaScript Engine, defect)
Core
JavaScript Engine
Tracking
()
VERIFIED
FIXED
People
(Reporter: igor, Assigned: igor)
Details
(Keywords: verified1.8.1.13, Whiteboard: [sg:critical?])
Attachments
(2 files)
3.62 KB,
patch
|
brendan
:
review+
dveditz
:
approval1.8.1.13+
brendan
:
approval1.9+
|
Details | Diff | Splinter Review |
2.58 KB,
text/plain
|
Details |
The macros STORE_(NUMBER|INT|UINT) from jsinterp.c do not call SAVE_SP_AND_PC before calling potentially GC-triggering js_NewDoubleValue. This leads to a GC hazard as demonstrated with the following example: ~/m/ff/mozilla/js/src $ cat ~/m/y.js var expect = f(); gczeal(2); var actual = f(); if (expect !== actual) throw "Hazard: actual="+actual+" expect="+expect; function f() { var a = 1e10; var b = 2e10; var c = 3e10; return (a*2) * ((b*2) * c); } ~/m/ff/mozilla/js/src $ ./Linux_All_DBG.OBJ/js ~/m/y.js uncaught exception: Hazard: actual=1.44e+42 expect=2.4e+31 Note that so far I was not able to discover a way to get a crash with that. But it can be used to read a memory image of allocated structs.
Assignee | ||
Comment 1•17 years ago
|
||
The patch just adds the missing calls to SAVE_SP_AND_PC.
Attachment #300249 -
Flags: review?(brendan)
Updated•17 years ago
|
Attachment #300249 -
Flags: review?(brendan)
Attachment #300249 -
Flags: review+
Attachment #300249 -
Flags: approval1.9+
Assignee | ||
Comment 2•17 years ago
|
||
I checked in the patch from comment 1 to the trunk: http://bonsai.mozilla.org/cvsquery.cgi?module=PhoenixTinderbox&branch=HEAD&cvsroot=%252Fcvsroot&date=explicit&mindate=1201671180&maxdate=1201671331&who=igor%25mir2.org
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Assignee | ||
Updated•17 years ago
|
Flags: blocking1.8.1.13?
Updated•17 years ago
|
Flags: wanted1.8.1.x+
Flags: blocking1.8.1.13?
Flags: blocking1.8.1.13+
Whiteboard: [sg:critical?]
Assignee | ||
Comment 3•17 years ago
|
||
Comment on attachment 300249 [details] [diff] [review] v1 The patch applies to the 181 branch as is.
Attachment #300249 -
Flags: approval1.8.1.13?
Comment 4•17 years ago
|
||
Comment on attachment 300249 [details] [diff] [review] v1 approved for 1.8.1.13, a=dveditz for release-drivers
Attachment #300249 -
Flags: approval1.8.1.13? → approval1.8.1.13+
Comment 5•17 years ago
|
||
Updated•17 years ago
|
Flags: in-testsuite+
Assignee | ||
Comment 7•17 years ago
|
||
I checked in the patch from comment 1 to MOZILLA_1_8_BRANCH: Checking in jsinterp.c; /cvsroot/mozilla/js/src/jsinterp.c,v <-- jsinterp.c new revision: 3.181.2.95; previous revision: 3.181.2.94 done
Keywords: fixed1.8.1.13
Updated•17 years ago
|
Group: security
Comment 9•17 years ago
|
||
/cvsroot/mozilla/js/tests/js1_5/extensions/regress-414755.js,v <-- regress-414755.js initial revision: 1.1
You need to log in
before you can comment on or make changes to this bug.
Description
•