Bug 414755 - Missing SAVE_SP_AND_PC in STORE_(NUMBER|INT|UINT)
Keywords: verified1.8.1.13
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Trunk
Platform: All All
Importance: -- normal
Assigned To: Igor Bukanov
QA Contact: Jason Orendorff [:jorendorff]
Reported: 2008-01-29 20:26 PST by Igor Bukanov
Modified: 2008-03-29 16:05 PDT
Flags:
  dveditz: blocking1.8.1.13+
  dveditz: wanted1.8.1.x+
  bob: in-testsuite+

Attachments:
  v1 (3.62 KB, patch) - 2008-01-29 20:33 PST, Igor Bukanov
    brendan: review+
    dveditz: approval1.8.1.13+
    brendan: approval1.9+
  js1_5/extensions/regress-414755.js (2.58 KB, text/plain) - 2008-02-22 03:44 PST, Bob Clary [:bc:]

Description  Igor Bukanov 2008-01-29 20:26:58 PST
The macros STORE_(NUMBER|INT|UINT) from jsinterp.c do not call SAVE_SP_AND_PC before calling the potentially GC-triggering js_NewDoubleValue. This leads to a GC hazard, as demonstrated by the following example:

~/m/ff/mozilla/js/src $ cat ~/m/y.js

var expect = f();

var actual = f();

if (expect !== actual)
    throw "Hazard: actual="+actual+" expect="+expect;

function f()
{
    var a = 1e10;
    var b = 2e10;
    var c = 3e10;
    return (a*2) * ((b*2) * c);
}

~/m/ff/mozilla/js/src $ ./Linux_All_DBG.OBJ/js ~/m/y.js
uncaught exception: Hazard: actual=1.44e+42 expect=2.4e+31

Note that so far I have not been able to find a way to get a crash with this. But it can be used to read a memory image of allocated structs.
Comment 1  Igor Bukanov 2008-01-29 20:33:25 PST
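The hazard in miniature, as a toy model added here for illustration (this is not code from the report, from the patch, or from SpiderMonkey): a tiny interpreter whose collector marks the operand stack only up to the frame's saved sp, with a GC forced on every allocation so the stale-sp case surfaces deterministically. The Box/Val/Frame types, the heap size and the lowest-free-box allocation policy are assumptions chosen for the trace; mul() follows the JSOP_MUL sequence (fetch both operands, drop one slot, then STORE_NUMBER the product), and the save_sp_first argument selects whether the equivalent of SAVE_SP_AND_PC runs before the allocation.

```c
/*
 * Toy model of the jsinterp.c GC hazard.  Added illustration only: the heap,
 * the jsval tagging, the frame layout and the GC-on-every-allocation policy
 * are simplifications (assumptions), not SpiderMonkey's actual code.
 */
#include <math.h>
#include <stdio.h>
#include <stdlib.h>

#define HEAP_BOXES 8
#define STACK_SLOTS 8

/* A GC-allocated double, what js_NewDoubleValue hands back in the real engine. */
typedef struct { double d; int in_use; int marked; } Box;

/* A jsval in miniature: either a tagged int or a pointer to a Box. */
typedef struct { int is_int; int i; Box *box; } Val;

/* The interpreter's contribution to the root set.  The collector trusts
 * saved_sp (what SAVE_SP_AND_PC last stored); the live stack pointer is a C
 * local the GC never sees. */
typedef struct {
    Val vars[3];             /* a, b, c: always rooted */
    Val stack[STACK_SLOTS];  /* operand stack */
    int saved_sp;            /* fp->sp as the GC sees it */
} Frame;

static Box heap[HEAP_BOXES];

static void gc(Frame *fp)
{
    int i;
    for (i = 0; i < HEAP_BOXES; i++) heap[i].marked = 0;
    for (i = 0; i < 3; i++)
        if (!fp->vars[i].is_int) fp->vars[i].box->marked = 1;
    /* Only slots below the *saved* sp are marked; anything pushed since the
       last save is invisible and gets swept. */
    for (i = 0; i < fp->saved_sp; i++)
        if (!fp->stack[i].is_int) fp->stack[i].box->marked = 1;
    for (i = 0; i < HEAP_BOXES; i++) heap[i].in_use = heap[i].marked;
}

/* js_NewDoubleValue stand-in.  Collecting on every call plays the role of a
   GC stress mode, so the hazard shows on the very first intermediate. */
static Val new_double(Frame *fp, double d)
{
    Val v = { 0, 0, NULL };
    int i;
    gc(fp);
    for (i = 0; i < HEAP_BOXES; i++) {
        if (!heap[i].in_use) {        /* lowest free box first, like a free list */
            heap[i].in_use = 1;
            heap[i].d = d;
            v.box = &heap[i];
            return v;
        }
    }
    fprintf(stderr, "out of memory\n");
    exit(1);
}

static double num(Val v) { return v.is_int ? (double)v.i : v.box->d; }

static void push_int(Frame *fp, int *sp, int i)
{ Val v = { 1, i, NULL }; fp->stack[(*sp)++] = v; }

static void push_var(Frame *fp, int *sp, int slot)
{ fp->stack[(*sp)++] = fp->vars[slot]; }

/* JSOP_MUL: fetch both operands, drop one slot, STORE_NUMBER the product. */
static void mul(Frame *fp, int *sp, int save_sp_first)
{
    double d2 = num(fp->stack[*sp - 1]);
    double d = num(fp->stack[*sp - 2]);
    (*sp)--;
    d *= d2;
    if (save_sp_first)
        fp->saved_sp = *sp;                   /* the missing SAVE_SP_AND_PC */
    fp->stack[*sp - 1] = new_double(fp, d);   /* may run the GC */
}

/* Evaluate f() from the report, (a*2) * ((b*2) * c) with a=1e10, b=2e10,
   c=3e10, and return what the interpreter believes the result is. */
double run_f(int save_sp_first)
{
    Frame fp;
    int sp = 0, i;
    for (i = 0; i < HEAP_BOXES; i++) heap[i].in_use = heap[i].marked = 0;
    for (i = 0; i < 3; i++) { fp.vars[i].is_int = 1; fp.vars[i].i = 0; fp.vars[i].box = NULL; }
    fp.saved_sp = 0;                          /* last saved at function entry */
    fp.vars[0] = new_double(&fp, 1e10);
    fp.vars[1] = new_double(&fp, 2e10);
    fp.vars[2] = new_double(&fp, 3e10);
    push_var(&fp, &sp, 0); push_int(&fp, &sp, 2); mul(&fp, &sp, save_sp_first); /* a*2     */
    push_var(&fp, &sp, 1); push_int(&fp, &sp, 2); mul(&fp, &sp, save_sp_first); /* b*2     */
    push_var(&fp, &sp, 2);                        mul(&fp, &sp, save_sp_first); /* (b*2)*c */
    mul(&fp, &sp, save_sp_first);                                               /* outer * */
    return num(fp.stack[0]);
}

int main(void)
{
    printf("without SAVE_SP_AND_PC: %g\n", run_f(0));
    printf("with    SAVE_SP_AND_PC: %g\n", run_f(1));
    return 0;
}
```

Without the save, the boxed (a*2) sits above the stale saved sp, is swept on the next allocation, and its box is reused, eventually for (b*2)*c; the outer multiply then reads 1.2e21 from both operands and yields 1.44e42, the same wrong value the report shows. With the save the intermediate stays rooted and the result is 2.4e31. The swept box is still readable in the model, which is why this manifests as a wrong answer that exposes another live heap value rather than as a crash.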
Created attachment 300249 [details] [diff] [review]

The patch just adds the missing calls to SAVE_SP_AND_PC.
Comment 3  Igor Bukanov 2008-02-15 12:40:43 PST
Comment on attachment 300249 [details] [diff] [review]

The patch applies to the 181 branch as is.
Comment 4  Daniel Veditz [:dveditz] 2008-02-20 11:23:35 PST
Comment on attachment 300249 [details] [diff] [review]

approved for, a=dveditz for release-drivers
Comment 5  Bob Clary [:bc:] 2008-02-22 03:44:33 PST
Created attachment 304953 [details]
Comment 6  Bob Clary [:bc:] 2008-02-26 08:23:47 PST
Comment 7  Igor Bukanov 2008-02-29 13:19:10 PST
I checked in the patch from comment 1 to MOZILLA_1_8_BRANCH:

Checking in jsinterp.c;
/cvsroot/mozilla/js/src/jsinterp.c,v  <--  jsinterp.c
new revision:; previous revision:
Comment 8  Bob Clary [:bc:] 2008-03-17 04:54:46 PDT
v 1.8.1 linux|mac
Comment 9  Bob Clary [:bc:] 2008-03-29 16:05:27 PDT
/cvsroot/mozilla/js/tests/js1_5/extensions/regress-414755.js,v  <--  regress-414755.js
initial revision: 1.1
