Bug 416354 - Missing SAVE_SP_AND_PC in JSOP_NEG
Status: Closed, VERIFIED FIXED
Opened 17 years ago, closed 17 years ago
Categories: Core :: JavaScript Engine, defect, P1
Target Milestone: mozilla1.9beta4
People: Reporter: igor, Assigned: igor
Details: Keywords: verified1.8.1.13, Whiteboard: [sg:critical?]
Attachments (2 files):
  patch, 1.14 KB: brendan: review+, dveditz: approval1.8.1.13+, brendan: approval1.9+
  text/plain, 2.56 KB
JSOP_NEG in the interpreter calls js_NewNumberValue without calling SAVE_SP_AND_PC when the top of the stack is a double value. This leads to a GC hazard as the following example demonstrates:
~/m/ff/mozilla/js/src $ cat ~/m/y.js
function f(a, b, c)
{
    return (-a) * ((-b) * (-c));
}
var expect = f(1.5, 1.25, 1.125);
gczeal(2);
var actual = f(1.5, 1.25, 1.125);
if (actual !== expect)
    throw "GC hazard, expect="+expect+" actual="+actual;
~/m/ff/mozilla/js/src $ ./Linux_All_DBG.OBJ/js ~/m/y.js
uncaught exception: GC hazard, expect=-2.109375 actual=-1.58203125
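To make the mechanism behind that output concrete, here is a constructed toy model of the hazard (added example code, not SpiderMonkey's jsinterp.c and not the attached patch). Boxed doubles live in a tiny mark-and-sweep heap, the interpreter keeps its operand stack pointer in a local variable, and the collector only scans stack slots up to the copy that SAVE_SP stored in the frame. A full collection before every allocation plays the role of gczeal(2). All names (VM, Box, new_number, op_neg, eval_neg_mul) are invented for the example; the test program is the same (-a) * ((-b) * (-c)) from the report, run once with a JSOP_NEG that saves sp before allocating and once with one that does not.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Constructed toy model of the hazard (example code, not SpiderMonkey's):
 * boxed doubles live in a small mark-and-sweep heap, the interpreter keeps
 * its operand stack pointer in a local variable, and the collector can only
 * see the copy that SAVE_SP stored in the frame.  Running a full GC before
 * every allocation plays the role of gczeal(2).
 */
#define HEAP_SIZE  16
#define STACK_SIZE 8
#define POISON     -999.0        /* written into every swept box */

typedef struct { double val; int live, marked; } Box;

typedef struct {
    Box   heap[HEAP_SIZE];
    Box  *args[3];               /* always rooted, like a frame's argv */
    Box  *stack[STACK_SIZE];
    Box **saved_sp;              /* the only stack pointer the GC sees */
} VM;

static Box *alloc_box(VM *vm, double v) {
    for (int i = 0; i < HEAP_SIZE; i++)
        if (!vm->heap[i].live) {
            vm->heap[i].live = 1;
            vm->heap[i].val = v;
            return &vm->heap[i];
        }
    abort();                     /* toy heap exhausted; not reachable below */
}

static void gc(VM *vm) {
    for (int i = 0; i < HEAP_SIZE; i++) vm->heap[i].marked = 0;
    for (int i = 0; i < 3; i++) vm->args[i]->marked = 1;
    /* Operand stack slots are roots only up to the saved sp. */
    for (Box **p = vm->stack; p < vm->saved_sp; p++) (*p)->marked = 1;
    for (int i = 0; i < HEAP_SIZE; i++)
        if (vm->heap[i].live && !vm->heap[i].marked) {
            vm->heap[i].live = 0;
            vm->heap[i].val = POISON;
        }
}

/* js_NewNumberValue stand-in: every allocation first runs a full GC. */
static Box *new_number(VM *vm, double v) {
    gc(vm);
    return alloc_box(vm, v);
}

/* JSOP_GETARG: pushes an already rooted pointer, no allocation. */
static void op_getarg(VM *vm, Box ***spp, int i) { *(*spp)++ = vm->args[i]; }

/* JSOP_NEG: the operand is read before the allocation that may collect it.
 * With save_sp == 0 the slots between saved_sp and sp are invisible to gc(). */
static void op_neg(VM *vm, Box ***spp, int save_sp) {
    Box **sp = *spp;
    double d = sp[-1]->val;
    if (save_sp) vm->saved_sp = sp;          /* SAVE_SP_AND_PC, the fix */
    sp[-1] = new_number(vm, -d);
}

/* JSOP_MUL, written the way a safe opcode does it: save sp before allocating. */
static void op_mul(VM *vm, Box ***spp) {
    Box **sp = *spp;
    double x = sp[-2]->val, y = sp[-1]->val;
    vm->saved_sp = sp;
    Box *r = new_number(vm, x * y);
    --sp;
    sp[-1] = r;
    *spp = sp;
}

/* Runs the bytecode for (-a) * ((-b) * (-c)) and returns the result. */
double eval_neg_mul(double a, double b, double c, int neg_saves_sp) {
    VM vm;
    memset(&vm, 0, sizeof vm);
    vm.saved_sp = vm.stack;
    double argv[3] = { a, b, c };
    for (int i = 0; i < 3; i++) vm.args[i] = alloc_box(&vm, argv[i]);

    Box **sp = vm.stack;
    op_getarg(&vm, &sp, 0); op_neg(&vm, &sp, neg_saves_sp);   /* -a */
    op_getarg(&vm, &sp, 1); op_neg(&vm, &sp, neg_saves_sp);   /* -b */
    op_getarg(&vm, &sp, 2); op_neg(&vm, &sp, neg_saves_sp);   /* -c */
    op_mul(&vm, &sp);                                         /* (-b) * (-c) */
    op_mul(&vm, &sp);                                         /* (-a) * ... */
    return sp[-1]->val;
}

int main(void) {
    double expect = eval_neg_mul(1.5, 1.25, 1.125, 1);
    double actual = eval_neg_mul(1.5, 1.25, 1.125, 0);
    printf("with SAVE_SP: %g, without: %g\n", expect, actual);
    return expect == actual ? 0 : 1;
}
```

In the unsaved variant the box holding -a is swept while -b is being negated, because saved_sp still points at the stack base from before the first push; the freed box is then handed back for -b, so two stack slots alias one box and the product comes out wrong, which is the same shape of corruption as the expect/actual mismatch above. With the save in place every slot below sp is marked and the result is -2.109375.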
Comment 1 (Assignee) • 17 years ago
The fix makes sure that SAVE_SP_AND_PC is called at the right moment.
Attachment #302122 - Flags: review?(brendan)
Comment 2 (Assignee) • 17 years ago
Asking for blocking flags as this is a GC hazard on the trunk and 1.8.1 branch.
Flags: blocking1.9?
Flags: blocking1.8.1.13?
Updated • 17 years ago
Flags: blocking1.9? → blocking1.9+
Priority: -- → P1
Target Milestone: --- → mozilla1.9beta4
Updated • 17 years ago
Attachment #302122 - Flags: review?(brendan)
Attachment #302122 - Flags: review+
Attachment #302122 - Flags: approval1.9+
Comment 3 (Assignee) • 17 years ago
I checked in the patch from comment 1 to the trunk:
http://bonsai.mozilla.org/cvsquery.cgi?module=PhoenixTinderbox&branch=HEAD&cvsroot=%2Fcvsroot&date=explicit&mindate=1202507940&maxdate=1202508086&who=igor%25mir2.org
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Updated • 17 years ago
Flags: wanted1.8.1.x+
Whiteboard: [sg:critical?]
Updated • 17 years ago
Flags: blocking1.8.1.13? → blocking1.8.1.13+
Comment 4 (Assignee) • 17 years ago
Comment on attachment 302122 (v1)
The patch applies to the 181 branch as is.
Attachment #302122 - Flags: approval1.8.1.13?
Comment 5 • 17 years ago
Comment on attachment 302122 (v1)
approved for 1.8.1.13, a=dveditz for release-drivers
Attachment #302122 - Flags: approval1.8.1.13? → approval1.8.1.13+
Comment 6 • 17 years ago
Updated • 17 years ago
Flags: in-testsuite+
Flags: in-litmus-
Comment 8 (Assignee) • 17 years ago
I checked in the patch from comment 1 to MOZILLA_1_8_BRANCH:
Checking in jsinterp.c;
/cvsroot/mozilla/js/src/jsinterp.c,v <-- jsinterp.c
new revision: 3.181.2.96; previous revision: 3.181.2.95
done
Keywords: fixed1.8.1.13
Comment 10 • 17 years ago
igor, what should we do with these SAVE_SP_AND_PC on the 1.8.0 branch?
Comment 11 (Assignee) • 17 years ago
(In reply to comment #10)
> igor, what should we do with these SAVE_SP_AND_PC on the 1.8.0 branch?
The bug does not exist on 1.8.0 branch.
Updated • 17 years ago
Group: security
Comment 13 • 17 years ago
/cvsroot/mozilla/js/tests/js1_5/extensions/regress-416354.js,v <-- regress-416354.js
initial revision: 1.1