Missing SAVE_SP_AND_PC in JSOP_NEG

VERIFIED FIXED in mozilla1.9beta4

Status

Core
JavaScript Engine
P1
normal
VERIFIED FIXED
10 years ago
9 years ago

People

(Reporter: Igor Bukanov, Assigned: Igor Bukanov)

Tracking

({verified1.8.1.13})

unspecified
mozilla1.9beta4
verified1.8.1.13
Points:
---
Bug Flags:
blocking1.9 +
blocking1.8.1.13 +
wanted1.8.1.x +
blocking1.8.0.next -
in-testsuite +
in-litmus -

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:critical?])

Attachments

(2 attachments)

(Assignee)

Description

10 years ago
JSOP_NEG in the interpreter calls js_NewNumberValue without calling SAVE_SP_AND_PC when the top of the stack is a double value. This leads to a GC hazard as the following example demonstrates:

~/m/ff/mozilla/js/src $ cat ~/m/y.js
function f(a, b, c)
{
    return (-a) * ((-b) * (-c));
}

var expect = f(1.5, 1.25, 1.125);
gczeal(2);
var actual = f(1.5, 1.25, 1.125);
if (actual !== expect)
    throw "GC hazard, expect="+expect+" actual="+actual;
~/m/ff/mozilla/js/src $ ./Linux_All_DBG.OBJ/js ~/m/y.js
uncaught exception: GC hazard, expect=-2.109375 actual=-1.58203125
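To make the hazard in the description concrete, here is a small toy model of the interpreter and its GC, added as an illustration rather than taken from this bug or from SpiderMonkey's jsinterp.c. It assumes a heap of boxed doubles, an operand stack whose working pointer sp lives in a local, and a saved_sp that is the only stack pointer the collector sees (the role of fp->sp after SAVE_SP_AND_PC). With collection forced on every allocation, as gczeal(2) does, the unpatched op_neg lets the collector sweep the already-negated operands that sit above the stale saved_sp; the patched op_neg saves sp first. The wrong value the model produces differs from the one in the description because the toy heap does not reproduce SpiderMonkey's real allocator layout; the point is that the unrooted slots get reused.

```c
/* Toy model of the SAVE_SP_AND_PC GC hazard (constructed example, not SpiderMonkey code). */
#include <stdio.h>
#include <stdlib.h>

#define HEAP_CELLS 8
#define STACK_SLOTS 8
#define NARGS 3

/* A boxed double on the GC heap, standing in for the cells js_NewNumberValue hands out. */
typedef struct { double d; int live; int marked; } Cell;

static Cell heap[HEAP_CELLS];
static Cell *args[NARGS];          /* function arguments: always rooted */
static Cell *stack[STACK_SLOTS];   /* operand stack */
static Cell **sp;                  /* interpreter's working stack pointer (a local) */
static Cell **saved_sp;            /* the stack pointer the GC believes in (fp->sp) */
static int gc_zeal;                /* when set, collect on every allocation, like gczeal(2) */

#define SAVE_SP() (saved_sp = sp)

/* Mark-and-sweep over the toy heap: args plus stack slots below saved_sp are the roots. */
static void gc(void) {
    for (int i = 0; i < HEAP_CELLS; i++) heap[i].marked = 0;
    for (int i = 0; i < NARGS; i++) args[i]->marked = 1;
    for (Cell **p = stack; p < saved_sp; p++) (*p)->marked = 1;
    for (int i = 0; i < HEAP_CELLS; i++)
        if (!heap[i].marked) heap[i].live = 0;   /* sweep: unmarked cells go back to the pool */
}

/* Allocate a boxed double; with gc_zeal set every allocation first runs a collection. */
static Cell *new_double(double d) {
    if (gc_zeal) gc();
    for (int i = 0; i < HEAP_CELLS; i++) {
        if (!heap[i].live) { heap[i].live = 1; heap[i].d = d; return &heap[i]; }
    }
    fprintf(stderr, "toy heap exhausted\n");
    exit(1);
}

/* GETARG pushes a reference and allocates nothing, so it never saves sp. */
static void op_getarg(int i) { *sp++ = args[i]; }

/* NEG on a double replaces the top of stack with a freshly boxed -d. */
static void op_neg(int save_sp_first) {
    double d = sp[-1]->d;
    if (save_sp_first) SAVE_SP();     /* the fix: let the GC see every slot pushed so far */
    sp[-1] = new_double(-d);
}

/* MUL pops two doubles and pushes the boxed product; it always saves sp before allocating. */
static void op_mul(void) {
    double d1 = sp[-2]->d, d2 = sp[-1]->d;
    sp--;
    SAVE_SP();
    sp[-1] = new_double(d1 * d2);
}

/* Runs f(a,b,c) = (-a) * ((-b) * (-c)) with zeal on; buggy != 0 selects the unpatched NEG. */
double run_f(double a, double b, double c, int buggy) {
    for (int i = 0; i < HEAP_CELLS; i++) heap[i].live = 0;
    sp = saved_sp = stack;
    gc_zeal = 0;
    args[0] = new_double(a); args[1] = new_double(b); args[2] = new_double(c);
    gc_zeal = 1;

    /* bytecode for the body: getarg a; neg; getarg b; neg; getarg c; neg; mul; mul */
    op_getarg(0); op_neg(!buggy);
    op_getarg(1); op_neg(!buggy);
    op_getarg(2); op_neg(!buggy);
    op_mul();
    op_mul();
    return sp[-1]->d;
}

int main(void) {
    double expect = (-1.5) * ((-1.25) * (-1.125));
    double fixed = run_f(1.5, 1.25, 1.125, 0);
    double buggy = run_f(1.5, 1.25, 1.125, 1);
    printf("expect=%g fixed=%g buggy=%g\n", expect, fixed, buggy);
    return (fixed == expect && buggy != expect) ? 0 : 1;
}
```

In the unpatched run all three negated operands end up pointing at the same reused cell, because each NEG allocates while saved_sp still points at the frame base; the first MUL then multiplies the wrong values. The same shape of bug applies to any interpreter that keeps its stack pointer in a local and roots the stack only up to a saved copy: every allocation site must publish the live stack depth before it can trigger a collection.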
(Assignee)

Comment 1

10 years ago
Created attachment 302122 [details] [diff] [review]
v1

The fix makes sure that SAVE_SP_AND_PC is called at the right moment.
Attachment #302122 - Flags: review?(brendan)
(Assignee)

Comment 2

10 years ago
Asking for blocking flags as this is a GC hazard on the trunk and 1.8.1 branch.
Flags: blocking1.9?
Flags: blocking1.8.1.13?

Updated

10 years ago
Flags: blocking1.9? → blocking1.9+
Priority: -- → P1
Target Milestone: --- → mozilla1.9beta4

Updated

10 years ago
Attachment #302122 - Flags: review?(brendan)
Attachment #302122 - Flags: review+
Attachment #302122 - Flags: approval1.9+
(Assignee)

Comment 3

10 years ago
I checked in the patch from comment 1 to the trunk:

http://bonsai.mozilla.org/cvsquery.cgi?module=PhoenixTinderbox&branch=HEAD&cvsroot=%2Fcvsroot&date=explicit&mindate=1202507940&maxdate=1202508086&who=igor%25mir2.org
Status: NEW → RESOLVED
Last Resolved: 10 years ago
Resolution: --- → FIXED
Flags: wanted1.8.1.x+
Whiteboard: [sg:critical?]
Flags: blocking1.8.1.13? → blocking1.8.1.13+
(Assignee)

Comment 4

10 years ago
Comment on attachment 302122 [details] [diff] [review]
v1

The patch applies to the 181 branch as is.
Attachment #302122 - Flags: approval1.8.1.13?
Comment 5

Comment on attachment 302122 [details] [diff] [review]
v1

approved for 1.8.1.13, a=dveditz for release-drivers
Attachment #302122 - Flags: approval1.8.1.13? → approval1.8.1.13+

Comment 6

10 years ago
Created attachment 304950 [details]
js1_5/extensions/regress-416354.js

Updated

10 years ago
Flags: in-testsuite+
Flags: in-litmus-

Comment 7

10 years ago
v
Status: RESOLVED → VERIFIED
(Assignee)

Comment 8

10 years ago
I checked in the patch from comment 1 to MOZILLA_1_8_BRANCH:

Checking in jsinterp.c;
/cvsroot/mozilla/js/src/jsinterp.c,v  <--  jsinterp.c
new revision: 3.181.2.96; previous revision: 3.181.2.95
done
Keywords: fixed1.8.1.13

Comment 9

10 years ago
v 1.8.1 linux|mac 10.5
Keywords: fixed1.8.1.13 → verified1.8.1.13

Comment 10

10 years ago
igor, what should we do with these SAVE_SP_AND_PC on the 1.8.0 branch?
(Assignee)

Comment 11

10 years ago
(In reply to comment #10)
> igor, what should we do with these SAVE_SP_AND_PC on the 1.8.0 branch?

The bug does not exist on 1.8.0 branch.

Comment 12

9 years ago
thanks. not a 1.8.0 branch bug.
Flags: blocking1.8.0.15-
Group: security

Comment 13

9 years ago
/cvsroot/mozilla/js/tests/js1_5/extensions/regress-416354.js,v  <--  regress-416354.js
initial revision: 1.1