Closed Bug 416354 Opened 16 years ago Closed 16 years ago

Missing SAVE_SP_AND_PC in JSOP_NEG

Categories

(Core :: JavaScript Engine, defect, P1)

Product:
Core
Component:
JavaScript Engine
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
mozilla1.9beta4

People

(Reporter: igor, Assigned: igor)

Details

(Keywords: verified1.8.1.13, Whiteboard: [sg:critical?])

Attachments

(2 files)

v1
1.14 KB, patch
brendan
: review+
dveditz
: approval1.8.1.13+
brendan
: approval1.9+
Details | Diff | Splinter Review
js1_5/extensions/regress-416354.js
2.56 KB, text/plain
Details 
JSOP_NEG in the interpreter calls js_NewNumberValue without calling SAVE_SP_AND_PC when the top of the stack is a double value. This leads to a GC hazard as the following example demonstrates:

~/m/ff/mozilla/js/src $ cat ~/m/y.js
function f(a, b, c)
{
    return (-a) * ((-b) * (-c));
}

var expect = f(1.5, 1.25, 1.125);
gczeal(2);
var actual = f(1.5, 1.25, 1.125);
if (actual !== expect)
    throw "GC hazard, expect="+expect+" actual="+actual;
~/m/ff/mozilla/js/src $ ./Linux_All_DBG.OBJ/js ~/m/y.js
uncaught exception: GC hazard, expect=-2.109375 actual=-1.58203125
Attached patch v1Splinter Review 
The fix makes sure that SAVE_SP_AND_PC is called at the right moment.
Attachment #302122 - Flags: review?(brendan)
Asking for blocking flags as this is a GC hazard on the trunk and 1.8.1 branch.
Flags: blocking1.9?
Flags: blocking1.8.1.13?
Flags: blocking1.9? → blocking1.9+
Priority: -- → P1
Target Milestone: --- → mozilla1.9beta4
Attachment #302122 - Flags: review?(brendan)
Attachment #302122 - Flags: review+
Attachment #302122 - Flags: approval1.9+
I checked in the patch from comment 1 to the trunk:

http://bonsai.mozilla.org/cvsquery.cgi?module=PhoenixTinderbox&branch=HEAD&cvsroot=%2Fcvsroot&date=explicit&mindate=1202507940&maxdate=1202508086&who=igor%25mir2.org
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Flags: wanted1.8.1.x+
Whiteboard: [sg:critical?]
Flags: blocking1.8.1.13? → blocking1.8.1.13+
Comment on attachment 302122 [details] [diff] [review]
v1

The patch applies to the 181 branch as is.
Attachment #302122 - Flags: approval1.8.1.13?
Comment on attachment 302122 [details] [diff] [review]
v1

approved for 1.8.1.13, a=dveditz for release-drivers
Attachment #302122 - Flags: approval1.8.1.13? → approval1.8.1.13+
Flags: in-testsuite+
Flags: in-litmus-
v
Status: RESOLVED → VERIFIED
I checked in the patch from comment 1 to MOZILLA_1_8_BRANCH:

Checking in jsinterp.c;
/cvsroot/mozilla/js/src/jsinterp.c,v  <--  jsinterp.c
new revision: 3.181.2.96; previous revision: 3.181.2.95
done
Keywords: fixed1.8.1.13
v 1.8.1 linux|mac 10.5
Keywords: fixed1.8.1.13verified1.8.1.13
igor, what should we do with these SAVE_SP_AND_PC on the 1.8.0 branch?
(In reply to comment #10)
> igor, what should we do with these SAVE_SP_AND_PC on the 1.8.0 branch?

The bug does not exist on 1.8.0 branch.

thanks. not a 1.8.0 branch bug.
Flags: blocking1.8.0.15-
Group: security
/cvsroot/mozilla/js/tests/js1_5/extensions/regress-416354.js,v  <--  regress-416354.js
initial revision: 1.1
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: