Closed
Bug 451657
Opened 17 years ago
Closed 17 years ago
TM: use cx->executingTrace to prevent all js_Interpret re-entry from JITed builtins
Categories
(Core :: JavaScript Engine, defect)
Core
JavaScript Engine
Tracking
()
RESOLVED
FIXED
mozilla1.9.1
People
(Reporter: brendan, Assigned: brendan)
References
Details
Summary says it all. Only way to be sure of coverage is to centralize the check and propagate a unique exception back to the builtin so it can fail to its guard.
/be
|
Assignee | |
Updated•17 years ago
|
Assignee: general → brendan
|
|
Assignee | |
Comment 1•17 years ago
|
||
I landed an assertion at the top of js_Interpret:
/* We had better not be entering the interpreter from JIT-compiled code. */
JS_ASSERT(!cx->runningJittedCode);
after renaming gcDontBlock to runningJittedCode (agonized over spelling, this is easiest on the eyes ;-).
If anyone sees this assertion botch, please attach a testcase.
/be
Status: NEW → ASSIGNED
|
||
Comment 2•17 years ago
|
||
Isn't that assert hit by the steps to reproduce in bug 451666?
Note that it's not just built-ins. In bug 451666 we're calling a JS resolve hook from inside the tracer code directly, which leads to arbitrary script execution. So just fixing this bug may not fix the other if the fix is limited to builtins.
|
|
Assignee | |
Comment 3•17 years ago
|
||
Yes, the true bug is not limited to built-ins. There are also call-outs from JSOP_ADD, etc., via OBJ_DEFAULT_VALUE, as well as the resolve hook, etc.
Some of these should be made traceable by trampolining back to the interpreter. Others should do a deep abort. That's one reason I kept both bugs around.
/be
|
|
Assignee | |
Comment 4•17 years ago
|
||
Look for the "!cx->runningJittedCode" assertbotch skidmark when marking bugs as dependents.. Dependents should have distinct stacks at least in the line number of the js_Interpret frame nearest top of stack.
/be
Summary: TM: use cx->gcDontBlock to prevent all js_Interpret re-entry from JITed builtins → TM: use cx->gcDontBlock to prevent all js_Interpret re-entry from JITed builtins ("!cx->runningJittedCode" assertion)
|
|
Assignee | |
Comment 5•17 years ago
|
||
Blake and I fixed this:
http://wiki.ecmascript.org/doku.php?id=proposals:hashcodes
I'm going to make bug 451666 be about the trampoline idea for all ops that can call indirectly back into js_Interpret.
/be
Status: ASSIGNED → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Summary: TM: use cx->gcDontBlock to prevent all js_Interpret re-entry from JITed builtins ("!cx->runningJittedCode" assertion) → TM: use cx->executingTrace to prevent all js_Interpret re-entry from JITed builtins
|
|
Assignee | |
Comment 6•17 years ago
|
||
Oops, shouldn't mark fixed until this is in mozilla-central. Blake, any hope of a weekend push? My cable internet is flaking...
/be
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
|
||
Comment 7•17 years ago
|
||
(In reply to comment #5)
> Blake and I fixed this:
>
> http://wiki.ecmascript.org/doku.php?id=proposals:hashcodes
I think you mean http://hg.mozilla.org/tracemonkey/rev/66ce4cd00877 ?
|
||
Comment 8•17 years ago
|
||
I could push this tomorrow. Others are welcome to jump in if that's not soon enough.
|
|
Assignee | |
Comment 9•17 years ago
|
||
Shaver: oops, thanks -- copy didn't "take", d'oh.
Probably worth a push ahead of the impending tracemonkey landing on m-c, for the nightly build kids' sake.
/be
|
|
Assignee | |
Updated•17 years ago
|
Status: REOPENED → ASSIGNED
|
|
Assignee | |
Comment 10•17 years ago
|
||
Fixed in m-c (tm already):
http://hg.mozilla.org/mozilla-central/rev/66ce4cd00877
/be
Status: ASSIGNED → RESOLVED
Closed: 17 years ago → 17 years ago
Resolution: --- → FIXED
|
||
Updated•17 years ago
|
Flags: in-testsuite-
Flags: in-litmus-
You need to log in
before you can comment on or make changes to this bug.
Description
•