Closed Bug 453565 Opened 16 years ago Closed 16 years ago

JSOP_IN's record method (and others) need to null-guard JSVAL_OBJECT-mapped types to prevent crashes [@ js_HasNamedProperty]

Categories: Core :: JavaScript Engine, defect, P1
Tracking: RESOLVED FIXED, target milestone mozilla1.9.1b2
People: Reporter: brendan, Assigned: gal
Details: Keywords: crash, fixed1.9.1
Attachments: 1 file

We do not distinguish null from object types for a value v, since both have JSVAL_TAG(v) of 0. We abort in JSOP_IN's record method if rval is primitive, but that does not ensure it won't be null at runtime, on trace.

Should we distinguish null from object type? That, or emit a not-null guard. Comments?

/be
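The tag collision described above, as an added illustration that is not part of the bug or its patch: a toy model of a tagged jsval in which the low three bits are the type tag, objects are 8-byte-aligned pointers (tag 0) and null is the all-zero word, so null also carries tag 0. The recorder's "is it an object?" check admits null, the unguarded builtin dereferences it, and the guarded builtin returns a sentinel instead. The macro names mirror the ones in the comment; their definitions here are assumptions, not SpiderMonkey's headers.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy tagging model (assumption for illustration, not SpiderMonkey's jsapi.h):
 * low three bits are the tag, objects are 8-byte-aligned pointers, null is 0.
 * Consequently JSVAL_TAG(null) == JSVAL_TAG(object) == 0. */
typedef uintptr_t jsval;
typedef struct JSObject {
    _Alignas(8) const char *names[4];  /* own property names, NULL-terminated */
} JSObject;

enum { JSVAL_TAGBITS = 3, JSVAL_OBJECT = 0, JSVAL_INT = 1, JSVAL_STRING = 4 };
#define JSVAL_TAGMASK      ((jsval)((1u << JSVAL_TAGBITS) - 1))
#define JSVAL_NULL         ((jsval)0)
#define JSVAL_TAG(v)       ((v) & JSVAL_TAGMASK)
#define JSVAL_IS_OBJECT(v) (JSVAL_TAG(v) == JSVAL_OBJECT)   /* true for null too */
#define JSVAL_IS_NULL(v)   ((v) == JSVAL_NULL)
#define OBJECT_TO_JSVAL(o) ((jsval)(o))
#define JSVAL_TO_OBJECT(v) ((JSObject *)(v))
#define INT_TO_JSVAL(i)    ((((jsval)(i)) << JSVAL_TAGBITS) | JSVAL_INT)

/* What the recorder sees at record time: only the tag-derived type.
 * This is the check that lets null onto the trace as an "object". */
int recorder_accepts_as_object(jsval v)
{
    return JSVAL_IS_OBJECT(v);
}

/* A type check that does distinguish null from a real object. */
int is_non_null_object(jsval v)
{
    return JSVAL_IS_OBJECT(v) && !JSVAL_IS_NULL(v);
}

/* Builtin as called from trace for `name in obj`: dereferences obj
 * unconditionally, so a null obj is a NULL-pointer dereference. */
int has_named_property_unguarded(JSObject *obj, const char *name)
{
    for (const char **p = obj->names; *p; p++)
        if (strcmp(*p, name) == 0)
            return 1;
    return 0;
}

/* Null-guarded builtin: returns -1 so the trace can exit (and the interpreter
 * can raise the TypeError) instead of crashing. */
int has_named_property_guarded(JSObject *obj, const char *name)
{
    if (!obj)
        return -1;
    return has_named_property_unguarded(obj, name);
}

/* Simulated trace body for `name in rhs`: -2 if the recorder would have
 * aborted on a primitive, -1 for a null rhs at runtime, else 0 or 1. */
int trace_in_operator(jsval rhs, const char *name)
{
    if (!recorder_accepts_as_object(rhs))
        return -2;
    return has_named_property_guarded(JSVAL_TO_OBJECT(rhs), name);
}

int main(void)
{
    static JSObject o = { { "x", "y", NULL, NULL } };   /* constructed sample */
    jsval obj = OBJECT_TO_JSVAL(&o);
    printf("tag(obj)=%lu tag(null)=%lu\n",
           (unsigned long)JSVAL_TAG(obj), (unsigned long)JSVAL_TAG(JSVAL_NULL));
    printf("'x' in obj -> %d, 'x' in null -> %d\n",
           trace_in_operator(obj, "x"), trace_in_operator(JSVAL_NULL, "x"));
    return 0;
}
```

The point the model makes is that a record-time primitive check is a check on the tag, and the tag cannot tell null from an object; either the value representation must give null its own type, or every builtin reached from trace with an object argument needs the runtime null guard.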
If we insert a dummy guard that forces all values on the stacks to be written out, we could catch the SIGSEGV instead of an actual NULL-pointer check.
Keywords: crash
Summary: JSOP_IN's record method (and others) need to null-guard JSVAL_OBJECT-mapped types → JSOP_IN's record method (and others) need to null-guard JSVAL_OBJECT-mapped types to prevent crashes [@ js_HasNamedProperty]
Probably we want null checks in the builtins for now. I think Andreas was warming up to null as distinct mapped type but that will take more work.

/be
arithfuzz hits this if I turn on some type-instability testing code.
Attached patch: patch
Can't test this well since it throws a type error, so no test case for trace-tests.js
Assignee: brendan → gal
Attachment #348662 - Flags: review?(danderson)
Attachment #348662 - Flags: review?(danderson) → review+
Fixed in TM.

http://hg.mozilla.org/tracemonkey/rev/94a601112ceb
Flags: blocking1.9.1?
Priority: -- → P1
Target Milestone: mozilla1.9.1b1 → mozilla1.9.1b2
Fixed in the merge pushed by vlad on Nov 18 14:11:14 2008 -0800: http://hg.mozilla.org/mozilla-central/rev/e8ed5d4bf531
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Flags: blocking1.9.1? → blocking1.9.1+
Resolution: --- → FIXED
Flags: in-testsuite-
Flags: in-litmus-
Crash Signature: [@ js_HasNamedProperty]