The interfacelist from TraitsBindings must contain (at least) ‘self’ so interfaceCapacity must be >= 1.

VERIFIED FIXED

Status

Tamarin
Virtual Machine
--
major
VERIFIED FIXED
9 years ago
9 years ago

People

(Reporter: Alexandru Chiculita, Assigned: Steven Johnson)

Attachments

(1 attachment)

(Reporter)

Description

9 years ago
User-Agent:       Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
Build Identifier: 

The following call stack creates a new TraitsBindings with interfaceCapacity == 0. Some methods, like TraitsBindings::containsInterface or TraitsBindings::addOneInterface, use the following bit mask, "const uint32_t bitMask = this->interfaceCapacity - 1", so Tamarin crashes trying to get a cell using quadratic probing.

avmplus::TraitsBindings::TraitsBindings(avmplus::Traits * _owner=0x086e5098, const avmplus::TraitsBindings * _base=0x00000000, avmplus::MultinameHashtable * _bindings=0x0869ef48, unsigned int _slotCount=1, unsigned int _methodCount=0, unsigned int _interfaceCapacity=0)  Line 177    C++
 avmplus::TraitsBindings::alloc(MMgc::GC * gc=0x00196230, avmplus::Traits * _owner=0x086e5098, const avmplus::TraitsBindings * _base=0x00000000, avmplus::MultinameHashtable * _bindings=0x0869ef48, unsigned int slotCount=1, unsigned int methodCount=0, unsigned int interfaceCapacity=0)  Line 277 + 0x3b bytes    C++
>   avmplus::Traits::_buildTraitsBindings(const avmplus::Toplevel * toplevel=0x02808db0, avmplus::AbcGen * abcGen=0x0083db18)  Line 1395 + 0x19 bytes    C++
avmplus::Traits::resolveSignatures(const avmplus::Toplevel * toplevel=0x02808db0)  Line 1611 + 0x10 bytes    C++
avmplus::Traits::newCatchTraits(const avmplus::Toplevel * toplevel=0x02808db0, avmplus::PoolObject * pool=0x03eff860, const unsigned char * traitsPos=0x620755fd, avmplus::String * name=0x027c8b88, avmplus::Namespace * ns=0x027c9048)  Line 774    C++

Reproducible: Always
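To make the failure mode in the description concrete, here is an added example in C++ (not Tamarin's own TraitsBindings code; the InterfaceTable and interfaceCapacityFor names are hypothetical): a minimal power-of-two interface table that, like the report, derives its mask as capacity - 1 and looks entries up with quadratic probing. With capacity 0 the unsigned subtraction wraps to 0xFFFFFFFF, so a probe loop with no bounds check would index far outside the cell array; the model refuses to probe a malformed table, and its capacity policy always leaves room for 'self'.

```cpp
#include <cstdint>
#include <cstdio>
#include <vector>

// Added illustration, not Tamarin's code: a small model of an interface table
// whose capacity is a power of two, looked up with mask = capacity - 1.
class InterfaceTable {
public:
    // A valid binding set always contains at least 'self', so a well-formed
    // table never has capacity 0 (the invariant stated in the bug title).
    explicit InterfaceTable(uint32_t capacity)
        : cells_(capacity, nullptr), capacity_(capacity) {}

    // Same idiom as in the report: unsigned wrap-around when capacity_ == 0.
    uint32_t bitMask() const { return capacity_ - 1; }

    // True only when the probe loop can safely use bitMask().
    bool isWellFormed() const {
        return capacity_ >= 1 && (capacity_ & (capacity_ - 1)) == 0;
    }

    // Quadratic probe for key. Returns the slot index, or -1 when the table
    // is malformed or full. Never dereferences outside cells_.
    int64_t findSlot(const void* key, bool forInsert) const {
        if (!isWellFormed()) return -1;          // the crash condition from the report
        const uint32_t mask = bitMask();
        uint32_t i = hash(key) & mask;
        for (uint32_t n = 1; n <= capacity_; ++n) {   // at most capacity_ probes
            if (cells_[i] == key) return static_cast<int64_t>(i);
            if (cells_[i] == nullptr) return forInsert ? static_cast<int64_t>(i) : -1;
            i = (i + n) & mask;  // triangular steps visit every slot of a power-of-two table
        }
        return -1;
    }

    bool addOneInterface(const void* key) {
        int64_t s = findSlot(key, true);
        if (s < 0) return false;
        cells_[static_cast<size_t>(s)] = key;
        return true;
    }

    bool containsInterface(const void* key) const { return findSlot(key, false) >= 0; }

private:
    // Constructed hash: pointer bits mixed with a Fibonacci multiplier.
    static uint32_t hash(const void* p) {
        return static_cast<uint32_t>(reinterpret_cast<uintptr_t>(p) >> 3) * 2654435761u;
    }
    std::vector<const void*> cells_;  // nullptr marks an empty cell
    uint32_t capacity_;
};

// Capacity policy matching the report's conclusion: the count includes 'self',
// so the smallest table holds one entry; rounded up to a power of two.
uint32_t interfaceCapacityFor(uint32_t interfaceCount) {
    uint32_t needed = interfaceCount < 1 ? 1 : interfaceCount;
    uint32_t cap = 1;
    while (cap < needed) cap <<= 1;
    return cap;
}

// Shows the failure mode: with capacity 0 the mask is 0xFFFFFFFF and the
// table is rejected as malformed instead of being probed.
bool zeroCapacityMaskWraps() {
    InterfaceTable t(0);
    return t.bitMask() == 0xFFFFFFFFu && !t.isWellFormed();
}

int main() {
    int a = 0, b = 0;  // constructed keys; any two distinct addresses will do
    InterfaceTable t(interfaceCapacityFor(2));
    t.addOneInterface(&a);
    std::printf("capacity for 0 interfaces -> %u; zero-capacity mask wraps: %s; "
                "contains a: %s; contains b: %s\n",
                interfaceCapacityFor(0), zeroCapacityMaskWraps() ? "yes" : "no",
                t.containsInterface(&a) ? "yes" : "no",
                t.containsInterface(&b) ? "yes" : "no");
    return 0;
}
```

The isWellFormed() check is the defensive half; the interfaceCapacityFor() policy is the fix the bug title describes, since a table built for at least one entry can never produce the wrapped mask.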
(Reporter)

Updated

9 years ago
OS: Mac OS X → All
Hardware: x86 → All
(Assignee)

Updated

9 years ago
Assignee: nobody → stejohns
(Assignee)

Comment 1

9 years ago
Alexandru, can you provide a testcase that demonstrates this? I've never seen it happen.
(Reporter)

Comment 2

9 years ago
I do not have an AS3 testcase because the bug reproduces in script profiling, but I think I can explain how to reproduce it in AS3. Basically the external script is calling some AS3 that throws and catches an exception. The AS3 catch block will create a "catch" object. When the "catch" object is seen by the sampler it will try to check its class object in SamplerScript::getType and crash when it calls AvmCore::istype.

I think the following should reproduce the issue:

var global_e2:Error;

try {
	throw new Error();
} catch (e:Error) {
	global_e2 = e; // save a reference to the error, so that the sampler will get a live reference when it is triggered
}
(Assignee)

Comment 3

9 years ago
Created attachment 404705: Patch

Nice catch. The Sampler is apparently the only code that can call containsInterface() on catch traits.
Attachment #404705 - Flags: review?(edwsmith)

Updated

9 years ago
Attachment #404705 - Flags: review?(edwsmith) → review+
(Assignee)

Comment 4

9 years ago
pushed as changeset 2690:9b0f178dc7e6
Status: UNCONFIRMED → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → FIXED

Comment 5

9 years ago
Resolved fixed engineering / work item that has been pushed.  Setting status to verified.
Status: RESOLVED → VERIFIED