Closed Bug 544160 Opened 13 years ago Closed 13 years ago

TM: Crash trying to write too many values to a Call object on function return

Categories

(Core :: JavaScript Engine, defect)

Not set
normal

Tracking


RESOLVED FIXED

People

(Reporter: dmandelin, Assigned: dmandelin)

Attachments

(1 file)

Attached patch: Patch
Spun off from bug 503772 comment 10. 

The problem is that in the tracer, when we flush the values to a Call object on return from a function, if there is an arguments object, we pass argc as the number of argument values to flush. But the function that creates Call objects allocates fun->nargs slots. If the function is called with more arguments than it has formal params, then argc > fun->nargs, and we do an invalid write flushing the values. This corrupts memory, which can lead to crashes in the GC. (The attached test case corrupts memory more, so it crashes right away.)
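The following is an added illustration of the size mismatch described above; it is not code from the bug's patch or from SpiderMonkey. It uses a hypothetical, simplified `call_obj_t` whose allocation holds `nslots` values (standing in for `fun->nargs`), and a checked flush that bounds the copy by the object's own slot count rather than by the caller-supplied `argc`. Clamping is shown only to make the invariant concrete (never write more values than were allocated); it is an assumption of this example, not a description of how the actual fix handles the extra actuals.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical, simplified stand-in for a Call object: the allocation holds
   exactly `nslots` argument slots (the fun->nargs of the report), backed here
   by a fixed array so the example is self-contained. */
typedef struct {
    size_t   nslots;
    uint64_t slots[8];
} call_obj_t;

/* Size of the mismatch described in the report: the values to flush are
   counted by argc, but only nargs slots were allocated. A non-zero result is
   the number of slots an unchecked flush would write past the allocation. */
size_t overflow_slots(size_t argc, size_t nargs)
{
    return argc > nargs ? argc - nargs : 0;
}

/* Checked flush: the copy length is bounded by the object's own slot count,
   never by the caller-supplied argc. Returns the number of values written. */
size_t flush_args_checked(call_obj_t *call, const uint64_t *vals, size_t argc)
{
    size_t n = argc < call->nslots ? argc : call->nslots;
    memcpy(call->slots, vals, n * sizeof vals[0]);
    return n;
}

/* Constructed scenario: a function with 2 formals invoked with 5 actuals.
   Returns the number of values the checked flush copied (2). */
size_t demo_overlong_call(void)
{
    call_obj_t call = { .nslots = 2 };               /* remaining slots zeroed */
    uint64_t actuals[5] = { 11, 22, 33, 44, 55 };     /* constructed sample */
    return flush_args_checked(&call, actuals, 5);
}

/* Returns 1 if, for the same scenario, the checked flush stored the first two
   actuals and left every slot beyond nslots untouched (still zero), i.e. no
   write reached memory the object does not own. */
int demo_slots_beyond_untouched(void)
{
    call_obj_t call = { .nslots = 2 };
    uint64_t actuals[5] = { 11, 22, 33, 44, 55 };
    flush_args_checked(&call, actuals, 5);
    for (size_t i = call.nslots; i < 8; i++)
        if (call.slots[i] != 0)
            return 0;
    return call.slots[0] == 11 && call.slots[1] == 22;
}

int main(void)
{
    printf("argc=5 nargs=2: an unchecked flush would overrun by %zu slots\n",
           overflow_slots(5, 2));
    printf("checked flush wrote %zu values; slots beyond nargs untouched: %d\n",
           demo_overlong_call(), demo_slots_beyond_untouched());
    return 0;
}
```

The point to carry over to any slot-flushing code is that the write length must come from the destination's allocation, not from a count the caller controls; `overflow_slots` makes the gap visible for a given (argc, nargs) pair, and `flush_args_checked` shows the bound enforced at the copy.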
Attachment #425130 - Flags: review?(dvander)
Blocks: 503772
Attachment #425130 - Flags: review?(dvander) → review+
http://hg.mozilla.org/mozilla-central/rev/0f817ba06787
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED