Closed Bug 564937 Opened 12 years ago Closed 12 years ago
fast iterators shouldn't touch regs
Stack code shouldn't read/write regs.sp (or anything higher). With bug 540706, these slots may be used by a more-recently-pushed js::CallStack, JSStackFrame, or arg slots. In particular, using regs.sp as the rval of a js_InternalInvoke is bad. The fact that regs.sp is not rooted (and IteratorMore assumes it is) suggests that this is a bug even without the contiguous stack patch.
Attachment #444507 - Flags: review?(gal)
Comment on attachment 444507 [details] [diff] [review] fix Tryserver carefully, lots of interpreter and tracer dependencies here, but looks good.
Attachment #444507 - Flags: review?(gal) → review+
Marking sensitive out of an excess of caution; treating unrooted locations as rooted is GC-hazardous.
Comment on attachment 444507 [details] [diff] [review] fix Sorry I missed this, should have caught it. /be
So I did find this: cx->regs->sp -= fused ? (*orig.pc == JSOP_MOREITER ? 0 : 2) : 1; in TraceRecorder::checkTraceEnd. Does that have any interaction with the change: - TRY_BRANCH_AFTER_COND(cond, 0); + TRY_BRANCH_AFTER_COND(cond, 1); in my patch?
Andreas and I looked over the above code and the patch seems fine as is, since the checkTraceEnd call happens before JSOP_MOREITER. But also CC'ing Gary, perchance to fuzz.
(In reply to comment #5) > Andreas and I looked over the above code and the patch seems fine as is, since > the checkTraceEnd call happens before JSOP_MOREITER. > > But also CC'ing Gary, perchance to fuzz. Patch looks good on 32-bit shells after 12 hours of dedicated fuzz.
Thank you Gary! http://hg.mozilla.org/tracemonkey/rev/c9138b6a4af4
Whiteboard: [sg:critical?] → [sg:critical?] fixed-in-tracemonkey
Whiteboard: [sg:critical?] fixed-in-tracemonkey → [sg:critical?] fixed-in-tracemonkey [critsmash:patch]
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Luke, did this affect 1.9.2? I assume not as bug 540706 did not affect 1.9.2 if I read correctly. Is there any reason to keep this locked?
You need to log in before you can comment on or make changes to this bug.