Closed
Bug 564937
Opened 15 years ago
Closed 15 years ago
fast iterators shouldn't touch regs.sp[0]
Categories
(Core :: JavaScript Engine, defect)
Core
JavaScript Engine
Tracking
()
RESOLVED
FIXED
| Tracking | Status | |
|---|---|---|
| blocking2.0 | --- | beta1+ |
People
(Reporter: luke, Assigned: luke)
References
Details
(Whiteboard: [sg:critical?] fixed-in-tracemonkey [critsmash:patch])
Attachments
(1 file)
|
2.87 KB,
patch
|
gal
:
review+
|
Details | Diff | Splinter Review |
Stack code shouldn't read/write regs.sp[0] (or anything higher). With bug 540706, these slots may be used by a more-recently-pushed js::CallStack, JSStackFrame, or arg slots. In particular, using regs.sp[0] as the rval of a js_InternalInvoke is bad. The fact that regs.sp[0] is not rooted (and IteratorMore assumes it is) suggests that this is a bug even without the contiguous stack patch.
Attachment #444507 -
Flags: review?(gal)
|
||
Comment 1•15 years ago
|
||
Comment on attachment 444507 [details] [diff] [review]
fix
Tryserver carefully, lots of interpreter and tracer dependencies here, but looks good.
Attachment #444507 -
Flags: review?(gal) → review+
|
||
Comment 2•15 years ago
|
||
Marking sensitive out of an excess of caution; treating unrooted locations as rooted is GC-hazardous.
Group: core-security
Whiteboard: [sg:critical?]
|
|
||
Comment 3•15 years ago
|
||
Comment on attachment 444507 [details] [diff] [review]
fix
Sorry I missed this, should have caught it.
/be
|
|
Assignee | |
Comment 4•15 years ago
|
||
So I did find this:
cx->regs->sp -= fused ? (*orig.pc == JSOP_MOREITER ? 0 : 2) : 1;
in TraceRecorder::checkTraceEnd. Does that have any interaction with the change:
- TRY_BRANCH_AFTER_COND(cond, 0);
+ TRY_BRANCH_AFTER_COND(cond, 1);
in my patch?
|
||
Updated•15 years ago
|
blocking2.0: --- → ?
|
||
Updated•15 years ago
|
blocking2.0: ? → beta1+
|
|
Assignee | |
Comment 5•15 years ago
|
||
Andreas and I looked over the above code and the patch seems fine as is, since the checkTraceEnd call happens before JSOP_MOREITER.
But also CC'ing Gary, perchance to fuzz.
|
|
||
Comment 6•15 years ago
|
||
(In reply to comment #5)
> Andreas and I looked over the above code and the patch seems fine as is, since
> the checkTraceEnd call happens before JSOP_MOREITER.
>
> But also CC'ing Gary, perchance to fuzz.
Patch looks good on 32-bit shells after 12 hours of dedicated fuzz.
|
|
Assignee | |
Comment 7•15 years ago
|
||
Thank you Gary!
http://hg.mozilla.org/tracemonkey/rev/c9138b6a4af4
Whiteboard: [sg:critical?] → [sg:critical?] fixed-in-tracemonkey
|
|
||
Updated•15 years ago
|
Whiteboard: [sg:critical?] fixed-in-tracemonkey → [sg:critical?] fixed-in-tracemonkey [critsmash:patch]
|
|
||
Comment 8•15 years ago
|
||
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
|
||
Comment 9•14 years ago
|
||
Luke, did this affect 1.9.2? I assume not as bug 540706 did not affect 1.9.2 if I read correctly. Is there any reason to keep this locked?
You need to log in
before you can comment on or make changes to this bug.
Description
•