Closed Bug 607659 Opened 9 years ago Closed 9 years ago

js_GetProperty on RegExp.prototype from TraceRecorder can reenter VM, crash

(Core :: JavaScript Engine, defect)
RESOLVED FIXED

(Reporter: luke, Assigned: luke)

(Whiteboard: [sg:critical?] fixed-in-tracemonkey)

The RegExp.exec -> test tjit optimization does a js_GetProperty for 'test' on RegExp.prototype.  This is bad since it can cause visible side effects during compilation.  It also kills the current trace recorder which crashes compilation.

  var g = 0;
  Object.defineProperty(RegExp.prototype, 'test', { get:function() { ++g } });
  function f() {
      for (var i = 0; i < 100; ++i)
          /a/.exec('a');
  }
  f();
  assertEq(g, 0);

I think the solution is to do something more like ClassMethodIsNative and use JSObject::nativeLookup.
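The mechanism behind the report, as an added example that is not part of the bug or of SpiderMonkey's code: checking "is this still the native method?" by reading the property runs whatever accessor a script installed on the prototype (the visible side effect the test case catches), and it also gives the wrong answer when the getter simply hands back the native function. Inspecting the property slot instead, which is what a shape lookup such as JSObject::nativeLookup does inside the engine, answers the question without running script. Here Object.getOwnPropertyDescriptor stands in for that slot inspection and a plain object stands in for RegExp.prototype so the real global is not modified; both stand-ins are assumptions of this example.

```javascript
// Added illustration, not code from bug 607659 or from SpiderMonkey.
// Captures the built-in before any script can redefine it.
const nativeTest = RegExp.prototype.test;

// Faulty check: a property read invokes any accessor installed by script,
// so user code runs during what should be a compiler-internal query, and
// a getter that returns the native function makes the check pass anyway.
function methodIsNativeViaGet(proto, name, native) {
  return proto[name] === native;
}

// Side-effect-free check: look at the property descriptor (a stand-in for
// the engine's shape/slot lookup). An accessor property has no 'value', so
// anything other than a data property holding the native fails the check.
function methodIsNativeViaDescriptor(proto, name, native) {
  const d = Object.getOwnPropertyDescriptor(proto, name);
  return d !== undefined && 'value' in d && d.value === native;
}

// Runs one checker against a fresh stand-in prototype (hypothetical, in
// place of RegExp.prototype). When installGetter is true the prototype's
// 'test' is replaced by a script-visible accessor that counts its calls,
// mirroring the Object.defineProperty in the reported test case.
function runScenario(checker, installGetter) {
  const proto = { test: nativeTest };
  let getterCalls = 0;
  if (installGetter) {
    Object.defineProperty(proto, 'test', {
      get() { ++getterCalls; return nativeTest; },
      configurable: true,
    });
  }
  const isNative = checker(proto, 'test', nativeTest);
  return { isNative, getterCalls };
}

// Untampered prototype: both checks agree and nothing observable happens.
console.log(runScenario(methodIsNativeViaGet, false));
console.log(runScenario(methodIsNativeViaDescriptor, false));
// Tampered prototype: the read-based check runs the getter (getterCalls 1)
// and still reports "native"; the descriptor check runs no script and
// correctly reports that the method is no longer the plain native.
console.log(runScenario(methodIsNativeViaGet, true));
console.log(runScenario(methodIsNativeViaDescriptor, true));
```

The second pair of results is the whole bug in miniature: an optimization that consults script-controlled state must do so through a lookup that cannot call back into script, both because the callback is an observable side effect at a point where the engine is not prepared to re-enter, and because the callback controls the answer.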
Attached patch fixSplinter Review
Assignee: general → lw
Status: NEW → ASSIGNED
Attachment #486367 - Flags: review?(jorendorff)
Comment on attachment 486367 [details] [diff] [review]
fix

Looks good. Two nits:

>+JSObject *
>+HasNativeMethod(JSContext *cx, JSObject *obj, jsid methodid, Native native)
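Review bot: the name HasNativeMethod reads as a yes/no predicate, yet the declaration returns a JSObject *; a one-line comment above the declaration stating which object is returned and what the negative result looks like (or a rename that names the returned object rather than asking a question) would make the call sites self-explanatory.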

Looks like cx is unused in this. Delete it?

This function should assert that obj is native. Better, JSObject::nativeSearch should assert isNative().

r=me with that.
Attachment #486367 - Flags: review?(jorendorff) → review+
(In reply to comment #2)
> Comment on attachment 486367 [details] [diff] [review]
> fix
> 
> Looks good. Two nits:
> 
> >+JSObject *
> >+HasNativeMethod(JSContext *cx, JSObject *obj, jsid methodid, Native native)
> 
> Looks like cx is unused in this. Delete it?

+1

> This function should assert that obj is native. Better, JSObject::nativeSearch
> should assert isNative().

+2 ;-)

/be
Whiteboard: [sg:critical?]
http://hg.mozilla.org/tracemonkey/rev/1a6993e17a93
Whiteboard: [sg:critical?] → [sg:critical?] fixed-in-tracemonkey
http://hg.mozilla.org/mozilla-central/rev/1a6993e17a93
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Group: core-security