Closed
Bug 622781
Opened 14 years ago
Closed 13 years ago
entry frame Call object can differ between recording and trace
Categories
(Core :: JavaScript Engine, defect)
Core
JavaScript Engine
Tracking
()
RESOLVED
WONTFIX
| Tracking | Status | |
|---|---|---|
| blocking2.0 | --- | - |
People
(Reporter: luke, Unassigned)
References
Details
The tracer assumes that a call object seen at record time is the exact same as seen on trace. This is enforced/documented by guardCallee. There is a loophole however (also the cause of bug 620637 (see comment 3)) in that the identity of the entry frame's scope chain is not guarded upon. This means that setCallProp can write to the call object when it needs to write to the stack:
function outer(b) {
var upvar = 0;
var g = function() {they need to write to /
for (var i = 0; i < 15; ++i)
upvar = 9;
}
if (!b)
return g;
g();
assertEq(upvar, 9); // got 0, expect 9
}
outer(false)();
outer(true);
(Because call objects' reserved slots are initialized to undefined, the analogous test case for callProp always branch exits safely.)
This is rather annoying to fix: either we have to stop depending on the same-call-object-identity property or include scopeChain in fragment lookup.
AFAICS, this is only an unlikely correctness issue, nothing exploitable, since, active or not, call objects always have backing reserved slots which are initialized to undefined. So not nominating for blocking.
|
Reporter | |
Comment 1•14 years ago
|
||
Oops, cut out the "they need to write to /" text in the testcase.
|
||
Comment 2•14 years ago
|
||
Guarding on entry frame scope chain identity looks necessary to me.
/be
|
|
Reporter | |
Comment 3•14 years ago
|
||
Reading TR::traverseScopeChain, it seems that we have logic that is intended to deal with scope chain variance caused by this variance in the entry frame's Call object. IIUC, once we fix this bug by guarding on entry frame scope chain identity, we have a pretty strong invariant and, at first glance, it seems like a lot of TR::traverseScopeChain can be ripped out.
|
|
||
Comment 4•14 years ago
|
||
This blocks a softblocker, nominating. Luke, were you gonna fix this one?
/be
blocking2.0: --- → ?
Whiteboard: softblocker
|
|
Reporter | |
Comment 5•14 years ago
|
||
I hadn't planned on it (until the part about it blocking a softblocker), but I can.
Assignee: general → lw
|
||
Updated•14 years ago
|
blocking2.0: ? → betaN+
|
|
Reporter | |
Comment 6•14 years ago
|
||
The fear is that, by keying traces on the scope chain, we will endlessly record and flush. E.g., this should not constantly record:
for (...)
(function() { eval(''); for (var i = 0; i < 20; ++i) {} })()
The same thing can happen atm for change global shape (just filed bug 627600 on that), but this seems a lot more likely.
This could be fixed with bug 627600 but it still leaves us effectively not recording loops in heavyweight functions which get called repeatedly. Maybe this is rare. Also, we guard on the parent (i.e., entrained scope) of functions called *from* trace, so we are already mostly in this situation.
A more attractive option is to remove all dependencies on the identity of the scope chain (going more the route of traverseScopeChain). The whole area is a bit of a hairball, though. I'll think some more about it; suggestions welcome.
|
|
Reporter | |
Comment 7•14 years ago
|
||
Both options in comment 6 seem risky for FF 4.0 (esp. compared to the relatively small fix in bug 624110), so I'm tentatively proposing that bug 624110 land its patch (after review, of course) and this unblock.
blocking2.0: betaN+ → -
Whiteboard: softblocker
|
|
Reporter | |
Updated•13 years ago
|
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → WONTFIX
You need to log in
before you can comment on or make changes to this bug.
Description
•