Bug 635811 - prevent call objects from escaping on error paths
Status: Closed, RESOLVED FIXED (opened 14 years ago, closed 14 years ago)
Categories: Core :: JavaScript Engine, defect

Tracking | Status | |
---|---|---|
blocking2.0 | --- | final+ |

People: Reporter: luke, Assigned: luke
Whiteboard: [hardblocker] [has patch]

Attachments (2 files, 1 obsolete file)
- 1.40 KB, patch
- 8.03 KB, patch, dvander: review+
Once Invoke/Execute/etc have created the call object for a frame, PutActivationObjects must be called. Currently, this is done in ScriptEpilogue, but if there is an error before ScriptPrologue is called, then ScriptEpilogue is not called. This was the source of bug 634452. I think the fix is just to move the PutActivationObjects call out of ScriptEpilogue and into the frame-popping logic. The tricky part is making sure the mjit/tjit transition code does the right thing. Doing this will also avoid the temporary hack needed to fix bug 635805.
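The error-path leak described above, as a reduced C++ model added here (not SpiderMonkey code; every name is a stand-in for the corresponding SpiderMonkey concept): the buggy layout releases the call object only in the epilogue, which the early-error path never reaches, while the fixed layout ties the release to popping the frame.

```cpp
#include <memory>
#include <vector>
// Added reduced model of the bug (not SpiderMonkey code). A frame may own a call object
// that must be released exactly once (here putActivationObjects) when the frame goes
// away. The buggy layout releases it only in the epilogue, which never runs when an
// error occurs before the prologue; the fix ties the release to popping the frame.
struct CallObj { bool released = false; };
struct Frame {
    CallObj* callObj = nullptr;           // non-null while this frame owns a call object
    bool hasCallObj() const { return callObj != nullptr; }
};
struct Runtime {
    std::vector<Frame> stack;                              // the frame stack
    std::vector<std::unique_ptr<CallObj>> allCallObjs;     // every call object ever created
    Frame& pushFrame() {                                   // models Invoke/Execute creating a call object
        allCallObjs.push_back(std::make_unique<CallObj>());
        stack.push_back(Frame{allCallObjs.back().get()});
        return stack.back();
    }
    void putActivationObjects(Frame& fp) {                 // the cleanup that must run on every path
        if (fp.hasCallObj()) { fp.callObj->released = true; fp.callObj = nullptr; }
    }
    bool scriptPrologue(bool fail) { return !fail; }       // false models "error before ScriptPrologue"
    // Buggy arrangement: cleanup lives in ScriptEpilogue, which the error path skips.
    bool runScriptBuggy(bool prologueFails) {
        Frame& fp = pushFrame();
        if (!scriptPrologue(prologueFails)) { stack.pop_back(); return false; }  // call object escapes
        putActivationObjects(fp);                          // ScriptEpilogue
        stack.pop_back();
        return true;
    }
    // Fixed arrangement: cleanup is part of popping the frame, so every path runs it.
    void popFrame() { putActivationObjects(stack.back()); stack.pop_back(); }
    bool runScriptFixed(bool prologueFails) {
        pushFrame();
        bool ok = scriptPrologue(prologueFails);
        popFrame();
        return ok;
    }
    int escapedCallObjs() const {                          // what an assertion on exit would catch
        int n = 0;
        for (const auto& c : allCallObjs) if (!c->released) ++n;
        return n;
    }
};
// Helpers: number of call objects that escaped after one run under each arrangement.
int escapedAfterBuggyRun(bool prologueFails) { Runtime rt; rt.runScriptBuggy(prologueFails); return rt.escapedCallObjs(); }
int escapedAfterFixedRun(bool prologueFails) { Runtime rt; rt.runScriptFixed(prologueFails); return rt.escapedCallObjs(); }
```

With the prologue failing, the buggy arrangement leaves one call object unreleased and the fixed arrangement leaves none; on the success path both release it.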
Comment 1 • Assignee • 14 years ago
Ah, gag, thanks Jesse. Bug 635805 is going to fix all this and make this explicit PutActivationObjects business unnecessary, but might as well fix the temporary fix first.
Attachment #514119 - Flags: review?(gal)
Updated • Assignee • 14 years ago
Attachment #514119 - Flags: review?(gal)
Comment 3 • Assignee • 14 years ago
Another rare corner case that should be fixed by this patch is that of activation objects not being put in some cases of generator closing.
Updated • 14 years ago
Attachment #514119 - Flags: review+

Updated • Assignee • 14 years ago
Attachment #514119 - Attachment is obsolete: true
Comment 4 • Assignee • 14 years ago
If I apply this patch (which simply asserts !fp->hasCallObj() on exiting RunScript) I get oodles of failures in the current jit tests. I am going to forgo the beautifying fat stack of patches I was cooking up yesterday in lieu of a simple spot fix which can land for 4.0 (bug 635599 is a final+ hardblocker and a dup of this).
Updated • Assignee • 14 years ago
blocking2.0: --- → final+
Whiteboard: [hardblocker]
Comment 6 • Assignee • 14 years ago
Attachment #514623 - Flags: review?(dvander)
Updated • 14 years ago
Whiteboard: [hardblocker] → [hardblocker] [has patch]

Updated • 14 years ago
Attachment #514623 - Flags: review?(dvander) → review+
Comment 7 • Assignee • 14 years ago
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Updated • 12 years ago
Group: core-security