Closed Bug 657524 Opened 13 years ago Closed 12 years ago

Audit jsopcode.cpp for use of *pc that doesn't take traps into account

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: jruderman, Unassigned)

Details

I keep hitting non-deterministic assertions in the decompiler when fuzzing with trap(). For example, I've hit all of these on 64-bit Mac:

LOCAL_ASSERT(*pc == JSOP_GOTO || *pc == JSOP_GOTOX);

LOCAL_ASSERT(tail + GetJumpOffset(pc+tail, pc+tail) == pc2 - pc);

LOCAL_ASSERT(sn && SN_TYPE(sn) == SRC_SWITCH);

The testcases tend to involve long functions (>100 bytes of bytecode) and resist reduction or even reproduction.

Brendan thinks the best course is to audit jsopcode.cpp (which includes the decompiler) for uses of *pc that won't do the right thing with traps.  Then I can fuzz more and see if I still hit the yucky non-determinism.
Whichever bug and hacker removed js_GetTrapOpcode fixed this for you, methinks.  \o/  Too lazy to search for it, someone else can if they care.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
> Whichever bug and hacker removed js_GetTrapOpcode fixed this for you,
> methinks.  \o/  Too lazy to search for it, someone else can if they care.

Bug 707454 removed JSOP_TRAP.
You need to log in before you can comment on or make changes to this bug.