Closed Bug 657524 Opened 14 years ago Closed 13 years ago

Audit jsopcode.cpp for use of *pc that doesn't take traps into account

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: jruderman, Unassigned)

Details

I keep hitting non-deterministic assertions in the decompiler when fuzzing with trap(). For example, I've hit all of these on 64-bit Mac: LOCAL_ASSERT(*pc == JSOP_GOTO || *pc == JSOP_GOTOX); LOCAL_ASSERT(tail + GetJumpOffset(pc+tail, pc+tail) == pc2 - pc); LOCAL_ASSERT(sn && SN_TYPE(sn) == SRC_SWITCH); The testcases tend to involve long functions (>100 bytes of bytecode) and resist reduction or even reproduction. Brendan thinks the best course is to audit jsopcode.cpp (which includes the decompiler) for uses of *pc that won't do the right thing with traps. Then I can fuzz more and see if I still hit the yucky non-determinism.
Whichever bug and hacker removed js_GetTrapOpcode fixed this for you, methinks. \o/ Too lazy to search for it, someone else can if they care.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
> Whichever bug and hacker removed js_GetTrapOpcode fixed this for you, > methinks. \o/ Too lazy to search for it, someone else can if they care. Bug 707454 removed JSOP_TRAP.
You need to log in before you can comment on or make changes to this bug.