
IonMonkey: Bailouts can corrupt rectifier frames

RESOLVED FIXED

Core
JavaScript Engine
5 years ago
5 years ago

People

(Reporter: dvander, Assigned: dvander)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment)

(Assignee)

Description

5 years ago
Rectifier frames use their frame descriptor to determine how much stack space to free. However, EnsureExitFrame changes the descriptor size (necessary for stack walking), causing rectifier frames to crash on return.

Bug 717297 would fix this for real; in the meantime, this patch adds a new frame type that the stack walker knows how to correct for.
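The conflict described above, one descriptor size read by two consumers that need different values, can be shown in a small model. This is an added example, not code from the patch or from IonMonkey: the bit layout, the type names, `kWalkerExtra` and every function name are hypothetical, and the assumption that the walker needs a larger size after a bailout is made only for the sketch.

```cpp
#include <cstdint>
#include <cstdio>

// Simplified model. The names, bit layout and byte counts below are assumptions
// chosen for illustration; they are not IonMonkey's real definitions.
enum FrameType : uint32_t { FrameJS = 0, FrameRectifier = 1, FrameBailedRectifier = 2 };
constexpr uint32_t kTypeBits = 4;
constexpr uint32_t kWalkerExtra = 16;  // assumed extra bytes the walker must skip after a bailout

constexpr uint32_t MakeDescriptor(uint32_t size, FrameType t) { return (size << kTypeBits) | t; }
constexpr uint32_t SizeOf(uint32_t d) { return d >> kTypeBits; }
constexpr FrameType TypeOf(uint32_t d) { return FrameType(d & ((1u << kTypeBits) - 1)); }

// Consumer 1: the rectifier frees exactly the bytes its descriptor records.
uintptr_t RectifierReturn(uintptr_t sp, uint32_t d) { return sp + SizeOf(d); }

// Consumer 2: the stack walker steps over the frame, correcting for the bailed type.
uintptr_t WalkPast(uintptr_t sp, uint32_t d) {
    uint32_t size = SizeOf(d);
    if (TypeOf(d) == FrameBailedRectifier)
        size += kWalkerExtra;
    return sp + size;
}

// Behaviour described as the bug: the size field itself is rewritten for the walker.
uint32_t PatchSizeInPlace(uint32_t d) {
    return MakeDescriptor(SizeOf(d) + kWalkerExtra, TypeOf(d));
}

// Behaviour described as the fix: size untouched, frame retagged with a new type.
uint32_t RetagAsBailed(uint32_t d) {
    return TypeOf(d) == FrameRectifier ? MakeDescriptor(SizeOf(d), FrameBailedRectifier) : d;
}

int main() {
    const uintptr_t sp = 0x1000;  // constructed sample values
    const uint32_t d = MakeDescriptor(32, FrameRectifier);
    const uint32_t bad = PatchSizeInPlace(d), good = RetagAsBailed(d);
    std::printf("correct sp after rectifier return: %#lx\n", (unsigned long)(sp + 32));
    std::printf("size patched in place: return=%#lx walk=%#lx\n",
                (unsigned long)RectifierReturn(sp, bad), (unsigned long)WalkPast(sp, bad));
    std::printf("retagged frame type:   return=%#lx walk=%#lx\n",
                (unsigned long)RectifierReturn(sp, good), (unsigned long)WalkPast(sp, good));
    return 0;
}
```

With the size patched in place the walker lands correctly but the rectifier frees 16 bytes too many; with the retagged type both consumers compute the right address.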
(Assignee)

Comment 1

5 years ago
Created attachment 593286
fix

With OSI + this we can run Kraken again.
Attachment #593286 - Flags: review?(christopher.leary)
Attachment #593286 - Flags: review?(christopher.leary) → review+
(Assignee)

Comment 2

5 years ago
http://hg.mozilla.org/projects/ionmonkey/rev/54aff9c15bcd
Status: ASSIGNED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED