Bug 722955 - IonMonkey: Bailouts can corrupt rectifier frames
Status: RESOLVED FIXED
Product: Core
Classification: Components
Component: JavaScript Engine
Assigned To: David Anderson [:dvander]
Blocks: 677337
Reported: 2012-01-31 18:34 PST by David Anderson [:dvander]
Modified: 2012-02-01 01:18 PST

Attachments
fix (8.83 KB, patch)
2012-01-31 18:34 PST, David Anderson [:dvander]
cdleary: review+

Description David Anderson [:dvander] 2012-01-31 18:34:02 PST
Rectifier frames use their frame descriptor to determine how much stack space to free. However, EnsureExitFrame changes the descriptor size (necessary for stack walking), causing rectifier frames to crash on return.

Bug 717297 would fix this for real; in the meantime, this patch adds a new frame type that the stack walker knows how to correct for.
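
A simplified model of the conflict described above, added here as an illustration and not taken from the patch or from SpiderMonkey: one descriptor word is read by both the rectifier's return path and the stack walker, so rewriting its size for the walker breaks the return. The bit layout, the `FRAME_BAILED_RECTIFIER` tag, the function names and the byte counts are all assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy model only: descriptor layout, names and sizes are assumptions. */
enum frame_type { FRAME_JS = 0, FRAME_RECTIFIER = 1, FRAME_BAILED_RECTIFIER = 2 };
#define TYPE_BITS 4u
#define TYPE_MASK ((1u << TYPE_BITS) - 1u)

static uint32_t make_desc(uint32_t size, enum frame_type t) { return (size << TYPE_BITS) | (uint32_t)t; }
static uint32_t desc_size(uint32_t d) { return d >> TYPE_BITS; }
static enum frame_type desc_type(uint32_t d) { return (enum frame_type)(d & TYPE_MASK); }

/* Return path of the rectifier: frees as many bytes as the descriptor says. */
static uint32_t rectifier_return_sp(uint32_t sp, uint32_t desc) { return sp + desc_size(desc); }

/* Before the fix: the bailout overwrites the size so the walker sees what it needs. */
static uint32_t bailout_rewrite_size(uint32_t desc, uint32_t walker_extra) {
    return make_desc(desc_size(desc) + walker_extra, desc_type(desc));
}

/* After the fix (as modelled here): keep the size for the return path and
   retag rectifier frames; other frame types are handled as before. */
static uint32_t bailout_retag(uint32_t desc, uint32_t walker_extra) {
    if (desc_type(desc) == FRAME_RECTIFIER)
        return make_desc(desc_size(desc), FRAME_BAILED_RECTIFIER);
    return bailout_rewrite_size(desc, walker_extra);
}

/* Stack walker: applies the correction itself when it sees the retagged frame. */
static uint32_t walker_prev_frame_size(uint32_t desc, uint32_t walker_extra) {
    uint32_t size = desc_size(desc);
    return desc_type(desc) == FRAME_BAILED_RECTIFIER ? size + walker_extra : size;
}

int main(void) {
    const uint32_t sp = 0x1000, rect_bytes = 32, extra = 16;   /* constructed values */
    uint32_t desc = make_desc(rect_bytes, FRAME_RECTIFIER);
    uint32_t bad = bailout_rewrite_size(desc, extra), good = bailout_retag(desc, extra);
    printf("expected sp after return: 0x%x\n", sp + rect_bytes);
    printf("size rewritten: sp=0x%x walker=%u\n", rectifier_return_sp(sp, bad), walker_prev_frame_size(bad, extra));
    printf("retagged:       sp=0x%x walker=%u\n", rectifier_return_sp(sp, good), walker_prev_frame_size(good, extra));
    return 0;
}
```

In the size-rewriting case the return path frees 16 bytes too many, while in the retagged case both consumers get the value they need from the same word.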
Comment 1 David Anderson [:dvander] 2012-01-31 18:34:57 PST
Created attachment 593286
fix

With OSI + this we can run Kraken again.
Comment 2 David Anderson [:dvander] 2012-02-01 01:18:31 PST
http://hg.mozilla.org/projects/ionmonkey/rev/54aff9c15bcd
