Closed
Bug 723773
Opened 12 years ago
Closed 12 years ago
Liveness analysis makes mistakes when analyzing try/catch
Categories
(Core :: JavaScript Engine, defect)
Core
JavaScript Engine
Tracking
()
RESOLVED
FIXED
mozilla13
| Tracking | Status | |
|---|---|---|
| firefox11 | --- | unaffected |
| firefox12 | --- | affected |
| firefox13 | --- | fixed |
| firefox-esr10 | --- | unaffected |
People
(Reporter: billm, Assigned: billm)
References
Details
(Keywords: regression, Whiteboard: [advisory-tracking+])
Attachments
(1 file)
|
4.02 KB,
patch
|
bhackett1024
:
review+
|
Details | Diff | Splinter Review |
This was basically a mistake over the meaning of some arguments to the Lifetime constructor, I think. The fix is simple. Most of the work of writing this patch was in figuring out the meaning of the savedEnd field, so I tried to improve the comment describing it. Let me know if you have any ideas for this. I don't understand precisely how the JIT uses this information, so I decided to be conservative and close the bug.
Attachment #594024 -
Flags: review?(bhackett1024)
|
||
Comment 1•12 years ago
|
||
Comment on attachment 594024 [details] [diff] [review] patch Review of attachment 594024 [details] [diff] [review]: ----------------------------------------------------------------- Thanks! ::: js/src/jsanalyze.cpp @@ +1008,5 @@ > + * > + * Each time we create a Lifetime, we store the start of the most recently > + * seen sequence of conditional code in the Lifetime's savedEnd field. So, > + * when creating the Lifetime at #2, we set the Lifetime's savedEnd to > + * #5. (The most start of the most recent conditional is cached in each rm 'most'
Attachment #594024 -
Flags: review?(bhackett1024) → review+
|
Assignee | |
Comment 2•12 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/0d2ab3f2e9b9
Target Milestone: --- → mozilla13
|
||
Comment 3•12 years ago
|
||
From philor: Backed out in https://hg.mozilla.org/integration/mozilla-inbound/rev/71f5bf4df2f6 - one of the six in that push was crashing in js::gc::Mark<JSString>
|
|
||
Updated•12 years ago
|
Target Milestone: mozilla13 → ---
|
|
Assignee | |
Comment 4•12 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/3d8b2998c103
Target Milestone: --- → mozilla13
|
|
Assignee | |
Comment 5•12 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/3d8b2998c103
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
|
|
||
Updated•12 years ago
|
status-firefox13:
--- → fixed
|
||
Comment 6•12 years ago
|
||
regression from bug 714645 which landed in Firefox 12 so we don't have to worry about ESR. Not sure if this is serious enough to warrant fixing on the beta branch.
Blocks: 714645
status-firefox-esr10:
--- → unaffected
status-firefox11:
--- → unaffected
status-firefox12:
--- → affected
Keywords: regression
|
||
Comment 7•12 years ago
|
||
What security rating should be attached to this issue?
|
|
||
Updated•12 years ago
|
Whiteboard: [advisory-tracking+]
|
|
||
Updated•12 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•