Closed
Bug 761473
Opened 12 years ago
Closed 12 years ago
IonMonkey: Check & Fix usage of writeSlotHeader in Snapshots.cpp
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: nbp, Assigned: nbp)
Details
(Whiteboard: [ion:p1:fx18])
Attachments
(1 file)
3.62 KB, patch | dvander: review+
writeSlotHeader asserts that each of its arguments is under the maximal payload for each value. Some usages of it are apparently not tested, because the assertion does not hold with Register::Invalid.
Updated•12 years ago
|
Whiteboard: [ion:t
Updated•12 years ago
|
Whiteboard: [ion:t → [ion:t]
Assignee | ||
Comment 1•12 years ago
|
||
This bug can be triggered by using many allocations such that we don't have enough registers to hold all the values. When we don't have enough registers, we will fall back to addSlot(JSValueType type, int32 stackIndex) and addSlot(int32 valueStackSlot), which are using writeSlotHeader with Register::Invalid and FloatRegister::Invalid (UINT_MAX) instead of MAX_REG_FIELD_VALUE (31). This should fail an assertion in debug builds and may cause the snapshot reader to read bad values in optimized builds.
Whiteboard: [ion:t] → [ion:p1:fx18]
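The failure mode described in Comment 1, as an added example that is not code from this bug or from SpiderMonkey: a bit-packed header whose range check exists only as a debug assertion silently truncates a UINT_MAX sentinel in optimized builds, and the reader then decodes wrong fields. The one-byte layout (5-bit register field in the low bits, 3-bit type field above it) and the names packUnchecked, packChecked, unpack and INVALID_REG are assumptions made for illustration; only MAX_REG_FIELD_VALUE (31) and the UINT_MAX sentinel come from the report.

```cpp
#include <climits>
#include <cstdint>
#include <cstdio>

constexpr uint32_t MAX_REG_FIELD_VALUE = 31;   // value quoted in the bug report
constexpr uint32_t INVALID_REG = UINT_MAX;     // stands in for Register::Invalid
constexpr uint32_t REG_BITS = 5;               // assumed layout: 5-bit register field
constexpr uint32_t MAX_TYPE_FIELD_VALUE = 7;   // assumed layout: 3-bit type field

struct SlotHeader { uint32_t type; uint32_t reg; };

// What an optimized build does once the debug assertion is compiled out:
// an out-of-range register code spills into the neighbouring type bits.
uint8_t packUnchecked(uint32_t type, uint32_t reg) {
    return static_cast<uint8_t>(reg | (type << REG_BITS));
}

// Hardened writer: the range check is always active, so the sentinel is
// rejected instead of being encoded.
bool packChecked(uint32_t type, uint32_t reg, uint8_t *out) {
    if (type > MAX_TYPE_FIELD_VALUE || reg > MAX_REG_FIELD_VALUE)
        return false;
    *out = packUnchecked(type, reg);
    return true;
}

// Reader side: trusts that the writer kept each field in range.
SlotHeader unpack(uint8_t byte) {
    SlotHeader h;
    h.type = static_cast<uint32_t>(byte) >> REG_BITS;
    h.reg = static_cast<uint32_t>(byte) & MAX_REG_FIELD_VALUE;
    return h;
}

int main() {
    // Constructed inputs: type 2 with a valid register, then with the sentinel.
    SlotHeader good = unpack(packUnchecked(2, 5));
    SlotHeader bad = unpack(packUnchecked(2, INVALID_REG));
    std::printf("valid:    type=%u reg=%u\n", (unsigned)good.type, (unsigned)good.reg);
    std::printf("sentinel: type=%u reg=%u\n", (unsigned)bad.type, (unsigned)bad.reg);

    uint8_t byte = 0;
    std::printf("checked writer accepts sentinel: %s\n",
                packChecked(2, INVALID_REG, &byte) ? "yes" : "no");
    return 0;
}
```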
Assignee | ||
Updated•12 years ago
|
Assignee: general → nicolas.b.pierron
Status: NEW → ASSIGNED
Assignee | ||
Comment 2•12 years ago
|
||
Attachment #654745 -
Flags: review?(dvander)
Updated•12 years ago
|
Attachment #654745 -
Flags: review?(dvander) → review+
Assignee | ||
Comment 3•12 years ago
|
||
https://hg.mozilla.org/projects/ionmonkey/rev/85635d695d12
Assignee | ||
Updated•12 years ago
|
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED