Bug 761473 - IonMonkey: Check & Fix usage of writeSlotHeader in Snapshots.cpp
Status: RESOLVED FIXED
[ion:p1:fx18]
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Other Branch
Platform: x86_64 Linux
Importance: -- normal
Target Milestone: ---
Assigned To: Nicolas B. Pierron [:nbp]
Mentors:
Depends on:
Blocks:
Reported: 2012-06-04 18:30 PDT by Nicolas B. Pierron [:nbp]
Modified: 2012-08-23 23:16 PDT (History)
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Attachments
Snapshots, use the same upper-bound variables. (3.62 KB, patch)
2012-08-23 12:47 PDT, Nicolas B. Pierron [:nbp]
dvander: review+

Description Nicolas B. Pierron [:nbp] 2012-06-04 18:30:32 PDT
writeSlotHeader asserts that each of its arguments is under the maximal payload for each value.  Some usages of it are apparently not tested because the assertion does not hold with Register::Invalid.
Comment 1 Nicolas B. Pierron [:nbp] 2012-07-30 11:00:31 PDT
This bug can be triggered by using many allocations such that we don't have enough registers to hold all the values.  When we don't have enough registers, we will fall back to

addSlot(JSValueType type, int32 stackIndex)
addSlot(int32 valueStackSlot)

which use writeSlotHeader with Register::Invalid and FloatRegister::Invalid (UINT_MAX) instead of MAX_REG_FIELD_VALUE (31).  This should fail an assertion in debug builds and may cause the snapshot reader to read bad values in optimized builds.
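An added illustration of the failure mode described in this comment; it is not IonMonkey's code, and the header layout, field widths and function names below are assumptions of the example. It shows that an unchecked packer truncates an out-of-range sentinel such as UINT_MAX to the same bits as a real register index, so a reader cannot tell "no register" from register 31, while a bounds-checked packer rejects it the way the debug assertion does.

```c
#include <stdint.h>
#include <limits.h>

/* Hypothetical slot header layout (an assumption of this example, not
 * IonMonkey's real encoding): a 3-bit type tag above a 5-bit register
 * field, so the register field can hold at most MAX_REG_FIELD_VALUE. */
#define TYPE_FIELD_BITS      3u
#define REG_FIELD_BITS       5u
#define MAX_REG_FIELD_VALUE  ((1u << REG_FIELD_BITS) - 1u)  /* 31 */
#define MAX_TYPE_FIELD_VALUE ((1u << TYPE_FIELD_BITS) - 1u) /* 7 */
#define REG_INVALID          UINT_MAX  /* sentinel, like Register::Invalid */

/* Release-style packer: no check, an out-of-range value is truncated. */
static unsigned pack_unchecked(unsigned type, unsigned reg) {
    return ((type & MAX_TYPE_FIELD_VALUE) << REG_FIELD_BITS)
         | (reg & MAX_REG_FIELD_VALUE);
}

/* Checked packer (what the debug assertion enforces): returns -1 instead of
 * emitting a header when any field value exceeds its upper bound. */
static int pack_checked(unsigned type, unsigned reg) {
    if (type > MAX_TYPE_FIELD_VALUE || reg > MAX_REG_FIELD_VALUE)
        return -1;
    return (int)pack_unchecked(type, reg);
}

/* Reader side: recovers the register field from a packed header. */
static unsigned unpack_reg(unsigned header) {
    return header & MAX_REG_FIELD_VALUE;
}

/* Returns 1 when the sentinel packs to exactly the same bits as a real
 * register index, i.e. the reader can no longer distinguish the two. */
static int invalid_aliases_real_register(void) {
    return pack_unchecked(0, REG_INVALID)
        == pack_unchecked(0, MAX_REG_FIELD_VALUE);
}
```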
Comment 2 Nicolas B. Pierron [:nbp] 2012-08-23 12:47:08 PDT
Created attachment 654745 [details] [diff] [review]
Snapshots, use the same upper-bound variables.
Comment 3 Nicolas B. Pierron [:nbp] 2012-08-23 23:16:28 PDT
https://hg.mozilla.org/projects/ionmonkey/rev/85635d695d12
