Closed
Bug 789647
Opened 12 years ago
Closed 12 years ago
Getting different output depending on in newGlobal("same-compartment") vs newGlobal("new-compartment")
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
INVALID
| Tracking | Status | |
|---|---|---|
| firefox15 | --- | unaffected |
| firefox16 | --- | affected |
| firefox17 | - | affected |
| firefox18 | - | affected |
| firefox-esr10 | --- | unaffected |
People
(Reporter: gkw, Unassigned)
References
Details
(Keywords: regression, testcase)
function sandboxResult(code, globalType)
{
var result;
var resultStr = "";
try {
result = evalcx(code, newGlobal(globalType));
if (typeof result != "object") {
resultStr = "" + result;
}
} catch(e) {
}
return resultStr;
}
print(sandboxResult("let(b=mjitChunkLimit(0))gcPreserveCode()"), "same-compartment")
print(sandboxResult("let(b=mjitChunkLimit(0))gcPreserveCode()"), "new-compartment")
shows the following output on js opt shell on m-c changeset 36427d4b2cf6 without any CLI arguments:
undefined same-compartment
new-compartment
Prior to regressing changeset, "undefined" was not output.
Locking s-s because this involves compartments, mjitChunkLimit and gcPreserveCode.
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: 97470:68c396f305f4
user: Luke Wagner
date: Wed Jun 20 08:57:29 2012 -0700
summary: Bug 755186 - rm JS_NewGlobalObject (r=jorendorff)
|
Reporter | |
Updated•12 years ago
|
Summary: Getting different output depending on compartment → Getting different output depending on in newGlobal("same-compartment") vs newGlobal("new-compartment")
|
||
Comment 1•12 years ago
|
||
Gary, setting aside this bug for the moment, you should know that newGlobal no longer takes an argument any more -- every new global uses a new compartment, and the string argument's ignored. Fuzzers should probably be updated to not supply an argument any more: the implementation of newGlobal doesn't even look at argument count any more. (We should probably do a global search-and-replace to remove all the same/new compartment specifiers, too.)
|
|
Reporter | |
Comment 2•12 years ago
|
||
To remove newGlobal's arguments from the Jesse has that on his to-do.
That said, Jesse's suggestion that the parameters of newGlobal are not needed, is indeed correct. The testcase is now:
function sandboxResult(code, globalType)
{
var result;
var resultStr = "";
try {
result = evalcx(code, newGlobal(globalType));
if (typeof result != "object") {
resultStr = "" + result;
}
} catch(e) {
print(e);
}
return resultStr;
}
print(sandboxResult("mjitChunkLimit(0);gcPreserveCode();"), "")
print(sandboxResult("mjitChunkLimit(0);gcPreserveCode();"), "")
and this produces:
undefined
Error: Can't change chunk limit after gcPreserveCode()
which means this is a bug in jsfunfuzz.
We've added gcPreserveCode into the list of functions to ignore expecting consistent output across iterations.
Opening up.
Group: core-security
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → INVALID
|
||
Updated•12 years ago
|
You need to log in
before you can comment on or make changes to this bug.
Description
•