Bug 798823 (Closed)
Opened 13 years ago, closed 13 years ago
Crash [@ js::ion::IonJSFrameLayout::calleeToken] or [@ js::ion::SnapshotIterator::SnapshotIterator]
Categories: Core :: JavaScript Engine, defect
Status: VERIFIED FIXED, target milestone mozilla18
Release | Tracking | Status
---|---|---
firefox15 | --- | unaffected
firefox16 | --- | unaffected
firefox17 | --- | unaffected
firefox18 | + | fixed
firefox-esr10 | --- | unaffected
firefox-esr17 | --- | unaffected
People: Reporter gkw, Assigned jandem
Details: 4 keywords, Whiteboard: [adv-main18-]
Attachments: 2 files
Description

// Fuzz-generated testcase for the js shell (newGlobal and evalcx are shell built-ins).
// g() creates a fresh global w and returns a helper that evaluates source text in
// that global and discards any exception it throws.
function g() {
  switch (0) {
    default:
      w = newGlobal('');
  }
  return function(f, code) {
    try {
      evalcx(code, w)
    } catch (e) {}
  }
}
// f() compiles the source with Function() and passes both the compiled function
// and the source text to the helper h; h only uses the source text.
function f(code) {
  h(Function(code), code);
}
h = g()
// First evaluation: set up arrays with holes and an accessor element, then shift x.
f("\
  x = [];\
  y = new Set;\
  z = [];\
  Object.defineProperty(x, 5, {\
    get: (function(j) {}),\
  });\
  Object.defineProperty(z, 3, {});\
  z[9] = 1;\
  x.shift();\
");
// Second evaluation: the nested z.every -> x.filter -> callback chain that crashes.
f("\
  z.every(function() {\
    x.filter(function(j) {\
      if (j) {} else {\
        y.add()\
      }\
    });\
    return 2\
  })\
");
This crashes the js debug and opt shell on IonMonkey changeset 9f677c2bb33d with --ion-eager at js::ion::IonJSFrameLayout::calleeToken, with js::ion::SnapshotIterator::SnapshotIterator on the stack.
s-s and assuming sec-critical because memory address 0x8fff4bb7db28 is being accessed.
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: 109524:20fe6e539f7f
user: Jan de Mooij
date: Sat Oct 06 11:38:18 2012 +0200
summary: Bug 797131 part 3 - Add fast path for calling into Ion. r=dvander
Comment 1 • 13 years ago (Reporter)
I verify that this is not fixed by the patch in bug 798819.
Comment 2 • 13 years ago (Assignee)
Storing the IonActivation in FastInvokeGuard is dangerous because it may leave rt->ionTop in an invalid state. Since it doesn't actually help performance, this patch just moves the IonActivation to FastInvoke, much nicer and safer and what I should have done in the first place.
This patch also enables bug 797131 part 3 again.
gkw or decoder, could one of you apply this patch to m-c/m-i tip and see if new crashes/asserts come up? We'd like to enable it before the merge tomorrow, but only if it's stable. Thanks!
Assignee: general → jdemooij
Status: NEW → ASSIGNED
Attachment #668893 - Flags: review?(dvander)
Attachment #668893 - Flags: feedback?(gary)
Attachment #668893 - Flags: feedback?(choller)
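A simplified model, added here as an example and not SpiderMonkey's code, of the failure mode comment 2 describes: an activation owned by a guard that outlives the individual calls leaves the runtime's top-of-activation pointer pointing at an activation whose frame has already returned, while an activation scoped to the call itself is popped before any other code can run. `Runtime`, `Activation`, `GuardOwnedActivation`, `fastInvoke` and `walkerSeesConsistentState` are constructed stand-ins for the rt->ionTop / IonActivation / FastInvokeGuard / FastInvoke relationship named in the comment; nothing here reproduces the engine's real data structures.

```cpp
#include <cstdio>

// Constructed model (not SpiderMonkey's code): a runtime tracks its innermost
// JIT activation through one pointer, the role rt->ionTop plays in the comment.
struct Runtime;

struct Activation {
    Runtime* rt;
    Activation* prev;        // activation that was on top when this one was pushed
    bool frameLive = false;  // true only while the JIT frame it describes is on the stack
    explicit Activation(Runtime* r);
    ~Activation();
    Activation(const Activation&) = delete;
    Activation& operator=(const Activation&) = delete;
};

struct Runtime {
    Activation* ionTop = nullptr;  // innermost activation, nullptr when no JIT code is running
};

Activation::Activation(Runtime* r) : rt(r), prev(r->ionTop) { rt->ionTop = this; }
Activation::~Activation() { rt->ionTop = prev; }  // LIFO restore on pop

// A stack walker in the spirit of the SnapshotIterator in the crash signature:
// it trusts rt->ionTop and reads the frame it points at. Returns false when
// that frame has already returned, i.e. the pointer is stale.
bool walkerSeesConsistentState(const Runtime* rt) {
    return rt->ionTop == nullptr || rt->ionTop->frameLive;
}

struct StaleWalks {
    int duringCall = 0;    // walks that saw a stale pointer while a JIT frame was live
    int betweenCalls = 0;  // walks that saw a stale pointer after the frame returned
};

// Body of a JIT frame: it runs a walk itself while the frame is live, then returns.
static void jitFrameBody(Runtime* rt, Activation& act, StaleWalks& s) {
    act.frameLive = true;
    if (!walkerSeesConsistentState(rt)) s.duringCall++;
    act.frameLive = false;  // the frame has returned
}

// Dangerous shape: the activation is owned by a guard that spans many calls,
// so rt->ionTop still points at it after each frame has returned.
struct GuardOwnedActivation {
    Runtime* rt;
    Activation* act = nullptr;
    explicit GuardOwnedActivation(Runtime* r) : rt(r) {}
    ~GuardOwnedActivation() { delete act; }  // popped only when the guard itself dies
    GuardOwnedActivation(const GuardOwnedActivation&) = delete;
    GuardOwnedActivation& operator=(const GuardOwnedActivation&) = delete;
    void invoke(StaleWalks& s) {
        if (!act) act = new Activation(rt);  // pushed lazily on the first call
        jitFrameBody(rt, *act, s);
    }
};

// Safe shape: the activation lives exactly as long as the call it describes,
// which is the fix comment 2 describes (activation moved into the invoke itself).
void fastInvoke(Runtime* rt, StaleWalks& s) {
    Activation act(rt);  // push
    jitFrameBody(rt, act, s);
}                        // act is popped here, before the caller runs anything else

// Run `iterations` calls with ordinary (non-JIT) code doing a stack walk between
// them, the way the testcase's callbacks and catch blocks run between JIT calls.
StaleWalks staleWalksWithGuard(int iterations) {
    Runtime rt;
    StaleWalks s;
    {
        GuardOwnedActivation guard(&rt);
        for (int i = 0; i < iterations; i++) {
            guard.invoke(s);
            if (!walkerSeesConsistentState(&rt)) s.betweenCalls++;
        }
    }
    return s;
}

StaleWalks staleWalksWithScopedActivation(int iterations) {
    Runtime rt;
    StaleWalks s;
    for (int i = 0; i < iterations; i++) {
        fastInvoke(&rt, s);
        if (!walkerSeesConsistentState(&rt)) s.betweenCalls++;
    }
    return s;
}

int main() {
    StaleWalks g = staleWalksWithGuard(3);
    StaleWalks c = staleWalksWithScopedActivation(3);
    std::printf("guard-owned activation: %d stale walks during calls, %d between calls\n",
                g.duringCall, g.betweenCalls);
    std::printf("call-scoped activation: %d stale walks during calls, %d between calls\n",
                c.duringCall, c.betweenCalls);
    return 0;
}
```

Both shapes look identical from inside the JIT frame; the difference only shows up to code that runs between calls and trusts the top pointer, which is exactly where a stack walker would read a frame that no longer exists.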
Updated • 13 years ago
Attachment #668893 - Flags: review?(dvander) → review+
Comment 3 • 13 years ago (Reporter)
Comment on attachment 668893 [details] [diff] [review]
Patch
Approving based on nothing showing up after 10 minutes of fuzzing, will help to land this on mozilla-inbound.
Attachment #668893 - Flags: feedback?(gary) → feedback+
Comment 4 • 13 years ago (Reporter)

Comment 5 • 13 years ago (Assignee)
Comment on attachment 668893 [details] [diff] [review]
Patch
Thanks a lot Gary!
Attachment #668893 - Flags: feedback?(choller)
Comment 6 • 13 years ago
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla18
Updated • 13 years ago
Status: RESOLVED → VERIFIED
Crash Signature: [@ js::ion::IonJSFrameLayout::calleeToken] [@ js::ion::SnapshotIterator::SnapshotIterator] → [@ js::ion::IonJSFrameLayout::calleeToken] [@ js::ion::SnapshotIterator::SnapshotIterator]
Comment 7 • 13 years ago
JSBugMon: This bug has been automatically verified fixed.
Updated • 13 years ago
status-firefox-esr17: --- → unaffected
Whiteboard: [adv-main18-]
Updated • 12 years ago
Group: core-security