Closed Bug 811111 Opened 12 years ago Closed 12 years ago

IonMonkey: Bailout and InvalidationBailout shoud use AssertNoGC.

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Version:
19 Branch
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla20

People

(Reporter: nbp, Assigned: nbp)

Details

(Whiteboard: [ion:t][js:t])

Attachments

(1 file)

Ensure that no GC happen during bailouts.
9.51 KB, patch
terrence
: review+
Details | Diff | Splinter Review 
We cannot GC inside a bailout because we have no simple way to mark the bailing frame.  Being able to GC might GC a pointer only accessible in the bailed frames, which would then cause a crash if used by the interpreter after the bailout.

Mark this bug as s-s as it might be a source of crash.  If changes have to be made to the allocation mechanism done in these paths, we should consider back-porting these to fx18 and older.
Currently flagged as sec-critical as it might be a potential source of failure.
Keywords: sec-critical
This bug is investigative. It is not s-s.
Group: core-security
Keywords: sec-critical
Whiteboard: [ion:t] → [ion:t][js:t]
Group: core-security
At first sight it seems that Stack functions that are used by the Bailouts are always asserting that they can GC, but this is not the case when report is set to DONT_REPORT_ERROR.
Assignee: general → nicolas.b.pierron
Status: NEW → ASSIGNED
This patch replace AssertCanGC() by AutoAssertNoGC in bailouts functions and ensure that Stack frame manipulation function are only asserting that a GC can happen if the report flag is not set to DONT_REPORT_ERROR.
Attachment #688988 - Flags: review?(terrence)
Comment on attachment 688988 [details] [diff] [review]
Ensure that no GC happen during bailouts.

Review of attachment 688988 [details] [diff] [review]:
-----------------------------------------------------------------

R+ with the nit addressed in all places.

::: js/src/vm/Stack-inl.h
@@ +386,5 @@
>  {
> +    if (report)
> +        AssertCanGC();
> +    else
> +        AutoAssertNoGC nogc;

These guards are only going to live as long as their scope (the else block), so this won't actually have the intended effect.  As Steve pointed out in IRC, our Maybe<T> class should be able to allow you to rewrite these like so:

Maybe<AutoAssertNoGC> maybeNoGC;
if (report)
    AssertCanGC();
else
    maybeNoGC.construct();
Attachment #688988 - Flags: review?(terrence) → review+
Remove s-s flag as we can safely use AutoAssertNoGC in bailouts.

https://hg.mozilla.org/integration/mozilla-inbound/rev/1f3975a90f40
Group: core-security
https://hg.mozilla.org/mozilla-central/rev/1f3975a90f40
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla20
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: