Closed
Bug 811111
Opened 12 years ago
Closed 12 years ago
IonMonkey: Bailout and InvalidationBailout shoud use AssertNoGC.
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla20
People
(Reporter: nbp, Assigned: nbp)
Details
(Whiteboard: [ion:t][js:t])
Attachments
(1 file)
9.51 KB,
patch
|
terrence
:
review+
|
Details | Diff | Splinter Review |
We cannot GC inside a bailout because we have no simple way to mark the bailing frame. Being able to GC might GC a pointer only accessible in the bailed frames, which would then cause a crash if used by the interpreter after the bailout. Mark this bug as s-s as it might be a source of crash. If changes have to be made to the allocation mechanism done in these paths, we should consider back-porting these to fx18 and older.
Assignee | ||
Comment 1•12 years ago
|
||
Currently flagged as sec-critical as it might be a potential source of failure.
Keywords: sec-critical
Comment 2•12 years ago
|
||
This bug is investigative. It is not s-s.
Updated•12 years ago
|
Group: core-security
Assignee | ||
Comment 3•12 years ago
|
||
At first sight it seems that Stack functions that are used by the Bailouts are always asserting that they can GC, but this is not the case when report is set to DONT_REPORT_ERROR.
Assignee: general → nicolas.b.pierron
Status: NEW → ASSIGNED
Assignee | ||
Comment 4•12 years ago
|
||
This patch replace AssertCanGC() by AutoAssertNoGC in bailouts functions and ensure that Stack frame manipulation function are only asserting that a GC can happen if the report flag is not set to DONT_REPORT_ERROR.
Attachment #688988 -
Flags: review?(terrence)
Comment 5•12 years ago
|
||
Comment on attachment 688988 [details] [diff] [review] Ensure that no GC happen during bailouts. Review of attachment 688988 [details] [diff] [review]: ----------------------------------------------------------------- R+ with the nit addressed in all places. ::: js/src/vm/Stack-inl.h @@ +386,5 @@ > { > + if (report) > + AssertCanGC(); > + else > + AutoAssertNoGC nogc; These guards are only going to live as long as their scope (the else block), so this won't actually have the intended effect. As Steve pointed out in IRC, our Maybe<T> class should be able to allow you to rewrite these like so: Maybe<AutoAssertNoGC> maybeNoGC; if (report) AssertCanGC(); else maybeNoGC.construct();
Attachment #688988 -
Flags: review?(terrence) → review+
Assignee | ||
Comment 6•12 years ago
|
||
Remove s-s flag as we can safely use AutoAssertNoGC in bailouts. https://hg.mozilla.org/integration/mozilla-inbound/rev/1f3975a90f40
Group: core-security
Comment 7•12 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/1f3975a90f40
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla20
You need to log in
before you can comment on or make changes to this bug.
Description
•