Closed
Bug 811584
Opened 13 years ago
Closed 13 years ago
Handle lazy functions correctly in all cases in IM and JM
Categories
(Core :: JavaScript Engine, defect)
Core
JavaScript Engine
Tracking
()
RESOLVED
FIXED
People
(Reporter: till, Assigned: till)
References
Details
(Whiteboard: [js:t])
Attachments
(1 file, 1 obsolete file)
|
8.31 KB,
patch
|
luke
:
review+
|
Details | Diff | Splinter Review |
No description provided.
Attachment #681317 -
Flags: review?(luke)
|
||
Comment 1•13 years ago
|
||
Comment on attachment 681317 [details] [diff] [review]
v1
Review of attachment 681317 [details] [diff] [review]:
-----------------------------------------------------------------
Could you also add the test files that exercised the crash in JM/IM. Given the immediate NULL-deref, they aren't security sensitive.
::: js/src/methodjit/Compiler.cpp
@@ +4436,5 @@
>
> /* Test if the function is scripted. */
> stubcc.masm.load16(Address(icCalleeData, offsetof(JSFunction, flags)), tmp);
> + Jump isNative = stubcc.masm.branchTest32(Assembler::NonZero, tmp,
> + Imm32(JSFunction::IS_LAZY));
Won't this (and the IM version) branch to the native path for a non-lazy interpreted function?
To use branchTest32, I think we'd want:
INTERPRETED_WITH_SCRIPT = 0x1
LAZY_INTERPRETED = 0x2
and then define
INTERPRETED_MASK = INTERPRETED_WITH_SCRIPT | LAZY_INTERPRETED
Attachment #681317 -
Flags: review?(luke)
|
Assignee | |
Comment 2•13 years ago
|
||
Ugh, I should have known that I'm too tired to really test the patch, sorry.
This version does something slightly different to what you proposed, but to the same effect. Testing confirms the problem you mentioned and that this version fixes it.
Should I roll the patch into the one from bug 791850, now that that one has been backed out?
Assignee: general → tschneidereit
Attachment #681317 -
Attachment is obsolete: true
Status: NEW → ASSIGNED
Attachment #682070 -
Flags: review?(luke)
|
|
||
Comment 3•13 years ago
|
||
Comment on attachment 682070 [details] [diff] [review]
v2
Review of attachment 682070 [details] [diff] [review]:
-----------------------------------------------------------------
Great! r+, and yes it makes sense to fold this into the other patch.
1. I still don't see the test files attached to the patch.
2. Could you rename branchIfFunctionIsNative to branchIfFunctionDoesNotHaveScript?
::: js/src/jsfun.h
@@ +84,5 @@
>
> /* Possible attributes of an interpreted function: */
> bool isHeavyweight() const { return flags & HEAVYWEIGHT; }
> bool isFunctionPrototype() const { return flags & IS_FUN_PROTO; }
> + bool isLazy() const { return flags & INTERPRETED_LAZY; }
Can this be isInterpretedLazy()?
Attachment #682070 -
Flags: review?(luke) → review+
|
||
Updated•13 years ago
|
Whiteboard: [js:t]
|
|
Assignee | |
Comment 4•13 years ago
|
||
Fix has been merged into attachment 683832 [details] [diff] [review]
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
You need to log in
before you can comment on or make changes to this bug.
Description
•