Bug 817714 (Closed)
Opened 13 years ago
Closed 13 years ago
IonMonkey: LookupSwitch does not check the result of the allocation of bodies (the FixedList)
Categories: Core :: JavaScript Engine, defect
Status: RESOLVED FIXED
Tracking: mozilla20
People: Reporter: nbp, Assigned: nbp
Keywords: crash, csectype-dos
Attachments (1 file)
1.26 KB, patch | djvj: review+ | lsblakk: approval-mozilla-aurora- | lsblakk: approval-mozilla-beta-
This bug might cause a crash in case of OOM of temp objects during the processing of the lookup switch (which is more frequent than OOMs).
Updated (Assignee) • 13 years ago
Group: core-security
Comment 1 • 13 years ago
Nicolas - can you give a bit more information about this bug and anticipated user impact? How wide of an issue is this?
Comment 2 (Assignee) • 13 years ago
This is an OOM on temp objects. I never heard anything related to doing OOM there until yesterday, so I guess this won't be a noticeable user impact, but at the same time this is a one-line patch with no implication.
Comment 3 (Assignee) • 13 years ago
Attachment #688039 - Flags: review?(kvijayan)
Updated • 13 years ago
Attachment #688039 - Flags: review?(kvijayan) → review+
Comment 4 (Assignee) • 13 years ago
Comment 5 • 13 years ago
(In reply to Nicolas B. Pierron [:pierron] [:nbp] from comment #2)
> This is an OOM on temp objects. I never heard anything related to doing OOM
> there until yesterday, so I guess this won't be a noticeable user impact,
> but at the same time this is a one-line patch with no implication.
Given the lack of known user impact, no need to track. We'd consider an uplift, however.
Comment 6 • 13 years ago
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla20
Updated • 13 years ago
status-firefox20: affected → ---
Comment 7 (Assignee) • 13 years ago
Comment on attachment 688039 [details] [diff] [review]
Check allocation result in LookupSwitch.
[Approval Request Comment]
Bug caused by (feature/regressing bug #): Bug 701963
User impact if declined: Unlikely crashes.
Testing completed (on m-c, etc.): on m-c since 2012-12-04 19:04:10 PST
Risk to taking this patch (and alternatives if risky): Might increase the binary size by 4 / 5 / 8 bytes on x86 / x64 / ARM, respectively. Hopefully IonMonkey can still be disabled for B2G builds :)
String or UUID changes made by this patch: N/A
Attachment #688039 - Flags: approval-mozilla-beta?
Attachment #688039 - Flags: approval-mozilla-aurora?
Comment 8 • 13 years ago
Comment on attachment 688039 [details] [diff] [review]
Check allocation result in LookupSwitch.
This sounds too risky for branches, let's ride the trains instead.
Attachment #688039 - Flags: approval-mozilla-beta?
Attachment #688039 - Flags: approval-mozilla-beta-
Attachment #688039 - Flags: approval-mozilla-aurora?
Attachment #688039 - Flags: approval-mozilla-aurora-