IonMonkey: Differential Testing: Getting different output w/without --ion-eager with byteOffset

VERIFIED FIXED in mozilla21

Status: VERIFIED FIXED
Product: Core
Component: JavaScript Engine
Priority: --
Severity: critical
Reported: 5 years ago
Last modified: 5 years ago

People

(Reporter: gkw, Assigned: jandem)

Tracking

(Blocks: 2 bugs, {regression, testcase})
Version: Trunk
Target Milestone: mozilla21
Hardware: x86_64
OS: Mac OS X
Keywords: regression, testcase
Bug Flags: in-testsuite +

Firefox Tracking Flags

(firefox18 affected, firefox19- affected, firefox20- affected, firefox-esr10 unaffected, firefox-esr17 unaffected, b2g18- affected, b2g18-v1.0.1 affected)

Attachments

(1 attachment, 1 obsolete attachment)

(Reporter)

Description

5 years ago
var y;
function f() {
    y.byteOffset;            // getter access that Ion tries to optimize
}
for (let j = 0; j < 1; ++j) {
    y = new Float32Array();  // type inference has only seen y as a Float32Array here
}
try {
    f();
    y = 0;                   // y is now a primitive number, not an object
    f();
    f();
} catch (e) {
    print(e);                // SpiderMonkey shell print
}

shows no output on js opt shell on m-c changeset 795632f0e4fe without any CLI arguments but shows the following output with --ion-eager:

TypeError: anonymous method called on incompatible number
(Reporter)

Comment 1

5 years ago
Nicolas says in-person that this is likely a security-sensitive bug because it is a type inference issue, assuming sec-critical worst-case first.
Group: core-security
Keywords: sec-critical
(Reporter)

Comment 2

5 years ago
Due to skipped revisions, the first bad revision could be any of:
changeset:   106484:0a0ecbc48d9a
parent:      106483:aa575ceb5fee
parent:      97848:1a5d6b1adf31
user:        David Anderson
date:        Thu Jun 28 15:17:18 2012 -0700
summary:     Merge from mozilla-central.

changeset:   106485:0cb6898fc026
user:        David Anderson
date:        Thu Jun 28 15:19:36 2012 -0700
summary:     Fix build.
status-b2g18: --- → affected
status-firefox-esr10: --- → unaffected
status-firefox18: --- → affected
status-firefox19: --- → affected
status-firefox20: --- → affected
status-firefox-esr17: --- → unaffected
tracking-b2g18: --- → ?
tracking-firefox19: --- → ?
tracking-firefox20: --- → ?
(Assignee)

Comment 3

5 years ago
This is bug 798670 again. I don't think it's sec-critical as long as the getters/setters handle this correctly.
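The two code paths the description and comment 3 contrast can be reproduced in plain JavaScript, outside any JIT. The following is an added illustration, not code from the bug report or from SpiderMonkey: it evaluates `v.byteOffset` as an ordinary property access (a primitive number is boxed to a Number, which has no `byteOffset`, so the result is undefined and nothing is printed), and separately invokes the native `%TypedArray%.prototype.byteOffset` getter directly with the same value as `this`, which is what an optimized getter call amounts to once the JIT has assumed the receiver is a typed array. The getter validates its receiver and throws a TypeError on a number, which is the "handle this correctly" behaviour comment 3 relies on. The helper names (`viaPropertyAccess`, `viaDirectGetter`, `pathsAgree`) and the receiver list are constructed for this example; `null` is included because comment 5 notes that typesets in DOM loops often contain null/undefined.

```javascript
'use strict';

// Added example: the accessor lives on %TypedArray%.prototype, the shared
// prototype of every typed-array constructor (assumption: a spec-conformant engine).
const TypedArrayProto = Object.getPrototypeOf(Float32Array.prototype);
const byteOffsetGetter =
  Object.getOwnPropertyDescriptor(TypedArrayProto, 'byteOffset').get;

// Evaluate `v.byteOffset` the way the interpreter does: a normal property lookup.
// A primitive number boxes to a Number and simply has no such property.
function viaPropertyAccess(v) {
  try {
    return { ok: true, value: v.byteOffset };
  } catch (e) {
    return { ok: false, error: e.constructor.name };
  }
}

// Evaluate it the way an optimized getter call does once the receiver has been
// assumed to be a typed array: call the native getter with `v` as `this`.
// The getter checks its receiver itself and throws on anything else.
function viaDirectGetter(v) {
  try {
    return { ok: true, value: byteOffsetGetter.call(v) };
  } catch (e) {
    return { ok: false, error: e.constructor.name };
  }
}

// Differential check: both paths must agree for a given receiver. After the fix
// (guard that `this` is an object before taking the optimized path) they do.
function pathsAgree(v) {
  const a = viaPropertyAccess(v);
  const b = viaDirectGetter(v);
  return a.ok === b.ok && a.value === b.value && a.error === b.error;
}

// Constructed receivers mirroring the testcase: a typed array, then the number 0,
// plus null as the null/undefined case from comment 5.
const receivers = [new Float32Array(4), 0, null];
for (const r of receivers) {
  console.log(String(r), viaPropertyAccess(r), viaDirectGetter(r), pathsAgree(r));
}
```

Run with `node`. The typed array agrees on both paths (byteOffset 0), `null` agrees because both paths throw a TypeError, and `0` is the divergence the reporter observed: silent undefined through property access versus a TypeError from the getter's own receiver check. That the getter throws rather than touching a bogus object is exactly why comment 3 argues the issue is not sec-critical.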
(Assignee)

Comment 4

5 years ago
Created attachment 699056 [details] [diff] [review]
Patch

Don't optimize getter/setter calls if |this| is not definitely an object. The alternative is to add an MGuardObject, but this is simpler and should be fine, I think.
Assignee: general → jdemooij
Status: NEW → ASSIGNED
Attachment #699056 - Flags: review?(bhackett1024)
(Assignee)

Comment 5

5 years ago
Created attachment 699070 [details] [diff] [review]
Patch

Thinking about this more, guarding is probably better. Typesets in typical DOM loops often include null/undefined.
Attachment #699056 - Attachment is obsolete: true
Attachment #699056 - Flags: review?(bhackett1024)
Attachment #699070 - Flags: review?(bhackett1024)
Not s-s, see comment 3 and bug 819610.
Group: core-security
Attachment #699070 - Flags: review?(bhackett1024) → review+
(Assignee)

Updated

5 years ago
Duplicate of this bug: 798670
(Assignee)

Comment 8

5 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/86e85b93cad1
(Assignee)

Updated

5 years ago
Keywords: sec-critical
https://hg.mozilla.org/mozilla-central/rev/86e85b93cad1
Status: ASSIGNED → RESOLVED
Last Resolved: 5 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla21
(Reporter)

Comment 10

5 years ago
Testcases have been landed by virtue of being marked in-testsuite+ -> VERIFIED as well.
Status: RESOLVED → VERIFIED
Not s-s, so it's not clear what the user impact is. Please re-nominate if there is significant user impact.
tracking-b2g18: ? → -
tracking-firefox19: ? → -
tracking-firefox20: ? → -
(Assignee)

Updated

5 years ago
Duplicate of this bug: 798668
(Assignee)

Updated

5 years ago
Duplicate of this bug: 825382
Batch edit: Bugs marked status-b2g18: affected after 2/13 branching of v1.0.1 are now also status-b2g18-v1.0.1: affected
status-b2g18-v1.0.1: --- → affected
Blocks: 861947