Closed
Bug 836601
Opened 11 years ago
Closed 11 years ago
Crash [@ ScriptedIndirectProxyHandler::get] or [@ js::Proxy::get]
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
mozilla21
Tracking | Status | |
---|---|---|
firefox20 | --- | unaffected |
firefox21 | --- | fixed |
firefox22 | --- | fixed |
People
(Reporter: gkw, Assigned: terrence)
References
Details
(Keywords: crash, regression, testcase, Whiteboard: [fuzzblocker])
Crash Data
Attachments
(3 files)
let k Proxy.createFunction(function() { return { get: Uint32Array } }(), decodeURIComponent) & k crashes js debug and opt shell on m-c changeset 20bbf73921f4 without any CLI arguments at ScriptedIndirectProxyHandler::get with js::Proxy::get on the stack. Does not seem to affect 32-bit Windows js shells, and this seems to be a recursive stack overflow, so likely not s-s.
Reporter | ||
Comment 1•11 years ago
|
||
autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: 119340:9dd844b7152e user: Terrence Cole date: Mon Oct 29 13:36:41 2012 -0700 summary: Bug 803182 - Make the js shell stack limit match the browser's; r=d mandelin I'm not sure if this is entirely correct. Terrence, what do you think?
Blocks: 803182
Flags: needinfo?(terrence)
Updated•11 years ago
|
status-firefox20:
--- → unaffected
status-firefox21:
--- → affected
Assignee | ||
Comment 2•11 years ago
|
||
This doesn't crash for me on linux64 -- the patch in question only changed the js shell in windows, so the browser should be unaffected by this. I don't have a 64bit windows machine to test with.
Flags: needinfo?(terrence)
Reporter | ||
Comment 3•11 years ago
|
||
Putting this on my plate to test when I have time to retest on my Win64 machine.
Flags: needinfo?(gary)
Reporter | ||
Comment 4•11 years ago
|
||
I can still reproduce this. Terrence has taken a look and may have more information to provide.
Flags: needinfo?(gary) → needinfo?(terrence)
Assignee | ||
Comment 5•11 years ago
|
||
Verified on Gary's machine that this is indeed running out of native stack. It appears that the stack depth required to go from Proxy to Proxy in this case is larger than the difference from the artificial to the native stack top and it just happens to line up wrong. The right solution for this is to fix how we allocate stacks and then allocate the same amount of space on all platforms. We should fix this, but given that it is not security sensitive or a fuzz blocker it's not going to be a high priority.
Flags: needinfo?(terrence)
Reporter | ||
Comment 6•11 years ago
|
||
> The right solution for this is to fix how we allocate stacks and then
> allocate the same amount of space on all platforms. We should fix this, but
> given that it is not security sensitive or a fuzz blocker it's not going to
> be a high priority.
Erm, it is, it is a fuzzblocker for Win64. The only workaround is not to fuzz on Win64 as this is somewhat easily triggered.
Flags: needinfo?(terrence)
Whiteboard: [fuzzblocker]
Assignee | ||
Comment 7•11 years ago
|
||
Oh, Dang! Well, I'll whip up something ugly and windows specific that we can use as an interim solution.
Flags: needinfo?(terrence)
Assignee | ||
Comment 8•11 years ago
|
||
Please check if this fix works. Good find, by the way: it appears to be a pre-existing browser bug in the Win64.
Reporter | ||
Comment 9•11 years ago
|
||
Comment on attachment 711389 [details] [diff] [review] v0 Nope, still crashes. I'll post a stack trace.
Attachment #711389 -
Flags: feedback?(gary) → feedback-
Reporter | ||
Comment 10•11 years ago
|
||
Reporter | ||
Comment 11•11 years ago
|
||
autoBisect shows this is probably related to the following changeset: The first good revision is: changeset: 121848:f3cba77064cd parent: 121843:f27d5d9ebef2 user: Makoto Kato date: Thu Feb 14 15:22:00 2013 +0900 summary: Bug 834645 - move -STACK parameter to config.mk. r=ted Assuming FIXED by bug 834645. Terrence, is this likely?
Flags: needinfo?(terrence)
Assignee | ||
Comment 12•11 years ago
|
||
Yes, that is exactly the right fix: much better than what's attached on this bug.
Flags: needinfo?(terrence)
Reporter | ||
Updated•11 years ago
|
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Reporter | ||
Comment 13•11 years ago
|
||
Testcase landed via bug 845569.
Status: RESOLVED → VERIFIED
Flags: in-testsuite+
Reporter | ||
Updated•11 years ago
|
status-firefox22:
--- → fixed
Reporter | ||
Updated•6 years ago
|
Flags: needinfo?(terrence.d.cole)
You need to log in
before you can comment on or make changes to this bug.
Description
•