Closed
Bug 900317
Opened 11 years ago
Closed 11 years ago
ion::IonBuilder::getPropTryConstant masks error in Ion Inline Caches
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla25
People
(Reporter: efaust, Assigned: efaust)
Details
Attachments
(1 file)
|
1.15 KB,
patch
|
bhackett1024
:
review+
|
Details | Diff | Splinter Review |
If you comment out the tryConstant optimization through the TryInlineAccess optimization in jsop_getprop(), you will notice that the jit-test parallel/Array-mapPar-nested.js fails because it gets the wrong value from the IC. Marking security as I don't know the full repercussions.
|
Assignee | |
Comment 1•11 years ago
|
||
The problem actually wasn't in the ICs. When we have a clone at a callsite, and replace the input operand with a constant, we neglect to ensure that the operand that was supposed to be used actually has a use at the callsite, and thus doesn't get removed from the resume point, where it will later be observed on an ill-timed bailout. Though reproducing this bug required commenting out some code (we don't replace constants with undefined in the resume point because it makes little sense), it should still be reproducible with a more complicated testcase. I do not believe that there are security implications of this bug.
Assignee: general → efaustbmo
Status: NEW → ASSIGNED
Attachment #785160 -
Flags: review?(bhackett1024)
|
||
Updated•11 years ago
|
Attachment #785160 -
Flags: review?(bhackett1024) → review+
|
|
||
Updated•11 years ago
|
Group: core-security
|
|
Assignee | |
Comment 2•11 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/25f9ed87069c
|
||
Comment 3•11 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/25f9ed87069c
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla25
You need to log in
before you can comment on or make changes to this bug.
Description
•