Closed Bug 902978 Opened 11 years ago Closed 11 years ago

[Security Review][Fuzzing] Ion-compile try-catch

Categories

(mozilla.org :: Security Assurance: Review Request, task)

Product:
mozilla.org
Component:
Security Assurance: Review Request
Type:
task
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: jandem, Assigned: decoder)

References

Details

(Whiteboard: [Fx]) 

Bug 866888 added Ion-compilation of try-catch. The patch is on inbound now (revision 383ccc9eb488) but it's disabled by default. To enable it, you have to pass 

    --ion-compile-try-catch

to the shell. Can I please get some fuzzing with this shell flag before I turn it on by default?
Flags: needinfo?(gary)
Flags: needinfo?(choller)
How the hell did this even pass our regression tests?

$ debug64/js --ion-compile-try-catch --ion-eager -e 'try {} catch(e) {}'
Assertion failure: script()->analysis()->hasTryFinally(), at js/src/ion/IonBuilder.cpp:3232
Segmentation fault


I got more failures too.
Flags: needinfo?(choller)
(In reply to Christian Holler (:decoder) from comment #1)
>
> I got more failures too.

Cannot process the other failures because they all get reduced to this one (it's too simple).
Flags: needinfo?(jdemooij)
(In reply to Christian Holler (:decoder) from comment #1)
> How the hell did this even pass our regression tests?

I'm really sorry. I made some last-minute changes to address review comments and forgot to run tests with --ion-compile-try-catch.. Pushed a fix for that:

https://hg.mozilla.org/integration/mozilla-inbound/rev/73912c9ba403
Flags: needinfo?(jdemooij)
I also did a Linux Try run with Ion try-catch compilation enabled in the browser and shell, looks green so far:

https://tbpl.mozilla.org/?tree=Try&rev=f23da4d71b30
Fix is on m-c now :)
Flags: needinfo?(choller)
The following tests crashes with --ion-eager --ion-compile-try-catch:

function x() {
  try {
    do {
      var { q , gen } = t;   
    } while(false);
  } catch (e) {}
} x();

====

o = undefined;
for(;;) {
  try {
    throw 1;
  } catch(e){
    break;
  }
}
for (var i in o) {}

====

The following test only crashes an optimized build for me (--disable-debug --enable-optimize):

var o = {
  valueOf: function() {}
};
function test(t) {
    try {
        for (x[t++] in o) {}
    } catch (err) {}
}
test(Infinity);
Flags: needinfo?(choller)
Depends on: 904079
Depends on: 904133
I have a patch that tests this but will wait for decoder's bugs above to be fixed first before adding to the harness.
Flags: needinfo?(gary)
Assignee: nobody → choller
Two more tests:


function Integer(value) {
  try {
    x();
  } catch ( e ) {  }
}
new Integer( NaN );
new Integer( 0 );


====

do {
  try{
    throw "ex1";
  }  catch(i) {
    break;
  }
} while(testProperty<2);
gczeal(6);
do {} while(0);



Could be that these are fixed already, but better test twice than missing a bug :)
Yup, the first one is bug 904133, the second one is the same as the second testcase in comment 6. Both should be fixed in a few days.

(In reply to Christian Holler (:decoder) from comment #8)
> Could be that these are fixed already, but better test twice than missing a
> bug :)

Definitely :)
This configuration/flag is now being tested continuously on fuzzer-linux7.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.