Bug 753283 - Poison VM stack to help fuzzers (r=bhackett)
This commit is contained in:
parent
3d9a22b19f
commit
5c37cfaae2
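--- /dev/null
+++ b/js/src/jit-test/tests/basic/bug753283.js
@@ -0,0 +1,26 @@
+var summary = '';
+function printStatus (msg) {
+var lines = msg.split ("\n");
+}
+evaluate("\
+function f() {\
+var ss = [\
+new f(Int8Array, propertyIsEnumerable, '[let (x = 3, y = 4) x].map(0)')\
+];\
+}\
+try {\
+f();\
+} catch (e) {}\
+gczeal(4);\
+printStatus (summary);\
+");
+evaluate("\
+function g(n, h) {\
+var a = f;\
+if (n <= 0) \
+return f; \
+var t = g(n - 1, h);\
+var r = function(x) { };\
+}\
+g(80, f);\
+");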
@ -672,6 +672,14 @@ ObjectValue(JSObject &obj)
|
||||
return v;
|
||||
}
|
||||
|
||||
static JS_ALWAYS_INLINE Value
|
||||
ObjectValueCrashOnTouch()
|
||||
{
|
||||
Value v;
|
||||
v.setObject(*reinterpret_cast<JSObject *>(0x42));
|
||||
return v;
|
||||
}
|
||||
|
||||
static JS_ALWAYS_INLINE Value
|
||||
MagicValue(JSWhyMagic why)
|
||||
{
|
||||
|
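Review bot: `ObjectValueCrashOnTouch()` carries no comment saying what it is for, and a reader meeting `0x42` in a header cannot tell whether the constant is load-bearing; I would add above the function `/* Debug poison: a Value wrapping a bogus JSObject pointer. Code that dereferences a slot holding it faults at the point of misuse instead of silently reading a dead stack value. */`. `*reinterpret_cast<JSObject *>(0x42)` forms a reference through an invalid pointer, which is undefined behaviour even though no load happens here; it works on current compilers, but if a setter taking the raw pointer exists it would express the same intent without relying on that. The "crash" also depends on the first page being unmapped on every supported target, which the code cannot check, so the comment should state that assumption. The definition is unconditional while every caller visible in this commit sits under `#ifdef DEBUG`; if it is not meant for release builds, guarding the definition the same way would make that explicit.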
@ -1059,11 +1059,11 @@ js::Interpret(JSContext *cx, StackFrame *entryFrame, InterpMode interpMode)
|
||||
|
||||
# define DO_OP() JS_BEGIN_MACRO \
|
||||
CHECK_PCCOUNT_INTERRUPTS(); \
|
||||
js::gc::MaybeVerifyBarriers(cx); \
|
||||
JS_EXTENSION_(goto *jumpTable[op]); \
|
||||
JS_END_MACRO
|
||||
# define DO_NEXT_OP(n) JS_BEGIN_MACRO \
|
||||
TypeCheckNextBytecode(cx, script, n, regs); \
|
||||
js::gc::MaybeVerifyBarriers(cx); \
|
||||
op = (JSOp) *(regs.pc += (n)); \
|
||||
DO_OP(); \
|
||||
JS_END_MACRO
|
||||
|
@ -1210,6 +1210,10 @@ mjit::Compiler::markUndefinedLocal(uint32_t offset, uint32_t i)
|
||||
Lifetime *lifetime = analysis->liveness(slot).live(offset);
|
||||
if (lifetime)
|
||||
masm.storeValue(UndefinedValue(), local);
|
||||
#ifdef DEBUG
|
||||
else
|
||||
masm.storeValue(ObjectValueCrashOnTouch(), local);
|
||||
#endif
|
||||
}
|
||||
}
|
||||
|
||||
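Review bot: The `#ifdef DEBUG` / `else` / `#endif` sequence after `if (lifetime)` splices a preprocessor block into the middle of an if/else, so the statement's shape depends on the build flag and a later edit that braces the first branch would silently break the non-DEBUG build. Wrapping both branches in braces and moving the `#ifdef` inside the `else` body keeps a single conditional for both configurations. `markUndefinedLocal`'s body begins outside the hunk.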
@ -1222,6 +1226,14 @@ mjit::Compiler::markUndefinedLocals()
|
||||
*/
|
||||
for (uint32_t i = 0; i < script->nfixed; i++)
|
||||
markUndefinedLocal(0, i);
|
||||
|
||||
#ifdef DEBUG
|
||||
uint32_t depth = ssa.getFrame(a->inlineIndex).depth;
|
||||
for (uint32_t i = script->nfixed; i < script->nslots; i++) {
|
||||
Address local(JSFrameReg, sizeof(StackFrame) + (depth + i) * sizeof(Value));
|
||||
masm.storeValue(ObjectValueCrashOnTouch(), local);
|
||||
}
|
||||
#endif
|
||||
}
|
||||
|
||||
CompileStatus
|
||||
|
@ -513,6 +513,7 @@ StackSpace::init()
|
||||
conservativeEnd_ = commitEnd_ = base_ + COMMIT_VALS;
|
||||
trustedEnd_ = base_ + CAPACITY_VALS;
|
||||
defaultEnd_ = trustedEnd_ - BUFFER_VALS;
|
||||
Debug_SetValueRangeToCrashOnTouch(base_, commitEnd_);
|
||||
#elif defined(XP_OS2)
|
||||
if (DosAllocMem(&p, CAPACITY_BYTES, PAG_COMMIT | PAG_READ | PAG_WRITE | OBJ_ANY) &&
|
||||
DosAllocMem(&p, CAPACITY_BYTES, PAG_COMMIT | PAG_READ | PAG_WRITE))
|
||||
@ -520,6 +521,7 @@ StackSpace::init()
|
||||
base_ = reinterpret_cast<Value *>(p);
|
||||
trustedEnd_ = base_ + CAPACITY_VALS;
|
||||
conservativeEnd_ = defaultEnd_ = trustedEnd_ - BUFFER_VALS;
|
||||
Debug_SetValueRangeToCrashOnTouch(base_, trustedEnd_);
|
||||
#else
|
||||
JS_ASSERT(CAPACITY_BYTES % getpagesize() == 0);
|
||||
p = mmap(NULL, CAPACITY_BYTES, PROT_READ | PROT_WRITE, MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
|
||||
@ -528,6 +530,7 @@ StackSpace::init()
|
||||
base_ = reinterpret_cast<Value *>(p);
|
||||
trustedEnd_ = base_ + CAPACITY_VALS;
|
||||
conservativeEnd_ = defaultEnd_ = trustedEnd_ - BUFFER_VALS;
|
||||
Debug_SetValueRangeToCrashOnTouch(base_, trustedEnd_);
|
||||
#endif
|
||||
assertInvariants();
|
||||
return true;
|
||||
@ -708,6 +711,8 @@ StackSpace::ensureSpaceSlow(JSContext *cx, MaybeReportError report, Value *from,
|
||||
return false;
|
||||
}
|
||||
|
||||
Debug_SetValueRangeToCrashOnTouch(commitEnd_, newCommit);
|
||||
|
||||
commitEnd_ = newCommit;
|
||||
conservativeEnd_ = Min(commitEnd_, defaultEnd_);
|
||||
assertInvariants();
|
||||
@ -886,9 +891,13 @@ ContextStack::popInvokeArgs(const InvokeArgsGuard &iag)
|
||||
JS_ASSERT(onTop());
|
||||
JS_ASSERT(space().firstUnused() == seg_->calls().end());
|
||||
|
||||
Value *oldend = seg_->end();
|
||||
|
||||
seg_->popCall();
|
||||
if (iag.pushedSeg_)
|
||||
popSegment();
|
||||
|
||||
Debug_SetValueRangeToCrashOnTouch(space().firstUnused(), oldend);
|
||||
}
|
||||
|
||||
bool
|
||||
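Review bot: `Debug_SetValueRangeToCrashOnTouch(space().firstUnused(), oldend)` takes a lower bound computed after `popSegment()` may have moved `seg_` to the previous segment, while `oldend` was read from the segment that was popped; the call presumably relies on segments being stacked so that `firstUnused() <= oldend`, but nothing in the hunk pins that. A `JS_ASSERT(space().firstUnused() <= oldend);` immediately before the poisoning call would catch an inverted range before it is handed to a fill routine. The same applies to the identical sequence in `ContextStack::popFrame` in the next hunk. `popInvokeArgs` starts outside the hunk.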
@ -997,10 +1006,14 @@ ContextStack::popFrame(const FrameGuard &fg)
|
||||
JS_ASSERT(space().firstUnused() == fg.regs_.sp);
|
||||
JS_ASSERT(&fg.regs_ == &seg_->regs());
|
||||
|
||||
Value *oldend = seg_->end();
|
||||
|
||||
seg_->popRegs(fg.prevRegs_);
|
||||
if (fg.pushedSeg_)
|
||||
popSegment();
|
||||
|
||||
Debug_SetValueRangeToCrashOnTouch(space().firstUnused(), oldend);
|
||||
|
||||
/*
|
||||
* NB: this code can call out and observe the stack (e.g., through GC), so
|
||||
* it should only be called from a consistent stack state.
|
||||
|