Closed
Bug 826435
Opened 12 years ago
Closed 12 years ago
GC: Don't let poisoned pointers flow through HashTable
Categories
(Core :: JavaScript Engine, defect)
Core
JavaScript Engine
Tracking
()
RESOLVED
FIXED
mozilla20
People
(Reporter: terrence, Assigned: terrence)
References
Details
Attachments
(1 file)
|
(deleted),
patch
|
sfink
:
review+
|
Details | Diff | Splinter Review |
The basic assumption of poisoning is that any future use of the poisoned value will lead to an immediate crash when we dereference an invalid pointer. Unfortunately, insertion or removal of a pointer into a HashTable is one place where that is not true. Thankfully, PointerHasher gives us a location that we can intercept.
|
Assignee | |
Comment 1•12 years ago
|
||
We still hit an error in testObjectEmulatingUndefined_equal with this, but it fails with a non-NULL assertion instead of total insanity. This may also introduce some new jit-test failures: the first one I checked was not from this so I thought I would work through those separately.
Attachment #697643 -
Flags: review?(sphink)
|
||
Updated•12 years ago
|
Attachment #697643 -
Flags: review?(sphink) → review+
|
|
Assignee | |
Comment 2•12 years ago
|
||
Green try run at:
https://tbpl.mozilla.org/?tree=Try&rev=10884c1544c4
Pushed at:
https://hg.mozilla.org/integration/mozilla-inbound/rev/aad582ab4aee
|
||
Comment 3•12 years ago
|
||
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla20
You need to log in
before you can comment on or make changes to this bug.
Description
•