Closed Bug 1080262 Opened 6 years ago Closed 6 years ago
Disallow ctypes from converting ArrayBuffer pointers to C pointers
Except for arguments, which are probably ok. Or rather, no worse than other things that retrieve unstable C pointers. Arguments are needed for IO.File to read/write array buffers and typed arrays. Split off from bug 1061288, which isn't really done until this is fixed.
So I've come to this bug after seeing crashes with compacting GC where ctypes::ConvertToJS() accesses a CData pointer that points to relocated memory. After doing some digging it seems that OS.File.write|writeAtomic and AbstractFile.readTo|write convert typed arrays to C pointers, in the first case passing the pointer to a worker thread. I think I need to talk to you about how to address this.
Yes, I know how to get rid of this, but the first step kills AdBlock Plus, so we need to wait until the next release of ABP (November 11th) before landing it.
Assignee: nobody → sphink
Status: NEW → ASSIGNED
Attachment #8516171 - Attachment description: Avoid converting array buffers to pointers in IO.File → Avoid converting array buffers to pointers in OS.File
Disallow ctypes from converting array buffers and typed arrays to pointers, except when passed as arguments.
Attachment #8545313 - Flags: review?(sphink) → review+
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla37