Disallow ctypes from converting ArrayBuffer pointers to C pointers

Status: RESOLVED FIXED in mozilla37
Product: Core
Component: JavaScript Engine
Reported: 3 years ago; last modified: a year ago
Reporter: sfink; Assigned: jonco
Version: unspecified
Target Milestone: mozilla37
Bug Flags: in-testsuite +
Firefox Tracking Flags: (Not tracked)
Attachments: 1 attachment, 2 obsolete attachments

Description (Reporter, 3 years ago)

Except for arguments, which are probably ok. Or rather, no worse than other things that retrieve unstable C pointers. Arguments are needed for IO.File to read/write array buffers and typed arrays.

Split off from bug 1061288, which isn't really done until this is fixed.

Updated (Reporter, 3 years ago)
Blocks: 1061288
Depends on: 1075438, 1077354

Comment 1 (Assignee, 3 years ago)

So I've come to this bug after seeing crashes with compacting GC where ctypes::ConvertToJS() accesses a CData pointer that points to relocated memory.

After doing some digging it seems that OS.File.write|writeAtomic and AbstractFile.readTo|write convert typed arrays to C pointers, in the first case passing the pointer to a worker thread.

I think I need to talk to you about how to address this.

Comment 2

Yes, I know how to get rid of this, but the first step kills AdBlock Plus, so we need to wait until the next release of ABP (November 11th) before landing it.

Comment 3 (Reporter, 3 years ago)

Created attachment 8516155: Restrict array buffer -> pointer conversions to argument passing

Updated (Reporter, 3 years ago)
Assignee: nobody → sphink
Status: NEW → ASSIGNED

Comment 4 (Reporter, 3 years ago)

Created attachment 8516171: Avoid converting array buffers to pointers in OS.File
Attachment #8516171 - Attachment description: Avoid converting array buffers to pointers in IO.File → Avoid converting array buffers to pointers in OS.File

Updated (Assignee, 3 years ago)
Blocks: 650161

Comment 5 (Assignee, 3 years ago)

Created attachment 8545313: bug1080262-ctypes

Disallow ctypes from converting array buffers and typed arrays to pointers, except when passed as arguments.

Assignee: sphink → jcoppeard
Attachment #8516155 - Attachment is obsolete: true
Attachment #8516171 - Attachment is obsolete: true
Attachment #8545313 - Flags: review?(sphink)

Updated (Reporter, 3 years ago)
Attachment #8545313 - Flags: review?(sphink) → review+

Comment 6 (Assignee, 3 years ago)

https://hg.mozilla.org/integration/mozilla-inbound/rev/266d204f97bf
https://hg.mozilla.org/mozilla-central/rev/266d204f97bf

Status: ASSIGNED → RESOLVED
Last Resolved: 3 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla37

Updated (3 years ago)
Blocks: 1120837