Closed Bug 1080262 Opened 5 years ago Closed 5 years ago

Disallow ctypes from converting ArrayBuffer pointers to C pointers

Categories: Core :: JavaScript Engine, defect

Tracking: RESOLVED FIXED, target milestone mozilla37

People: Reporter: sfink, Assigned: jonco

Attachments: 1 file, 2 obsolete files

Except for arguments, which are probably ok. Or rather, no worse than other things that retrieve unstable C pointers. Arguments are needed for IO.File to read/write array buffers and typed arrays.

Split off from bug 1061288, which isn't really done until this is fixed.
Blocks: 1061288
Depends on: 1075438, 1077354
So I've come to this bug after seeing crashes with compacting GC where ctypes::ConvertToJS() accesses a CData pointer that points to relocated memory.

After doing some digging it seems that OS.File.write|writeAtomic and AbstractFile.readTo|write convert typed arrays to C pointers, in the first case passing the pointer to a worker thread.

I think I need to talk to you about how to address this.
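The hazard described in the comment above, as an added illustration that is not code from this bug, from SpiderMonkey or from js-ctypes: a toy compacting heap in C whose objects are reached through stable handles. A raw pointer taken from a handle (what ctypes produced when it converted an ArrayBuffer to a C pointer) is not updated when the collector slides live objects down, so a read through it after compaction lands on the vacated, poisoned cell; re-deriving the pointer from the handle after the collection reads the moved object correctly. The heap layout, cell size and poison byte are assumptions made for the demonstration.

```c
#include <stdint.h>
#include <string.h>

/* Toy compacting heap: NCELLS fixed-size cells plus a handle table that
 * maps a stable handle to the cell currently holding its object. */
#define CELL_BYTES 16
#define NCELLS 8
#define POISON 0xAA  /* assumed: value written over vacated cells */

typedef struct {
    uint8_t cells[NCELLS][CELL_BYTES];
    int live[NCELLS];      /* 1 if the cell holds a live object */
    int cell_of[NCELLS];   /* handle -> cell index, -1 once freed */
    int next_handle;
    int next_cell;
} heap_t;

static void heap_init(heap_t *h) {
    memset(h, 0, sizeof *h);
    for (int i = 0; i < NCELLS; i++) h->cell_of[i] = -1;
}

/* Allocate an object holding a short string; return its stable handle. */
static int heap_alloc(heap_t *h, const char *s) {
    if (h->next_cell >= NCELLS || h->next_handle >= NCELLS) return -1;
    int c = h->next_cell++;
    int hd = h->next_handle++;
    memset(h->cells[c], 0, CELL_BYTES);
    strncpy((char *)h->cells[c], s, CELL_BYTES - 1);
    h->live[c] = 1;
    h->cell_of[hd] = c;
    return hd;
}

static void heap_free(heap_t *h, int hd) {
    int c = h->cell_of[hd];
    if (c < 0) return;
    h->live[c] = 0;
    h->cell_of[hd] = -1;
}

/* Raw pointer into the heap, analogous to the C pointer ctypes derived
 * from an ArrayBuffer. Only valid until the next compacting collection. */
static uint8_t *heap_raw_ptr(heap_t *h, int hd) {
    int c = h->cell_of[hd];
    return c < 0 ? NULL : h->cells[c];
}

/* Compacting GC: slide live cells down to close gaps and fix up the
 * handle table. Raw pointers handed out earlier are NOT fixed up; the
 * vacated cells are poisoned so a stale read is visible. */
static void heap_compact(heap_t *h) {
    int dst = 0;
    for (int src = 0; src < h->next_cell; src++) {
        if (!h->live[src]) continue;
        if (dst != src) {
            memcpy(h->cells[dst], h->cells[src], CELL_BYTES);
            memset(h->cells[src], POISON, CELL_BYTES);
            h->live[src] = 0;
            for (int hd = 0; hd < h->next_handle; hd++)
                if (h->cell_of[hd] == src) h->cell_of[hd] = dst;
        }
        h->live[dst] = 1;
        dst++;
    }
    h->next_cell = dst;
}

/* The crash scenario: take a pointer, free an earlier object so the GC
 * has a gap to close, compact, then read through the old pointer.
 * Returns 1 if the stale read still saw the object's bytes, 0 if not. */
static int stale_pointer_sees_original(void) {
    heap_t h;
    heap_init(&h);
    int a = heap_alloc(&h, "garbage");
    int b = heap_alloc(&h, "payload");
    uint8_t *p = heap_raw_ptr(&h, b);    /* taken before the collection */
    heap_free(&h, a);
    heap_compact(&h);                    /* b moves from cell 1 to cell 0 */
    return memcmp(p, "payload", 7) == 0; /* reads POISON: returns 0 */
}

/* The safe pattern: derive the pointer from the handle only at the point
 * of use, after any collection, so its lifetime is bounded by the call. */
static int rederived_pointer_sees_original(void) {
    heap_t h;
    heap_init(&h);
    int a = heap_alloc(&h, "garbage");
    int b = heap_alloc(&h, "payload");
    heap_free(&h, a);
    heap_compact(&h);
    return memcmp(heap_raw_ptr(&h, b), "payload", 7) == 0; /* returns 1 */
}
```

The two functions differ only in when the pointer is derived. That is the distinction the fix draws: a pointer that exists only for the duration of a ctypes call argument cannot outlive a collection in the way a stored CData pointer can.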
Yes, I know how to get rid of this, but the first step kills AdBlock Plus, so we need to wait until the next release of ABP (November 11th) before landing it.
Assignee: nobody → sphink
Status: NEW → ASSIGNED
Attachment #8516171 - Attachment description: Avoid converting array buffers to pointers in IO.File → Avoid converting array buffers to pointers in OS.File
Blocks: 650161
Disallow ctypes from converting array buffers and typed arrays to pointers, except when passed as arguments.
Assignee: sphink → jcoppeard
Attachment #8516155 - Attachment is obsolete: true
Attachment #8516171 - Attachment is obsolete: true
Attachment #8545313 - Flags: review?(sphink)
Attachment #8545313 - Flags: review?(sphink) → review+
https://hg.mozilla.org/mozilla-central/rev/266d204f97bf
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla37
Blocks: 1120837