Bug 1117851 (Closed): opened 5 years ago, closed 5 years ago

nsJSUtils::GetCallingLocation is a memory hazard footgun

Categories: Core :: JavaScript Engine, defect
Platform: x86 macOS
Type: defect
Priority: Not set
Status: RESOLVED FIXED
Target Milestone: mozilla37
People: Reporter: bholley, Assigned: bholley
Attachments: 2 files

I noticed this while reviewing bug 1097998. The API returns an unowned char*, which is effectively valid until the next GC, because the guard object goes out of scope when nsJSUtils::GetCallingLocation returns.

I just audited all the callers, and it looks like we're safe for now. But we should fix this before someone screws it up. I'll attach a patch.
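The hazard described in the report, shown in isolation as an added example (this is not the bug's patch or Gecko code): a function that returns a raw pointer into memory owned by a stack-scoped guard hands the caller a pointer that dangles the moment the function returns, and nothing in the signature says so. The ownership-safe shape copies into a caller-owned string while the guard is still alive. `AutoByteString` is a constructed stand-in for the guard object, `FrameInfo`, `GetCallingLocationUnsafe`, `GetCallingLocationSafe` and `FormatCallingLocation` are hypothetical names, and the sample filename and line number are constructed.

```cpp
#include <cstdint>
#include <cstring>
#include <iostream>
#include <memory>
#include <string>

// Stand-in for the guard object the report refers to: it owns a heap copy of
// the filename bytes and frees that copy in its destructor. Constructed for
// this example; not the engine's own class.
class AutoByteString {
public:
    explicit AutoByteString(const char* aSource)
        : mBytes(new char[std::strlen(aSource) + 1]) {
        std::strcpy(mBytes.get(), aSource);
    }
    const char* ptr() const { return mBytes.get(); }
private:
    std::unique_ptr<char[]> mBytes;  // released when the guard goes out of scope
};

// Hypothetical view of the current script frame: filename as the engine holds
// it plus a line number. Constructed for this example.
struct FrameInfo {
    const char* filename;  // null when no script frame is on the stack
    uint32_t lineno;
};

// The hazardous shape: the returned char* points into memory owned by `guard`,
// which is destroyed when this function returns. Any later dereference is a
// use-after-free, and the signature gives the caller no hint of that.
const char* GetCallingLocationUnsafe(const FrameInfo& aFrame, uint32_t* aLineno) {
    if (!aFrame.filename) return nullptr;
    AutoByteString guard(aFrame.filename);
    if (aLineno) *aLineno = aFrame.lineno;
    return guard.ptr();  // dangling as soon as we return
}

// The ownership-safe shape: deep-copy the bytes into a caller-owned string
// while the guard is alive and report presence through the return value.
// (Assumed to follow the direction of the fix; not the actual patch.)
bool GetCallingLocationSafe(const FrameInfo& aFrame, std::string& aFilename,
                            uint32_t* aLineno) {
    if (!aFrame.filename) return false;
    AutoByteString guard(aFrame.filename);
    aFilename.assign(guard.ptr());  // copy survives the guard's destruction
    if (aLineno) *aLineno = aFrame.lineno;
    return true;
}

// Convenience wrapper a caller might use for log or error messages.
std::string FormatCallingLocation(const FrameInfo& aFrame) {
    std::string file;
    uint32_t line = 0;
    if (!GetCallingLocationSafe(aFrame, file, &line)) return "<unknown>";
    return file + ":" + std::to_string(line);
}

int main() {
    // Constructed sample frame; prints https://example.test/app.js:42
    FrameInfo frame{"https://example.test/app.js", 42};
    std::cout << FormatCallingLocation(frame) << "\n";
    std::cout << FormatCallingLocation(FrameInfo{nullptr, 0}) << "\n";  // <unknown>
    return 0;
}
```

The audit the report describes is exactly the check this shape removes the need for: with the out-parameter form, each caller owns the bytes it reads, so a later GC or guard destruction cannot invalidate them behind its back.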
Blocks: 1097998
Attachment #8544081 - Flags: review?(bugs) → review+
https://hg.mozilla.org/mozilla-central/rev/9035e4de3c03
Assignee: nobody → bobbyholley
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla37
Backed out at smaug's request due to bug 1118257.
https://hg.mozilla.org/integration/mozilla-inbound/rev/a3a485cf8fda
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Target Milestone: mozilla37 → ---
...which caused other bustage. Re-landed.
https://hg.mozilla.org/integration/mozilla-inbound/rev/d8541085a5d5

Smaug says he'll prepare a backout patch. Leaving the bug open since that's where it's still going.
Keywords: checkin-needed
https://hg.mozilla.org/mozilla-central/rev/d8541085a5d5
Status: REOPENED → RESOLVED
Closed: 5 years ago
Keywords: checkin-needed
Resolution: --- → FIXED
Target Milestone: --- → mozilla37