Closed Bug 1117851 Opened 9 years ago Closed 9 years ago

nsJSUtils::GetCallingLocation is a memory hazard footgun

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla37

People

(Reporter: bholley, Assigned: bholley)

References

Details

Attachments

(2 files)

Make GetCallingLocation take an nsA{,C}String. v1
8.38 KB, patch
smaug
: review+
Details | Diff | Splinter Review
backout patch
9.05 KB, patch
Details | Diff | Splinter Review 
I noticed this while reviewing bug 1097998. The API returns an unowned char*, which is effectively valid until the next GC, because the guard object goes out of scope when nsJSUtils::GetCallingLocation returns.

I just audited all the callers, and it looks like we're safe for now. But we should fix this before someone screws it up. I'll attach a patch.
Blocks: 1097998
Attachment #8544081 - Flags: review?(bugs) → review+
https://hg.mozilla.org/mozilla-central/rev/9035e4de3c03
Assignee: nobody → bobbyholley
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla37
Backed out at smaug's request due to bug 1118257.
https://hg.mozilla.org/integration/mozilla-inbound/rev/a3a485cf8fda
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Target Milestone: mozilla37 → ---
....which caused other bustage. Re-landed.
https://hg.mozilla.org/integration/mozilla-inbound/rev/d8541085a5d5

Smaug says he'll prepare a backout patch. Leaving the bug open since that's where it's still going.
https://hg.mozilla.org/mozilla-central/rev/d8541085a5d5
Status: REOPENED → RESOLVED
Closed: 9 years ago9 years ago
Keywords: checkin-needed
Resolution: --- → FIXED
Target Milestone: --- → mozilla37
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: