Closed
Bug 1123002
Opened 11 years ago
Closed 11 years ago
Convert XPCStringConvert::ZoneStringCache::mBuffer to void*
Categories
(Core :: XPConnect, defect)
Core
XPConnect
Tracking
()
RESOLVED
FIXED
mozilla38
People
(Reporter: ehsan.akhgari, Assigned: ehsan.akhgari)
Details
Attachments
(1 file)
|
1.29 KB,
patch
|
mccr8
:
review+
|
Details | Diff | Splinter Review |
This variable is only used for pointer comparison in order to compute
a cache match. This patch converts the type of the variable to void*
so that it can still be used for the pointer comparison, but not for
any other purpose, including dereferencing, since the pointer may
potentially be dangling if the string buffer dies.
|
Assignee | |
Updated•11 years ago
|
Assignee: nobody → ehsan
|
|
Assignee | |
Comment 1•11 years ago
|
||
This variable is only used for pointer comparison in order to compute
a cache match. This patch converts the type of the variable to void*
so that it can still be used for the pointer comparison, but not for
any other purpose, including dereferencing, since the pointer may
potentially be dangling if the string buffer dies.
|
|
Assignee | |
Updated•11 years ago
|
Attachment #8550944 -
Flags: review?(bobbyholley)
|
||
Comment 2•11 years ago
|
||
Comment on attachment 8550944 [details] [diff] [review]
Convert XPCStringConvert::ZoneStringCache::mBuffer to void*
Review of attachment 8550944 [details] [diff] [review]:
-----------------------------------------------------------------
Hm, this is Andrew's code. I'm confused though - if this pointer can dangle, what's to stop us from getting false cache hits with another string allocated in the same region of memory?
Attachment #8550944 -
Flags: review?(bobbyholley) → review?(continuation)
|
|
Assignee | |
Comment 3•11 years ago
|
||
I expect nothing!
|
||
Comment 4•11 years ago
|
||
mString owns mBuffer. mString is a JS thing, so it can only die during GC. We clear mString and mBuffer during GC. So, yes, if the pointer is dangling we're probably in trouble anyways.
|
|
||
Comment 5•11 years ago
|
||
Comment on attachment 8550944 [details] [diff] [review]
Convert XPCStringConvert::ZoneStringCache::mBuffer to void*
Review of attachment 8550944 [details] [diff] [review]:
-----------------------------------------------------------------
I guess this is okay to appease the analysis, but we're going to be in trouble in other ways if this is ever a dangling pointer. ;)
Attachment #8550944 -
Flags: review?(continuation) → review+
|
|
||
Updated•11 years ago
|
Summary: Convert XPCStringConvert::ZoneStringCache::mBuffer to void*; r=bholley → Convert XPCStringConvert::ZoneStringCache::mBuffer to void*
|
|
||
Comment 6•11 years ago
|
||
(In reply to Andrew McCreight [:mccr8] from comment #4)
> mString owns mBuffer. mString is a JS thing, so it can only die during GC.
> We clear mString and mBuffer during GC. So, yes, if the pointer is dangling
> we're probably in trouble anyways.
Can this be added as a comment in the patch Ehsan?
Flags: needinfo?(ehsan)
|
|
Assignee | |
Comment 7•11 years ago
|
||
(In reply to Bobby Holley (Busy with media, don't ask for DOM/JS/XPConnect things) from comment #6)
> (In reply to Andrew McCreight [:mccr8] from comment #4)
> > mString owns mBuffer. mString is a JS thing, so it can only die during GC.
> > We clear mString and mBuffer during GC. So, yes, if the pointer is dangling
> > we're probably in trouble anyways.
>
> Can this be added as a comment in the patch Ehsan?
Of course!
Flags: needinfo?(ehsan)
|
||
Comment 8•11 years ago
|
||
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla38
You need to log in
before you can comment on or make changes to this bug.
Description
•