Closed
Bug 1123002
Opened 9 years ago
Closed 9 years ago
Convert XPCStringConvert::ZoneStringCache::mBuffer to void*
Categories
(Core :: XPConnect, defect)
Core
XPConnect
Tracking
()
RESOLVED
FIXED
mozilla38
People
(Reporter: ehsan.akhgari, Assigned: ehsan.akhgari)
Details
Attachments
(1 file)
1.29 KB,
patch
|
mccr8
:
review+
|
Details | Diff | Splinter Review |
This variable is only used for pointer comparison in order to compute a cache match. This patch converts the type of the variable to void* so that it can still be used for the pointer comparison, but not for any other purpose, including dereferencing, since the pointer may potentially be dangling if the string buffer dies.
Assignee | ||
Updated•9 years ago
|
Assignee: nobody → ehsan
Assignee | ||
Comment 1•9 years ago
|
||
This variable is only used for pointer comparison in order to compute a cache match. This patch converts the type of the variable to void* so that it can still be used for the pointer comparison, but not for any other purpose, including dereferencing, since the pointer may potentially be dangling if the string buffer dies.
Assignee | ||
Updated•9 years ago
|
Attachment #8550944 -
Flags: review?(bobbyholley)
Comment 2•9 years ago
|
||
Comment on attachment 8550944 [details] [diff] [review] Convert XPCStringConvert::ZoneStringCache::mBuffer to void* Review of attachment 8550944 [details] [diff] [review]: ----------------------------------------------------------------- Hm, this is Andrew's code. I'm confused though - if this pointer can dangle, what's to stop us from getting false cache hits with another string allocated in the same region of memory?
Attachment #8550944 -
Flags: review?(bobbyholley) → review?(continuation)
Assignee | ||
Comment 3•9 years ago
|
||
I expect nothing!
Comment 4•9 years ago
|
||
mString owns mBuffer. mString is a JS thing, so it can only die during GC. We clear mString and mBuffer during GC. So, yes, if the pointer is dangling we're probably in trouble anyways.
Comment 5•9 years ago
|
||
Comment on attachment 8550944 [details] [diff] [review] Convert XPCStringConvert::ZoneStringCache::mBuffer to void* Review of attachment 8550944 [details] [diff] [review]: ----------------------------------------------------------------- I guess this is okay to appease the analysis, but we're going to be in trouble in other ways if this is ever a dangling pointer. ;)
Attachment #8550944 -
Flags: review?(continuation) → review+
Updated•9 years ago
|
Summary: Convert XPCStringConvert::ZoneStringCache::mBuffer to void*; r=bholley → Convert XPCStringConvert::ZoneStringCache::mBuffer to void*
Comment 6•9 years ago
|
||
(In reply to Andrew McCreight [:mccr8] from comment #4) > mString owns mBuffer. mString is a JS thing, so it can only die during GC. > We clear mString and mBuffer during GC. So, yes, if the pointer is dangling > we're probably in trouble anyways. Can this be added as a comment in the patch Ehsan?
Flags: needinfo?(ehsan)
Assignee | ||
Comment 7•9 years ago
|
||
(In reply to Bobby Holley (Busy with media, don't ask for DOM/JS/XPConnect things) from comment #6) > (In reply to Andrew McCreight [:mccr8] from comment #4) > > mString owns mBuffer. mString is a JS thing, so it can only die during GC. > > We clear mString and mBuffer during GC. So, yes, if the pointer is dangling > > we're probably in trouble anyways. > > Can this be added as a comment in the patch Ehsan? Of course!
Flags: needinfo?(ehsan)
Comment 8•9 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/d8c0fee0015a
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla38
You need to log in
before you can comment on or make changes to this bug.
Description
•