Closed
Bug 1123002
Opened 9 years ago
Closed 9 years ago
Convert XPCStringConvert::ZoneStringCache::mBuffer to void*
Categories
(Core :: XPConnect, defect)
Core
XPConnect
Tracking
()
RESOLVED
FIXED
mozilla38
People
(Reporter: ehsan.akhgari, Assigned: ehsan.akhgari)
Details
Attachments
(1 file)
|
1.29 KB,
patch
|
mccr8
:
review+
|
Details | Diff | Splinter Review |
This variable is only used for pointer comparison in order to compute a cache match. This patch converts the type of the variable to void* so that it can still be used for the pointer comparison, but not for any other purpose, including dereferencing, since the pointer may potentially be dangling if the string buffer dies.
|
Assignee | |
Updated•9 years ago
|
Assignee: nobody → ehsan
|
|
Assignee | |
Comment 1•9 years ago
|
||
This variable is only used for pointer comparison in order to compute a cache match. This patch converts the type of the variable to void* so that it can still be used for the pointer comparison, but not for any other purpose, including dereferencing, since the pointer may potentially be dangling if the string buffer dies.
|
|
Assignee | |
Updated•9 years ago
|
Attachment #8550944 -
Flags: review?(bobbyholley)
|
||
Comment 2•9 years ago
|
||
Comment on attachment 8550944 [details] [diff] [review] Convert XPCStringConvert::ZoneStringCache::mBuffer to void* Review of attachment 8550944 [details] [diff] [review]: ----------------------------------------------------------------- Hm, this is Andrew's code. I'm confused though - if this pointer can dangle, what's to stop us from getting false cache hits with another string allocated in the same region of memory?
Attachment #8550944 -
Flags: review?(bobbyholley) → review?(continuation)
|
|
Assignee | |
Comment 3•9 years ago
|
||
I expect nothing!
|
||
Comment 4•9 years ago
|
||
mString owns mBuffer. mString is a JS thing, so it can only die during GC. We clear mString and mBuffer during GC. So, yes, if the pointer is dangling we're probably in trouble anyways.
|
|
||
Comment 5•9 years ago
|
||
Comment on attachment 8550944 [details] [diff] [review] Convert XPCStringConvert::ZoneStringCache::mBuffer to void* Review of attachment 8550944 [details] [diff] [review]: ----------------------------------------------------------------- I guess this is okay to appease the analysis, but we're going to be in trouble in other ways if this is ever a dangling pointer. ;)
Attachment #8550944 -
Flags: review?(continuation) → review+
|
|
||
Updated•9 years ago
|
Summary: Convert XPCStringConvert::ZoneStringCache::mBuffer to void*; r=bholley → Convert XPCStringConvert::ZoneStringCache::mBuffer to void*
|
|
||
Comment 6•9 years ago
|
||
(In reply to Andrew McCreight [:mccr8] from comment #4) > mString owns mBuffer. mString is a JS thing, so it can only die during GC. > We clear mString and mBuffer during GC. So, yes, if the pointer is dangling > we're probably in trouble anyways. Can this be added as a comment in the patch Ehsan?
Flags: needinfo?(ehsan)
|
|
Assignee | |
Comment 7•9 years ago
|
||
(In reply to Bobby Holley (Busy with media, don't ask for DOM/JS/XPConnect things) from comment #6) > (In reply to Andrew McCreight [:mccr8] from comment #4) > > mString owns mBuffer. mString is a JS thing, so it can only die during GC. > > We clear mString and mBuffer during GC. So, yes, if the pointer is dangling > > we're probably in trouble anyways. > > Can this be added as a comment in the patch Ehsan? Of course!
Flags: needinfo?(ehsan)
|
||
Comment 8•9 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/d8c0fee0015a
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla38
You need to log in
before you can comment on or make changes to this bug.
Description
•