Closed Bug 1308193 Opened 8 years ago Closed 8 years ago

IonBuilder::computeHeapType can return stack memory

Categories

(Core :: JavaScript Engine: JIT, defect, P3)

Product:
Core
Component:
JavaScript Engine: JIT
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla56
Tracking Flags:
Tracking Status
firefox56 --- fixed

People

(Reporter: gps, Assigned: sstangl)

References

(Blocks 1 open bug)

Details

Attachments

(1 file)

0001-Reorganize-code-that-looks-like-it-could-return-a-st.patch
1.42 KB, patch
nbp
: review+
Details | Diff | Splinter Review
According to clang's static analysis, https://hg.mozilla.org/mozilla-central/file/da986c9f1f72/js/src/jit/IonBuilder.cpp#l9741 appears to return stack-allocated memory. nbp says this is a false positive because "basically TypeSet::unionSets allocates a new TemporaryTypeSet, and the guards above the acc are guarding that we enter the loop." Since this is identified as a severe vulnerability by static analysis, it would be great if the code could be rewritten to avoid the false positive.
Flags: needinfo?(nicolas.b.pierron)
Might indeed be good to get this fixed. I think it should be straight forward to fix? Let's do it. Putting this as P2 to get it this or next release.
Priority: -- → P2
Priority: P2 → P3
Browsing through old bugs.
Attachment #8888933 - Flags: review?(nicolas.b.pierron)
Attachment #8888933 - Flags: review?(nicolas.b.pierron) → review+
Flags: needinfo?(nicolas.b.pierron)
Keywords: checkin-needed
Assignee: nobody → sstangl
Pushed by ryanvm@gmail.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/8e1e06adf80f Reorganize code that looks like it could return a stack address. r=nbp
Keywords: checkin-needed
https://hg.mozilla.org/mozilla-central/rev/8e1e06adf80f
Status: NEW → RESOLVED
Closed: 8 years ago
status-firefox56: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla56
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: