Closed
Bug 1489979
Opened 6 years ago
Closed 6 years ago
IsDependentOn relies on Undefined Behavior
Categories
(Core :: XPCOM, enhancement)
Core
XPCOM
Tracking
()
RESOLVED
FIXED
mozilla64
| Tracking | Status | |
|---|---|---|
| firefox64 | --- | fixed |
People
(Reporter: hsivonen, Assigned: hsivonen)
Details
Attachments
(1 file, 1 obsolete file)
https://searchfox.org/mozilla-central/source/xpcom/string/nsTStringRepr.h#295 says: // Returns true if this string overlaps with the given string fragment. bool IsDependentOn(const char_type* aStart, const char_type* aEnd) const { // If it _isn't_ the case that one fragment starts after the other ends, // or ends before the other starts, then, they conflict: // // !(f2.begin >= f1.aEnd || f2.aEnd <= f1.begin) // // Simplified, that gives us: return (aStart < (mData + mLength) && aEnd > mData); } This is UB if the arguments come from a different allocation than mData. I'm not aware of any practical problem right now, but as we use LTO more, which gives the optimizer more visibility into the code, it's a bit worriesome that in principle, the above asserts to the compiler that aStart and mData come from the same allocation, which in principle could be used to transform some other code. We should use std::less and std::greater instead of < and > to avoid UB here, just in case.
|
Assignee | |
Updated•6 years ago
|
Assignee: nobody → hsivonen
Status: NEW → ASSIGNED
|
|
Assignee | |
Comment 1•6 years ago
|
||
https://treeherder.mozilla.org/#/jobs?repo=try&revision=3e3e0aa75658fcdf9d1dcd54a7cd046dba14a1b3
|
|
Assignee | |
Comment 2•6 years ago
|
||
MozReview-Commit-ID: EHEIFvmFOLc
|
|
Assignee | |
Comment 3•6 years ago
|
||
Huh. The patch breaks all opt builds, so it seems to have the opposite effect of what it's supposed to have.
|
|
Assignee | |
Comment 4•6 years ago
|
||
With implemenation-defined behavior instead of Undefined Behavior: https://treeherder.mozilla.org/#/jobs?repo=try&revision=a008bee3a31241165387ba217d13a8264392a29d (This might be placebo at present given bugs shown in appendices A and B of https://www.cs.utah.edu/~regehr/oopsla18.pdf .)
|
|
Assignee | |
Comment 5•6 years ago
|
||
(In reply to Henri Sivonen (:hsivonen) from comment #4) > With implemenation-defined behavior instead of Undefined Behavior: > https://treeherder.mozilla.org/#/ > jobs?repo=try&revision=a008bee3a31241165387ba217d13a8264392a29d > > (This might be placebo at present given bugs shown in appendices A and B of > https://www.cs.utah.edu/~regehr/oopsla18.pdf .) And that patch is very red and orange on treeherder. Now I'm confused.
|
||
Updated•6 years ago
|
Attachment #9008013 -
Attachment is obsolete: true
|
|
Assignee | |
Updated•6 years ago
|
Assignee: hsivonen → nobody
Status: ASSIGNED → NEW
|
|
Assignee | |
Comment 6•6 years ago
|
||
The source of my confusion was bug 1487341, which, it turns out, fails in opt builds.
Assignee: nobody → hsivonen
Status: NEW → ASSIGNED
|
|
Assignee | |
Comment 7•6 years ago
|
||
https://treeherder.mozilla.org/#/jobs?repo=try&revision=0cfbe46e8411141c90ba7bd58d41d5a719d6586b
|
|
Assignee | |
Comment 8•6 years ago
|
||
MozReview-Commit-ID: C6ehO1TG5YO
|
|
Assignee | |
Comment 9•6 years ago
|
||
https://treeherder.mozilla.org/#/jobs?repo=try&revision=e610de9c8d216e5a615cb16b014ed8d510fe9e60
|
||
Comment 10•6 years ago
|
||
Comment on attachment 9009596 [details] Bug 1489979 - Avoid UB in IsDependentOn(). Nathan Froyd [:froydnj] has approved the revision.
Attachment #9009596 -
Flags: review+
|
||
Comment 11•6 years ago
|
||
Pushed by hsivonen@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/380cac58bbc5 Avoid UB in IsDependentOn(). r=froydnj
|
||
Comment 12•6 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/380cac58bbc5
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
status-firefox64:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla64
|
||
Updated•3 years ago
|
Component: String → XPCOM
You need to log in
before you can comment on or make changes to this bug.
Description
•