Closed Bug 1535530 Opened 6 years ago Closed 5 years ago

It's still possible to fool the MOZ_CAN_RUN_SCRIPT analysis to accept non-stack RefPtrs

Categories

(Developer Infrastructure :: Source Code Analysis, defect, P3)

defect

Tracking

(firefox75 fixed)

RESOLVED FIXED
mozilla75
Tracking Status
firefox75 --- fixed

People

(Reporter: bzbarsky, Assigned: bzbarsky)

References

(Blocks 2 open bugs)

Details

Attachments

(1 file)

Consider code that looks like this:

  for (RefPtr<Foo>& cur : mSomeArray) {
    cur->DoStuff();
  }

This compiles if DoStuff is MOZ_CAN_RUN_SCRIPT. But it should not. Even though "cur" does have stack lifetime, the actual object involved does not!

What we're enforcing right now is that we have a declRefExpr, that the corresponding varDecl hasAutomaticStorageDuration(), and that the declRefExpr hasType(isSmartPtrToRefCounted()).

I don't know whether it's hasType() that is stripping off the reference bit or isSmartPtrToRefCounted() or something else, but the net result is that our test passes. A regression test for TestCanRunScript.cpp for when we fix this:

struct DisallowMemberArgsViaReferenceAlias {
  RefPtr<RefCountedBase> mRefCounted;
  MOZ_CAN_RUN_SCRIPT void foo() {
    RefPtr<RefCountedBase>& bogus = mRefCounted;
    bogus->method_test(); // expected-error {{arguments must all be strong refs or parent parameters when calling a function marked as MOZ_CAN_RUN_SCRIPT (including the implicit object argument)}}
  }
  MOZ_CAN_RUN_SCRIPT void bar() {
    RefPtr<RefCountedBase>& bogus = mRefCounted;
    test2(bogus);
  }
};

The priority flag is not set for this bug.
:sylvestre, could you have a look please?

Flags: needinfo?(sledru)
Flags: needinfo?(sledru)
Priority: -- → P3

With the increased usage of MOZ_CAN_RUN_SCRIPT (https://searchfox.org/mozilla-central/search?q=MOZ_CAN_RUN_SCRIPT&case=true&regexp=true&path=), it's perhaps worth to reconsider the priority of this issue.

Funny how revisiting things after a bit makes them more obvious.... Or maybe I refactored this enough since filing that it's clear what to do. Anyway, fix coming up.

Assignee: nobody → bzbarsky
Blocks: 1620312

The key here is to test the type of the variable declaration for being a
smartptr type, instead of testing the type of the variable use.

Thanks for the fix.

Pushed by bzbarsky@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/afbf73fb4073
Fix can-run-script analysis to not mishandle on-stack refs to RefPtrs. r=andi,masayuki
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla75
Product: Firefox Build System → Developer Infrastructure
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: