Closed Bug 1682584 Opened 3 years ago Closed 3 years ago

Assert pointer is aligned to Value size in Poison functions

Categories

(Core :: JavaScript Engine, enhancement, P5)

Product:
Core
Component:
JavaScript Engine
Type:
enhancement

Tracking

()

Status:
RESOLVED FIXED
Milestone:
86 Branch
Tracking Flags:
Tracking Status
firefox86 --- fixed

People

(Reporter: arai, Assigned: arai)

Details

Attachments

(1 file)

Bug 1682584 - Assert pointer is aliged to JS::Value size in Poison functions on 64-bit arch. r?jonco!
47 bytes, text/x-phabricator-request
Details | Review

bug 1677224 comment #7 failure is caused by passing non-Value-size-aligned pointer to AlwaysPoison.
the function signature or comment doesn't imply the pointer should be Value-size-aligned,
but the underlying impl casts the pointer to JS::Value*.

It should have debug assert about the alignment

if we pass not-Value-size-aligned pointer to Poison function, it results in Segmentation Fault in PodSet.

Assignee: nobody → arai.unmht
Status: NEW → ASSIGNED
Pushed by arai_a@mac.com:
https://hg.mozilla.org/integration/autoland/rev/1e7cd648ecd5
Assert pointer is aliged to JS::Value size in Poison functions. r=jonco

looks like the assumption here holds only on 64-bit arch.
on 32-bit arch, minimum requirement for the pointers passed to Poison are 4-bytes-aligned (=pointer-size), and that doesn't match alignas(8) for JS::Value.
I wonder if reinterpret_cast<JS::Value*> is valid here.

also, if the pointer doesn't align with 8 bytes, filling the memory block with poisoned object from the beginning doesn't contribute to safe crash,
given that value tag isn't in correct position when reading the block as Value.

maybe we should treat leading non-Value-size-aligned block separately on 32-bit arch?

Attachment #9193522 - Attachment description: Bug 1682584 - Assert pointer is aliged to JS::Value size in Poison functions. r?jonco! → Bug 1682584 - Assert pointer is aliged to JS::Value size in Poison functions on 64-bit arch. r?jonco!
Flags: needinfo?(arai.unmht)
Pushed by arai_a@mac.com:
https://hg.mozilla.org/integration/autoland/rev/a092c8578144
Assert pointer is aliged to JS::Value size in Poison functions on 64-bit arch. r=jonco

https://hg.mozilla.org/mozilla-central/rev/a092c8578144

Status: ASSIGNED → RESOLVED
Closed: 3 years ago
status-firefox86: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 86 Branch
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: