Closed
Bug 1746699
Opened 2 years ago
Closed 2 years ago
Reduce UB when allocating GC things
Categories
(Core :: JavaScript Engine, task, P1)
Core
JavaScript Engine
Tracking
()
RESOLVED
FIXED
106 Branch
| Tracking | Status | |
|---|---|---|
| firefox106 | --- | fixed |
People
(Reporter: sfink, Assigned: sfink)
References
(Blocks 1 open bug)
Details
Attachments
(3 files)
Bug 1739321 is no longer a good home for this work.
This is about how we allocate memory from the GC heap, then cast it to the right type, and never actually construct any C++ types in that memory.
|
Assignee | |
Comment 1•2 years ago
|
||
|
||
Updated•2 years ago
|
Assignee: nobody → sphink
Status: NEW → ASSIGNED
|
|
Assignee | |
Comment 2•2 years ago
|
||
|
|
Assignee | |
Comment 3•2 years ago
|
||
|
|
||
Updated•2 years ago
|
Attachment #9256000 -
Attachment description: Bug 1746699 - Change all callers of js::Allocate<T>() to properly use placement new → Bug 1746699 - Change all callers of js::Allocate<T>() to properly use placement new instead of casting
|
||
Updated•2 years ago
|
Severity: -- → S3
Priority: -- → P1
Pushed by sfink@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/ac7a2cfb2cd0 Avoid UB when allocating JSStrings and BigInts r=tcampbell https://hg.mozilla.org/integration/autoland/rev/02a4670a672b Avoid pointing to untyped memory with TenuredChunk* pointers (reduces UB) r=tcampbell https://hg.mozilla.org/integration/autoland/rev/a423d31d54d9 Change all callers of js::Allocate<T>() to properly use placement new instead of casting r=tcampbell
|
||
Comment 5•2 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/ac7a2cfb2cd0
https://hg.mozilla.org/mozilla-central/rev/02a4670a672b
https://hg.mozilla.org/mozilla-central/rev/a423d31d54d9
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
status-firefox106:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 106 Branch
You need to log in
before you can comment on or make changes to this bug.
Description
•