Bug 1782865 - v8::internal::Isolate::trace is not called
Status: RESOLVED FIXED (Closed)
Opened 2 years ago; closed 2 years ago
Component: Core :: JavaScript Engine (task)
Target Milestone: 105 Branch

Tracking | Status
---|---
firefox105 | fixed

People: Reporter: arai; Assigned: arai
Attachments: 1 file
v8::internal::Isolate has a trace method that traces the values in handleArena_, but apparently trace is not called anywhere.
    class Isolate {
      ...
      void trace(JSTracer* trc);
    };

    // Traces every JS::Value held in handleArena_; only valid during root marking.
    void Isolate::trace(JSTracer* trc) {
      js::gc::AssertRootMarkingPhase(trc);
      for (auto iter = handleArena_.Iter(); !iter.Done(); iter.Next()) {
        auto& elem = iter.Get();
        JS::GCPolicy<JS::Value>::trace(trc, &elem, "Isolate handle arena");
      }
    }
I assume it's supposed to be called in JSContext::trace, after the Isolate gets stored into the JSContext::isolate field, but so far I cannot find any case where handleArena_ becomes non-empty at the point of GC/tracing. So this method might just be unnecessary, but I'm marking this as security-sensitive just in case.
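The hazard behind the report, as an added example that is not part of this bug or of SpiderMonkey: a toy mark-and-sweep collector with a side container of live values whose trace hook may or may not be wired into root marking. Heap, Tracer, HandleArena and payloadAfterGC are hypothetical stand-ins for JSContext, JSTracer, Isolate::handleArena_ and the regexp engine's read through a handle; kPoison is a constructed marker for reclaimed memory. With the hook left out, the value the engine still holds is reclaimed during the cycle and the later read returns garbage, which is the use-after-free class this fix forecloses for any future change that triggers GC inside regexp.

```cpp
// Added example, not SpiderMonkey code: a toy mark-and-sweep collector that
// shows what goes wrong when a container of live GC values (the role played
// by Isolate::handleArena_) has a trace() hook that nothing calls.
// Heap, Tracer, HandleArena and payloadAfterGC are hypothetical stand-ins.
#include <memory>
#include <vector>

// Constructed marker written into reclaimed cells so a stale read is visible.
constexpr int kPoison = 0x5A5A5A5A;

// A GC-managed cell. In the engine this would be the JS::Value's payload.
struct Cell {
    int payload = 0;
    bool marked = false;
    bool freed = false;
};

// Stand-in for JSTracer: the object passed to every trace() hook.
struct Tracer {
    void traceCell(Cell* c) {
        if (c) c->marked = true;
    }
};

// Stand-in for the Isolate's handle arena: cells the regexp engine is still
// using that sit outside the ordinary root set.
struct HandleArena {
    std::vector<Cell*> slots;
    // Counterpart of Isolate::trace(): visit every slot during root marking.
    void trace(Tracer& trc) {
        for (Cell* c : slots) trc.traceCell(c);
    }
};

class Heap {
public:
    Cell* alloc(int value) {
        auto c = std::make_unique<Cell>();
        c->payload = value;
        cells_.push_back(std::move(c));
        return cells_.back().get();
    }

    // One GC cycle. `traceArena` models whether the arena's trace() hook is
    // wired into root marking (in the bug, nothing called it).
    void collect(const std::vector<Cell*>& roots, HandleArena& arena,
                 bool traceArena) {
        Tracer trc;
        for (Cell* r : roots) trc.traceCell(r);   // root marking phase
        if (traceArena) arena.trace(trc);         // the fix: arena is a root too
        // Sweep: everything unmarked is reclaimed. A real collector hands the
        // memory back to the allocator; here the cell is flagged and poisoned
        // so that a stale read is observable rather than undefined behaviour.
        for (auto& c : cells_) {
            if (!c->marked && !c->freed) {
                c->freed = true;
                c->payload = kPoison;
            }
            c->marked = false;
        }
    }

private:
    std::vector<std::unique_ptr<Cell>> cells_;
};

// What the regexp engine reads back through its arena handle after a GC ran
// while that handle was live: the stored value if the cell survived, or
// kPoison if the collector reclaimed it under the engine's feet.
int payloadAfterGC(bool traceArena) {
    Heap heap;
    HandleArena arena;
    Cell* jsRoot = heap.alloc(1);       // reachable via the ordinary root set
    Cell* arenaOnly = heap.alloc(42);   // reachable only through the arena
    arena.slots.push_back(arenaOnly);
    heap.collect({jsRoot}, arena, traceArena);
    return arenaOnly->payload;
}

// True when the arena-only cell did not survive the cycle.
bool arenaCellReclaimed(bool traceArena) {
    return payloadAfterGC(traceArena) == kPoison;
}

int main() {
    // Untraced arena: reclaimed. Traced arena (the fix): survives.
    return (arenaCellReclaimed(false) && !arenaCellReclaimed(true)) ? 0 : 1;
}
```

The assertion in js::gc::AssertRootMarkingPhase in the real method is the other half of the contract: the arena may only be visited while roots are being marked, which is exactly the window in which a container that is never visited is a silent hole in the root set.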
Comment 1 • 2 years ago (Assignee)

Updated • 2 years ago
Assignee: nobody → arai.unmht
Status: NEW → ASSIGNED

Updated • 2 years ago
Group: core-security → javascript-core-security

Comment 2 • 2 years ago (Assignee)
Setting as sec-low, given that there is currently no possible path that can hit the issue, and the trace method is a no-op.
This patch will prevent the issue in a possible future change that triggers GC inside regexp.
Keywords: sec-low
Comment 3 • 2 years ago
No need to hide this if it is just future proofing. Thanks for fixing this.
Group: javascript-core-security
Keywords: sec-low
Pushed by arai_a@mac.com: https://hg.mozilla.org/integration/autoland/rev/bc79ff73f324 Trace irregexp Isolate. r=iain
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
status-firefox105: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 105 Branch