Closed Bug 1855796 Opened 1 year ago Closed 1 year ago

nsTArray::RemoveElementAtUnsafe() should have checks in debug builds

Categories

(Core :: XPCOM, defect)

Product:
Core
Component:
XPCOM
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
120 Branch
Tracking Flags:
Tracking Status
firefox-esr115 --- unaffected
firefox118 --- wontfix
firefox119 --- wontfix
firefox120 --- fixed

People

(Reporter: mccr8, Assigned: mccr8)

References

(Regression)

Details

(Keywords: regression)

Attachments

(1 file)

Bug 1855796 - Add a debug check to nsTArray::RemoveElementAtUnsafe().
48 bytes, text/x-phabricator-request
Details | Review

Bug 1848714 changed nsTArray::RemoveElementAtUnsafe() from a private method to a public method, for use in places where we can be confident by inspection that the bounds check is redundant, and that profiling has indicated are performance sensitive.

However, this method lacks assertions, so not only are we not doing bounds checks in release builds, we are also not doing bounds checks in debug builds. This means that we can only be sure of catching buffer overflows in ASan builds, which is not great.

Maybe this can be done by turning RemoveElementAtUnsafe() back into a private method with a name like RemoveElementAtImpl(), and adding a new RemoveElementAtUnsafe() that is a wrapper around that with the appropriate assertions. Ideally this would share checking code with RemoveElement().

Set release status flags based on info from the regressing bug 1848714

:smaug, since you are the author of the regressor, bug 1848714, could you take a look? Also, could you set the severity field?

For more information, please visit BugBot documentation.

status-firefox-esr115: --- → unaffected
Flags: needinfo?(smaug)

Oops, I thought I set it to "task" as this isn't exactly a user-facing defect.

Type: task → defect

I'll look at this I guess.

Assignee: nobody → continuation
Flags: needinfo?(smaug)

Oh right, it doesn't like regressions that are tasks.

Severity: -- → S4
Type: task → defect

It turns out that there are no external callers of RemoveElementsAtUnsafe(), so the simplest fix is to make it private again and just add a debug bounds check to RemoveElementAtUnsafe().

Summary: nsTArray::RemoveElementsAtUnsafe() should have checks in debug builds → nsTArray::RemoveElementAtUnsafe() should have checks in debug builds

Also make RemoveElementsAtUnsafe() private again because there are no
external callers. If any external callers are added, then we probably
want them to be made to a different version that does checks in
debug builds.

Pushed by amccreight@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/3a59a4fb2231 Add a debug check to nsTArray::RemoveElementAtUnsafe(). r=emilio

https://hg.mozilla.org/mozilla-central/rev/3a59a4fb2231

Status: NEW → RESOLVED
Closed: 1 year ago
status-firefox120: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → 120 Branch
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: