nsTArray::RemoveElementAtUnsafe() should have checks in debug builds
Categories
(Core :: XPCOM, defect)
Tracking
()
Tracking | Status | |
---|---|---|
firefox-esr115 | --- | unaffected |
firefox118 | --- | wontfix |
firefox119 | --- | wontfix |
firefox120 | --- | fixed |
People
(Reporter: mccr8, Assigned: mccr8)
References
(Regression)
Details
(Keywords: regression)
Attachments
(1 file)
Bug 1848714 changed nsTArray::RemoveElementAtUnsafe() from a private method to a public method, for use in places where we can be confident by inspection that the bounds check is redundant, and that profiling has indicated are performance sensitive.
However, this method lacks assertions, so not only are we not doing bounds checks in release builds, we are also not doing bounds checks in debug builds. This means that we can only be sure of catching buffer overflows in ASan builds, which is not great.
Maybe this can be done by turning RemoveElementAtUnsafe() back into a private method with a name like RemoveElementAtImpl(), and adding a new RemoveElementAtUnsafe() that is a wrapper around that with the appropriate assertions. Ideally this would share checking code with RemoveElement().
Assignee | ||
Updated•1 year ago
|
Comment 1•1 year ago
|
||
Set release status flags based on info from the regressing bug 1848714
:smaug, since you are the author of the regressor, bug 1848714, could you take a look? Also, could you set the severity field?
For more information, please visit BugBot documentation.
Assignee | ||
Comment 2•1 year ago
|
||
Oops, I thought I set it to "task" as this isn't exactly a user-facing defect.
Assignee | ||
Comment 3•1 year ago
|
||
I'll look at this I guess.
Assignee | ||
Updated•1 year ago
|
Assignee | ||
Comment 4•1 year ago
|
||
Oh right, it doesn't like regressions that are tasks.
Assignee | ||
Updated•1 year ago
|
Assignee | ||
Comment 5•1 year ago
|
||
It turns out that there are no external callers of RemoveElementsAtUnsafe(), so the simplest fix is to make it private again and just add a debug bounds check to RemoveElementAtUnsafe().
Assignee | ||
Comment 6•1 year ago
|
||
Also make RemoveElementsAtUnsafe() private again because there are no
external callers. If any external callers are added, then we probably
want them to be made to a different version that does checks in
debug builds.
Comment 8•1 year ago
|
||
bugherder |
Description
•