Undefined behavior in ShmemCharMapHashEntry
Categories
(Core :: Graphics: Text, defect)
Tracking
()
People
(Reporter: mozillabugs, Assigned: jfkthame)
References
Details
(Keywords: csectype-undefined, reporter-external, sec-low, Whiteboard: [adv-main126+])
Attachments
(2 files)
ShmemCharMapHashEntry (gfx/thebes/gfxPlatformFontList.h) invokes undefined behavior because it hasa mozilla::fontlist::Pointer which hasa std::atomic<uint32_t>, which is not guaranteed to be trivially copyable. Yet ShmemCharMapHashEntry is declared as ALLOW_MEMMOVE = true, which allows nsHashtable to move it using memmove() instead of by calling its move constructor/move assignment operator. memcpy/memmoveing is valid only for "trivially copyable" types; see C++ Standard N4750 s.6.7(1-3). Nothing in the Standard requires std::atomic to be trivially copyable, so this operation is UB. Indeed, std:: classes can be implemented in any manner that produces the correct observable behavior, N4750 s.4.1.1, unless explicitly documented otherwise.
Source from FIREFOX_123_0_1_RELEASE:
(gfx/thebes/gfxPlatformFontList.h):
89: class ShmemCharMapHashEntry final : public PLDHashEntryHdr {
...
127: enum { ALLOW_MEMMOVE = true };
128:
129: private:
130: // charMaps are stored in the shared memory that FontList objects point to,
131: // and are never deleted until the FontList (all referencing font lists,
132: // actually) have gone away.
...
134: mozilla::fontlist::Pointer mCharMap;
...
136: };
(gfx/thebes/SharedFontList.h):
28: struct Pointer {
...
101: // We store the block index and the offset within the block as a single
102: // atomic 32-bit value so we can safely modify a Pointer without other
103: // processes seeing a broken (partially-updated) value.
104: std::atomic<uint32_t> mBlockAndOffset;
105: };
|
||
Comment 1•1 year ago
|
||
"moderate" may be overstating this because the actual compilers we use appear to implement atomics as trivially copyable in practice.
|
||
Comment 2•1 year ago
|
||
The severity field is not set for this bug.
:lsalzman, could you have a look please?
For more information, please visit BugBot documentation.
|
Assignee | |
Comment 3•1 year ago
|
||
(In reply to Daniel Veditz [:dveditz] from comment #1)
"moderate" may be overstating this because the actual compilers we use appear to implement atomics as trivially copyable in practice.
Yeah, it seems unlikely this is currently a "real" problem, but we should fix it anyway. Who knows what weird thing some future compiler might do.
|
|
Assignee | |
Comment 4•1 year ago
|
||
|
||
Updated•1 year ago
|
|
||
Updated•1 year ago
|
|
||
Comment 6•1 year ago
|
||
|
||
Comment 7•1 year ago
|
||
Doesn't feel like something we need to worry about backporting, but feel free to nominate for ESR approval if you feel strongly otherwise.
|
|
||
Comment 8•1 year ago
|
||
changing bug to sec-low, but we can bump it back up if it's shown that this is a realistic problem
|
||
Updated•1 year ago
|
|
||
Updated•1 year ago
|
|
|
||
Comment 9•1 year ago
|
||
|
||
Updated•1 year ago
|
|
||
Updated•1 year ago
|
|
|
||
Updated•11 months ago
|
Description
•