Closed Bug 1987428 Opened 8 months ago Closed 8 months ago

CallArgs::operator[] should release assert

Categories

(Core :: JavaScript Engine, task)

Product:
Core
Component:
JavaScript Engine
Type:
task

Tracking

()

Status:
RESOLVED FIXED
Milestone:
144 Branch
Tracking Flags:
Tracking Status
firefox-esr115 --- fixed
firefox-esr140 --- fixed
firefox143 --- wontfix
firefox144 --- fixed

People

(Reporter: mccr8, Assigned: mccr8)

References

Details

Attachments

(3 files)

Bug 1987428 - Make CallArgs::operator[] consistent with ::get.
48 bytes, text/x-phabricator-request
Details
Bug 1987428 - Make CallArgs::operator[] consistent with ::get.
48 bytes, text/x-phabricator-request
phab-bot
: approval-mozilla-esr140+
Details
Bug 1987428 - Make CallArgs::operator[] consistent with ::get.
48 bytes, text/x-phabricator-request
phab-bot
: approval-mozilla-esr115+
Details

CallArgs::get() does a bounds check on length(), but CallArgs::operator[] does not. This means that if somebody is refactoring code from the former to the latter it can become unsafe. The easiest way to fix this is to change the MOZ_ASSERT in operator[] to a MOZ_RELEASE_ASSERT.

Assignee: nobody → continuation
Status: NEW → ASSIGNED

I haven't done any performance testing but it is probably fine right?

I don't think I'm inherently opposed to this patch (though I wouldn't be surprised if there are workloads where we do in fact detect a perf regression -- this is on some hot paths).

I will say though, get and operator[] have different semantics and I'd be kind of uncomfortable with patches that are trying to change from one to the other without a fair amount of review.

(In reply to Matthew Gaudet (he/him) [:mgaudet] from comment #3)

I don't think I'm inherently opposed to this patch (though I wouldn't be surprised if there are workloads where we do in fact detect a perf regression -- this is on some hot paths).

I'm hoping that the branch being very well predicted will avoid performance regressions. That being said, there are a handful of places where we had to opt-out of release mode bounds checks for nsTArray because it was showing up on profiles. Still, I think a safe-by-default approach is better.

I will say though, get and operator[] have different semantics and I'd be kind of uncomfortable with patches that are trying to change from one to the other without a fair amount of review.

Yes, that is why I am not changing the semantics. An out-of-bounds access will be undefined behavior without my patch, so changing it to a crash is consistent.

See Also: 19873781987290
Pushed by amccreight@mozilla.com: https://github.com/mozilla-firefox/firefox/commit/16efc1c29ba3 https://hg.mozilla.org/integration/autoland/rev/46fe6d00eaf4 Make CallArgs::operator[] consistent with ::get. r=spidermonkey-reviewers,mgaudet

https://hg.mozilla.org/mozilla-central/rev/46fe6d00eaf4

Status: ASSIGNED → RESOLVED
Closed: 8 months ago
status-firefox144: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 144 Branch
QA Whiteboard: [qa-triage-done-c145/b144]

firefox-esr140 Uplift Approval Request

  • User impact if declined: This provides "belt and suspenders" protection against potential sec-high issues in SpiderMonkey. That being said, the fuzzers should be good at finding any place that has this problem so it is unlikely we have any.
  • Code covered by automated testing: yes
  • Fix verified in Nightly: yes
  • Needs manual QE test: no
  • Steps to reproduce for manual QE testing: none
  • Risk associated with taking this patch: low
  • Explanation of risk level: This adds some checks that should never fail. The only real risk is performance regressions, but it has been on m-c for about a week and a half without any regressions so I think it is fine.
  • String changes made/needed: none
  • Is Android affected?: yes
Attachment #9514387 - Flags: approval-mozilla-esr140?

firefox-esr115 Uplift Approval Request

  • User impact if declined: This provides "belt and suspenders" protection against potential sec-high issues in SpiderMonkey. That being said, the fuzzers should be good at finding any place that has this problem so it is unlikely we have any.
  • Code covered by automated testing: yes
  • Fix verified in Nightly: yes
  • Needs manual QE test: no
  • Steps to reproduce for manual QE testing: none
  • Risk associated with taking this patch: low
  • Explanation of risk level: This adds some checks that should never fail. The only real risk is performance regressions, but it has been on m-c for about a week and a half without any regressions so I think it is fine.
  • String changes made/needed: none
  • Is Android affected?: yes
Attachment #9514389 - Flags: approval-mozilla-esr115?
Attachment #9514387 - Flags: approval-mozilla-esr140? → approval-mozilla-esr140+
Attachment #9514389 - Flags: approval-mozilla-esr115? → approval-mozilla-esr115+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: