Closed Bug 355053 Opened 19 years ago Closed 19 years ago

Site's code can execute during GC (using generators and exceptions)

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
PowerPC
macOS
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED DUPLICATE of bug 380469

People

(Reporter: jruderman, Unassigned)

Details

(Keywords: testcase)

js> function gen() { try { yield true; } finally { throw 'foo'; } }; js> try { for(var p in gen()) throw this; } catch(e) { print("Caught: " + e); } Caught: [object global] js> print("*** Before GC"); gc(); print("*** After GC"); *** Before GC uncaught exception: foo before 9232, after 9232, break 01008000 *** After GC "Site-specified code executing when it shouldn't" scares me, so tentatively marking security-sensitive even though I haven't been able to make it crash.
Running finally during calls to JS_GC() or JS_MaybeGC() is a feature. See bug 352788 and its dependencies for reasoning why the current implementation is safe. Personally I do not like this feature of Python 2.5 iteration protocol, but alternatives would require to change JS 1.7 very significantly plus the current implementation seems to be sound.
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → INVALID
Group: security
Resolution: INVALID → DUPLICATE
You need to log in before you can comment on or make changes to this bug.