Closed
Bug 443871
Opened 16 years ago
Closed 16 years ago
Protect against null objects in a title's scope/map
Categories
(Core :: JavaScript Engine, defect)
Core
JavaScript Engine
Tracking
()
RESOLVED
FIXED
People
(Reporter: bent.mozilla, Assigned: igor)
References
Details
(Keywords: fixed1.9.0.16, Whiteboard: [sg:dos] null deref)
Attachments
(1 file, 1 obsolete file)
|
1.65 KB,
patch
|
brendan
:
review+
dveditz
:
approval1.9.0.16+
|
Details | Diff | Splinter Review |
shaver, jorendorff, and brendan helped figure this out when i kept crashing here working on bug 437152. Apparently the assumption that a scope will always have an object is invalid. Patch attached.
|
Reporter | |
Comment 1•16 years ago
|
||
|
|
Reporter | |
Updated•16 years ago
|
Attachment #328296 -
Attachment is patch: true
Attachment #328296 -
Attachment mime type: application/octet-stream → text/plain
Attachment #328296 -
Flags: review?(brendan)
|
|
Reporter | |
Updated•16 years ago
|
Assignee: general → bent.mozilla
|
||
Updated•16 years ago
|
Version: unspecified → Trunk
|
||
Comment 2•16 years ago
|
||
Comment on attachment 328296 [details] [diff] [review] Patch >+ title->ownercx = NULL; /* NB: set last, after lock init */ That comment means what it says. This should not be moved up to common it in the early return if !obj and fall through cases. Instead, you want an if (obj) {...} around the whole js_MakeStringImmutable for loop. /be >+ JS_RUNTIME_METER(cx->runtime, sharedTitles); >+ > obj = scope->object; >+ if (!obj) >+ return; >+ > nslots = scope->map.freeslot; > for (i = 0; i != nslots; ++i) { > v = STOBJ_GET_SLOT(obj, i); > if (JSVAL_IS_STRING(v) && > !js_MakeStringImmutable(cx, JSVAL_TO_STRING(v))) { > /* > * FIXME bug 363059: The following error recovery changes runtime > * execution semantics, arbitrarily and silently ignoring errors > * except out-of-memory, which should have been reported through > * JS_ReportOutOfMemory at this point. > */ > STOBJ_SET_SLOT(obj, i, JSVAL_VOID); > } > } >- >- title->ownercx = NULL; /* NB: set last, after lock init */ >- JS_RUNTIME_METER(cx->runtime, sharedTitles); > } > > /* > * Given a title with apparently non-null ownercx different from cx, try to > * set ownercx to cx, claiming exclusive (single-threaded) ownership of title. > * If we claim ownership, return true. Otherwise, we wait for ownercx to be > * set to null (indicating that title is multi-threaded); or if waiting would > * deadlock, we set ownercx to null ourselves via ShareTitle. In any case,
|
|
Reporter | |
Comment 3•16 years ago
|
||
Updated to address brendan's comments.
Attachment #328296 -
Attachment is obsolete: true
Attachment #330564 -
Flags: review?(brendan)
Attachment #328296 -
Flags: review?(brendan)
|
|
||
Comment 4•16 years ago
|
||
Comment on attachment 330564 [details] [diff] [review] Patch, v2 I mentally diff -w'ed and it looks good ;-). /be
Attachment #330564 -
Flags: review?(brendan) → review+
|
|
Reporter | |
Comment 5•16 years ago
|
||
Pushed to moz-central.
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
|
||
Updated•16 years ago
|
Flags: in-testsuite-
Flags: in-litmus-
|
||
Comment 6•15 years ago
|
||
For reference, the relevant revision is http://hg.mozilla.org/mozilla-central/rev/5f878cdd1d5e
|
Assignee | |
Comment 7•15 years ago
|
||
Most likely this bug is the reason for the top crash in bug 506823. Thus I suggest to backport it to 1.9.0. For the record, here is a scenario for this bug. scope->object becomes null when the object is GC-ed while the scope is shared among other reachable objects. This is possible, for example, for compiled functions. For them the code uses STOBJ_CLEAR_PARENT not to leak the compilation-time scope. But that still leaves Function.prototype scope shared. If that compile-time function is accessed from several threads, then we will get a bug like this since JS_OBJ_LOCK eventually calls js_FinishSharingTitle on such title and crash when the function tries to enumerate over object's slots.
Flags: blocking1.9.0.15?
|
||
Updated•15 years ago
|
Flags: blocking1.9.0.15? → blocking1.9.0.16?
|
||
Updated•15 years ago
|
Whiteboard: [sg:dos] null deref
|
|
||
Updated•15 years ago
|
Flags: wanted1.9.0.x+
Flags: blocking1.9.0.16?
Flags: blocking1.9.0.16+
|
|
||
Comment 8•15 years ago
|
||
Ben: Do you have time to backport this or do we need to find an owner for this 1.9.0.16 blocker? Igor: Can you own this? Code freeze is scheduled for November 10 at 11:59pm PDT.
|
|
Reporter | |
Comment 9•15 years ago
|
||
I would think someone more familiar with jseng should look here...
|
|
Assignee | |
Comment 10•15 years ago
|
||
Comment on attachment 330564 [details] [diff] [review] Patch, v2 After file name change the patch applies as-is to 1.9.0.
Attachment #330564 -
Flags: approval1.9.0.16?
|
|
Assignee | |
Updated•15 years ago
|
Assignee: bent.mozilla → igor
|
|
||
Comment 11•15 years ago
|
||
Comment on attachment 330564 [details] [diff] [review] Patch, v2 Approved for 1.9.0.16, a=dveditz for release-drivers
Attachment #330564 -
Flags: approval1.9.0.16? → approval1.9.0.16+
|
|
Assignee | |
Comment 12•15 years ago
|
||
landed to 1.9.0 branch: Checking in jslock.c; /cvsroot/mozilla/js/src/jslock.c,v <-- jslock.c new revision: 3.85; previous revision: 3.84
|
|
Assignee | |
Updated•15 years ago
|
Keywords: fixed1.9.0.16
|
||
Comment 13•15 years ago
|
||
Is there anything specific that can be done here to verify this for 1.9.0.16?
|
|
Assignee | |
Comment 14•15 years ago
|
||
(In reply to comment #13) > Is there anything specific that can be done here to verify this for 1.9.0.16? I am not aware f browser-related tests. On the other hand a test for js shell should be feasible. But I do not have time this week to create one.
You need to log in
before you can comment on or make changes to this bug.
Description
•