Closed
Bug 514112
Opened 15 years ago
Closed 15 years ago
MAX_DSLOTS_LENGTH is *net*, and avoid *size variable names for net lengths or capacities
Categories
(Core :: JavaScript Engine, defect, P2)
Core
JavaScript Engine
Tracking
()
RESOLVED
FIXED
Tracking | Status | |
---|---|---|
status1.9.2 | --- | beta1-fixed |
blocking1.9.1 | --- | - |
status1.9.1 | --- | wanted |
People
(Reporter: karlt, Assigned: gal)
References
Details
(Whiteboard: fixed-in-tracemonkey [sg:critical?])
Attachments
(2 files)
With gcc -Wtype-limits: /home/karl/moz/dev/js/src/jsarray.cpp: In function 'JSBool ResizeSlots(JSContext*, JSObject*, uint32, uint32)': /home/karl/moz/dev/js/src/jsarray.cpp:327: warning: comparison is always false due to limited range of data type If size == ~(uint32)0, size + 1 will overflow, and if realloc(ptr, 0) chooses to return non-NULL, the overflow will not be detected.
Reporter | ||
Comment 1•15 years ago
|
||
I don't actually understand the comment for MAX_DSLOTS_LENGTH. For ILP32, the value looks like the maximum allocatable size *including* the hidden slot. I read bug 489899 comment 13, but that didn't make it seem right. (At least ResizeSlots() seems to test against the right value for ILP32 systems, though.) http://hg.mozilla.org/mozilla-central/annotate/c07eb0b8b0f1/js/src/jsobj.h#l246 For LP64 systems, MAX_DSLOTS_LENGTH looks like a maximum possible total length that could be passed to realloc, but ResizeSlots() will never pass a length anything close to this.
Reporter | ||
Comment 2•15 years ago
|
||
http://hg.mozilla.org/mozilla-central/annotate/b722d9fdf154/js/src/jsarray.cpp#l327
Comment 3•15 years ago
|
||
Yikes, who reviewed gal's patch? :-P /* * Maximum net gross capacity of the obj->dslots vector, excluding the additional * hidden slot used to store the length of the vector. */ #define MAX_DSLOTS_LENGTH (JS_MAX(~(uint32)0, ~(size_t)0) / sizeof(jsval)) "net gross" is an oxymoron. I'm a moron for r+'ing, though. Karl, thanks for reporting this. /be
Assignee: general → brendan
Status: NEW → ASSIGNED
OS: Linux → All
Hardware: x86 → All
Comment 4•15 years ago
|
||
Attachment #398081 -
Flags: review?(gal)
Assignee | ||
Updated•15 years ago
|
Attachment #398081 -
Attachment is patch: true
Attachment #398081 -
Attachment mime type: application/octet-stream → text/plain
Assignee | ||
Comment 5•15 years ago
|
||
Comment on attachment 398081 [details] [diff] [review] MAX_DSLOTS_LENGTH is *net*, and avoid *size variable names for net lengths or capacities 2nd time is the charm.
Attachment #398081 -
Flags: review?(gal) → review+
Comment 6•15 years ago
|
||
http://hg.mozilla.org/tracemonkey/rev/ec19fb045976 I'm usually a nut about "length" or "count" vs. (byte) "size", and net vs. gross. I shall redouble my efforts... /be
Whiteboard: fixed-in-tracemonkey
Reporter | ||
Comment 7•15 years ago
|
||
Comment on attachment 398081 [details] [diff] [review] MAX_DSLOTS_LENGTH is *net*, and avoid *size variable names for net lengths or capacities This makes things much easier to understand and deals with most of the issues in comment 1, thanks, but doesn't address comment 0. Consider either js_NewUninitializedArray(,, len = 0xFFFFFFFF): ResizeSlots(,,, newcap = 0xFFFFFFFF); or EnsureCapacity(,, newcap = 0xFFFFFFFF): newcap = JS_ROUNDUP(0, CAPACITY_CHUNK) - 1; ResizeSlots(,,, newcap = 0xFFFFFFFF); on LP64 systems such that MAX_DSLOTS_LENGTH = ~(uint64)0 / sizeof(jsval) - 1; and so 0xFFFFFFFF < MAX_DSLOTS_LENGTH. ResizeSlots(,,, newcap = 0xFFFFFFFF): newslots = cx->realloc(slots, bytes = 0); http://hg.mozilla.org/mozilla-central/annotate/c07eb0b8b0f1/js/src/jsutil.h#l195 js_realloc(slots, bytes = 0) bytes = sizeof(void*); return realloc(slots, 8); => newslots has 8 bytes set aside for 0xFFFFFFFF slots.
Comment 9•15 years ago
|
||
Argh, I ignored all the stinking uint32 parameters. Could we not fix this other than by your patch using JS_MIN and uint32(-1), if we just used size_t instead of uint32 for the relevant newlen, etc., params? /be
Reporter | ||
Comment 10•15 years ago
|
||
Yes. uint32 -> size_t makes sense to me.
Reporter | ||
Comment 11•15 years ago
|
||
One thing to consider though is whether a minimal patch will be necessary for 1.9.1.
Reporter | ||
Comment 12•15 years ago
|
||
And another is that uint32(-1) * sizeof is already 32GB of memory so allowing for more elements may be early planning for the future.
Reporter | ||
Comment 13•15 years ago
|
||
... sizeof(jsval) ...
Updated•15 years ago
|
Whiteboard: fixed-in-tracemonkey → fixed-in-tracemonkey [sg:critical?]
Comment 14•15 years ago
|
||
I am sucking at this -- back to 64-bit school for me. Andreas, can I tag out of the ring and let you hit this with a folding chair? I was your review wrestling partner on the regressing patch, but my bad-review guilt has run out :-P. /be
Assignee: brendan → gal
Comment 15•15 years ago
|
||
http://hg.mozilla.org/mozilla-central/rev/ec19fb045976
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Reporter | ||
Comment 16•15 years ago
|
||
Filed bug 517644 on this.
Summary: [LP64] possible overflow in ResizeSlots() → MAX_DSLOTS_LENGTH is *net*, and avoid *size variable names for net lengths or capacities
Updated•15 years ago
|
Updated•15 years ago
|
Flags: blocking1.9.2? → blocking1.9.2+
Priority: -- → P2
Comment 17•15 years ago
|
||
So, do we have a patch yet that is 1.9.1 branch worthy?
Comment 18•15 years ago
|
||
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/be0689de1b9f
status1.9.2:
--- → beta1-fixed
Updated•15 years ago
|
blocking1.9.1: ? → .5+
Reporter | ||
Comment 19•15 years ago
|
||
Comment on attachment 398107 [details] [diff] [review] accurate MAX_DSLOTS_LENGTH when uint32(-1) < size_t(-1) The overflow was fixed in a different way in bug 517644. MAX_DSLOTS_LENGTH is not used on LP64 systems except in compile-time tests to see whether it is greater than MAX_DSLOTS_LENGTH32.
Attachment #398107 -
Flags: review?(brendan)
Comment 20•15 years ago
|
||
Does the patch that landed apply to 1.9.1? If so, can you please request approval. If not, please attach one that does. Code freeze is scheduled for November 10 at 11:59pm PDT.
Comment 21•15 years ago
|
||
Gal? Karl?
Reporter | ||
Comment 22•15 years ago
|
||
I don't actually understand what this fixes. The overflow reported in comment 0 was fixed in bug 517644.
Reporter | ||
Comment 23•15 years ago
|
||
... fixed on trunk, i mean.
Updated•15 years ago
|
blocking1.9.1: .6+ → .7+
Comment 24•14 years ago
|
||
64 bit Linux isn't a supported platform for Gecko 1.9.1. Drivers would accept a nominated patch (looks like it would be easy) if someone can figure out which of these applies to that branch.
blocking1.9.1: .8+ → -
Updated•13 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•