Closed
Bug 548175
Opened 14 years ago
Closed 14 years ago
String::Pointers is not safe to use across a GC collection, but String does anyway
Categories
(Tamarin Graveyard :: Virtual Machine, defect, P2)
Tamarin Graveyard
Virtual Machine
Tracking
(Not tracked)
VERIFIED
FIXED
flash10.1
People
(Reporter: stejohns, Assigned: stejohns)
Details
Attachments
(1 file, 1 obsolete file)
14.48 KB,
patch
|
edwsmith
:
review+
kpalacz
:
review+
|
Details | Diff | Splinter Review |
The pointers in this struct could be invalidated by a GC collection: if the string was a static string pointing into an ABC's constant pool, and the ScriptBuffer containing the ABC is collected, and is allocated via non-GC memory, we'll point to bogus (possibly decommitted) memory. We need to audit the usage of String::Pointers to ensure we don't use it across such a boundary.
Assignee | ||
Comment 1•14 years ago
|
||
Assignee: nobody → stejohns
Attachment #428611 -
Flags: review?(edwsmith)
Assignee | ||
Updated•14 years ago
|
Attachment #428611 -
Attachment is patch: true
Attachment #428611 -
Attachment mime type: application/octet-stream → text/plain
Status: NEW → ASSIGNED
Flags: flashplayer-qrb+
Priority: -- → P2
Target Milestone: --- → flash10.1
Updated•14 years ago
|
Attachment #428611 -
Flags: review?(kpalacz)
Assignee | ||
Comment 2•14 years ago
|
||
Krzysztof points out that with this patch, internSubstring can now produce a dependent string, which is undesirable in this case: a tiny substring could force a giant XML string to be held in memory. Revised patch simply calls fixDependentString() after substring(), which should do the prudent thing.
Attachment #428611 -
Attachment is obsolete: true
Attachment #428791 -
Flags: review?(edwsmith)
Attachment #428611 -
Flags: review?(kpalacz)
Attachment #428611 -
Flags: review?(edwsmith)
Assignee | ||
Updated•14 years ago
|
Attachment #428791 -
Flags: review?(kpalacz)
Comment 3•14 years ago
|
||
Comment on attachment 428791 [details] [diff] [review] Patch v2 As a general comment, fixing this bug required looking into all the functions recursively called from inside every Pointers live range, and checking that no GC allocation can occur. As the code evolves, functions that didn't allocate before may start allocating, and the bug may reappear. A convention to distinguish recursively allocating functions from non-allocating functions would be helpful. One extreme idea would be require an explicit GC instance to be passed as the last argument to every potentially allocating function (that would make everyone think twice about adding an allocation where there wasn't any before!). It sounds painful, but I've seen a variant of it in the wild, so it's feasible (and things will only get worse if not only strings but other types of objects start moving around).
Attachment #428791 -
Flags: review?(kpalacz) → review+
Comment 4•14 years ago
|
||
Comment on attachment 428791 [details] [diff] [review] Patch v2 we're eons from "obviously no bugs" and into solid "no obvious bugs" territory.
Attachment #428791 -
Flags: review?(edwsmith) → review+
Assignee | ||
Comment 5•14 years ago
|
||
http://hg.mozilla.org/tamarin-redux/rev/27233799b1b2
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
You need to log in
before you can comment on or make changes to this bug.
Description
•