Closed Bug 548175 Opened 14 years ago Closed 14 years ago

String::Pointers is not safe to use across a GC collection, but String does anyway

Categories

(Tamarin Graveyard :: Virtual Machine, defect, P2)

Product:
Tamarin Graveyard
Component:
Virtual Machine
Type:
defect

Tracking

(Not tracked)

Status:
VERIFIED FIXED
Milestone:
flash10.1

People

(Reporter: stejohns, Assigned: stejohns)

Details

Attachments

(1 file, 1 obsolete file)

Patch v2
14.48 KB, patch
edwsmith
: review+
kpalacz
: review+
Details | Diff | Splinter Review 
The pointers in this struct could be invalidated by a GC collection: if the string was a static string pointing into an ABC's constant pool, and the ScriptBuffer containing the ABC is collected, and is allocated via non-GC memory, we'll point to bogus (possibly decommitted) memory.

We need to audit the usage of String::Pointers to ensure we don't use it across such a boundary.
Attached patch Patch (obsolete) — Splinter Review 
Assignee: nobody → stejohns

        Attachment #428611 -
        Flags: review?(edwsmith)

    
  

        Attachment #428611 -
        Attachment is patch: true

        Attachment #428611 -
        Attachment mime type: application/octet-stream → text/plain

    
  
Status: NEW → ASSIGNED
Flags: flashplayer-qrb+
Priority: -- → P2
Target Milestone: --- → flash10.1

    
  

        Attachment #428611 -
        Flags: review?(kpalacz)

    
    

    
  

      
      
      
      

        Attached patch
          
          
        Patch v2Splinter Review
      

    


  
Krzysztof points out that with this patch, internSubstring can now produce a dependent string, which is undesirable in this case: a tiny substring could force a giant XML string to be held in memory. Revised patch simply calls fixDependentString() after substring(), which should do the prudent thing.

        Attachment #428611 -
        Attachment is obsolete: true

        Attachment #428791 -
        Flags: review?(edwsmith)

        Attachment #428611 -
        Flags: review?(kpalacz)

        Attachment #428611 -
        Flags: review?(edwsmith)

    
  

        Attachment #428791 -
        Flags: review?(kpalacz)

    
    

    
  
Comment on attachment 428791 [details] [diff] [review]
Patch v2

As a general comment, fixing this bug required looking into all the functions recursively called from inside every Pointers live range, and checking that no GC allocation can occur. As the code evolves, functions that didn't allocate before may start allocating, and the bug may reappear. 

A convention to distinguish recursively allocating functions from non-allocating functions would be helpful. One extreme idea would be require an explicit GC instance to be passed as the last argument to every potentially allocating function (that would make everyone think twice about adding an allocation where there wasn't any before!). It sounds painful, but I've seen a variant of it in the wild, so it's feasible (and things will only get worse if not only strings but other types of objects start moving around).

        Attachment #428791 -
        Flags: review?(kpalacz) → review+

    
    

    
  
Comment on attachment 428791 [details] [diff] [review]
Patch v2

we're eons from "obviously no bugs" and into solid "no obvious bugs" territory.

        Attachment #428791 -
        Flags: review?(edwsmith) → review+

    
    

    
  
http://hg.mozilla.org/tamarin-redux/rev/27233799b1b2
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED

    
    

    
  
Verified in argo changeset 3750	27233799b1b2
Status: RESOLVED → VERIFIED
No longer blocks: 557022

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: