Bug 551507 - Bad auto root usage in jstypedarray.cpp
Status: Closed (RESOLVED FIXED)
Opened 14 years ago
Closed 14 years ago
Categories: Core :: JavaScript Engine, defect
People: Reporter: igor, Assigned: Waldo
Whiteboard: [sg:critical?] fixed-in-tracemonkey
Attachments (1 file): patch, 1.89 KB, Waldo: review+
js_CreateTypedArray from jstypedarray.cpp contains:

    ...
    jsval vals[2];
    AutoArrayRooter tvr(cx, JS_ARRAY_LENGTH(vals), vals);
    if (!js_NewNumberInRootedValue(cx, jsdouble(nelements), &vals[0]))
        return NULL;

This does not null the vals array before rooting it with tvr. If js_NewNumberInRootedValue triggers the GC, then that GC will try to mark an uninitialized value.
Comment 1•14 years ago
My bad. I reviewed it.
Assignee: general → gal
Attachment #431666 - Flags: review?(igor)
Updated•14 years ago
Whiteboard: [sg:critical?]
Comment 2•14 years ago
This is only in trunk and not in any of our products.
Comment 3•14 years ago (Assignee)
Comment on attachment 431666 [details] [diff] [review]
patch

Stealing... I suggest JSVAL_NULL simply because that's 0 and might conceivably initialize faster, with no semantic difference -- or it might just be talismanic.
Attachment #431666 - Flags: review?(igor) → review+
Changed to NULL and pushed to tm, at brendan's request: http://hg.mozilla.org/tracemonkey/rev/80fc5dcabaf9
Some stack helpers for this might be nice, e.g. RootedJSValArray vals(4); or something.
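The root-then-initialize pattern from the description and the stack helper suggested in the comment above, as an added example that is not SpiderMonkey code: a toy runtime with a root list, a mark phase that inspects every rooted word, the buggy shape of js_CreateTypedArray, the JSVAL_NULL fix that landed, and a RootedValArray helper (hypothetical name, modelled on the suggested RootedJSValArray) whose member order guarantees the slots are nulled before they are rooted. The jsval tagging scheme, the Runtime and GCThing types, the STALE_STACK_WORD poison that stands in for uninitialized stack memory, and every name other than AutoArrayRooter, JSVAL_NULL and js_NewNumberInRootedValue are assumptions of this example.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <utility>
#include <vector>

// Toy jsval (assumption, not the engine's real tagging): a machine word whose
// low bit says whether it boxes a heap pointer. JSVAL_NULL is the all-zero
// word, which is why it is the cheapest initializer.
typedef uintptr_t jsval;
static const jsval JSVAL_NULL = 0;
static const uintptr_t JSVAL_PTR_TAG = 1;

struct GCThing { bool marked; };

static bool jsvalIsPointer(jsval v) { return (v & JSVAL_PTR_TAG) != 0; }
static GCThing* jsvalToPointer(jsval v) { return reinterpret_cast<GCThing*>(v & ~JSVAL_PTR_TAG); }
static jsval pointerToJsval(GCThing* p) { return reinterpret_cast<uintptr_t>(p) | JSVAL_PTR_TAG; }

// Minimal runtime: the set of live GC things and a stack of rooted arrays.
struct Runtime {
    std::vector<GCThing*> live;
    std::vector<std::pair<jsval*, size_t> > roots;
    size_t bogusRootsSeen;   // rooted words that "point" outside the live set
    bool gcOnNextAlloc;
    Runtime() : bogusRootsSeen(0), gcOnNextAlloc(false) {}
    ~Runtime() { for (size_t i = 0; i < live.size(); i++) delete live[i]; }
};

// Stand-in for AutoArrayRooter: registers vals[0..len) for its own lifetime.
// It does not initialize the array; that is the caller's job, hence the bug.
struct AutoArrayRooter {
    Runtime& rt;
    AutoArrayRooter(Runtime& r, size_t len, jsval* vals) : rt(r) {
        rt.roots.push_back(std::make_pair(vals, len));
    }
    ~AutoArrayRooter() { rt.roots.pop_back(); }
};

// Mark phase: every rooted word that looks like a pointer is followed. The real
// marker dereferences it; this one only checks that it names a live thing.
static void markRoots(Runtime& rt) {
    for (size_t i = 0; i < rt.roots.size(); i++) {
        jsval* arr = rt.roots[i].first;
        for (size_t j = 0; j < rt.roots[i].second; j++) {
            if (!jsvalIsPointer(arr[j])) continue;   // JSVAL_NULL and immediates are skipped
            GCThing* p = jsvalToPointer(arr[j]);
            bool found = false;
            for (size_t k = 0; k < rt.live.size(); k++)
                if (rt.live[k] == p) found = true;
            if (found) p->marked = true;
            else rt.bogusRootsSeen++;   // the real GC would have chased garbage here
        }
    }
}

// Stand-in for js_NewNumberInRootedValue: an allocation that may GC first.
static bool newNumberInRootedValue(Runtime& rt, double, jsval* vp) {
    if (rt.gcOnNextAlloc) { markRoots(rt); rt.gcOnNextAlloc = false; }
    GCThing* d = new GCThing();
    rt.live.push_back(d);
    *vp = pointerToJsval(d);
    return true;
}

// Constructed stand-in for whatever the stack held before vals[] was declared.
// Reading truly uninitialized memory is undefined, so the example writes it.
static const jsval STALE_STACK_WORD = 0xdead0001u;   // tag bit set: looks like a pointer

// Shape of the original js_CreateTypedArray: root first, initialize later.
// Returns how many garbage words the marker was handed (2: both slots).
static size_t createTypedArrayBuggy(Runtime& rt) {
    jsval vals[2] = { STALE_STACK_WORD, STALE_STACK_WORD };   // models "uninitialized"
    AutoArrayRooter tvr(rt, 2, vals);
    rt.gcOnNextAlloc = true;                                  // force the GC window
    newNumberInRootedValue(rt, 4.0, &vals[0]);                // GC runs before either slot is set
    return rt.bogusRootsSeen;
}

// The landed fix: null the slots before the rooter can expose them.
static size_t createTypedArrayFixed(Runtime& rt) {
    jsval vals[2] = { JSVAL_NULL, JSVAL_NULL };
    AutoArrayRooter tvr(rt, 2, vals);
    rt.gcOnNextAlloc = true;
    newNumberInRootedValue(rt, 4.0, &vals[0]);
    return rt.bogusRootsSeen;
}

// Helper in the spirit of the suggested RootedJSValArray (name is hypothetical):
// vals is declared before tvr, so it is value-initialized to zero before tvr roots it.
template <size_t N>
struct RootedValArray {
    jsval vals[N];
    AutoArrayRooter tvr;
    explicit RootedValArray(Runtime& rt) : vals(), tvr(rt, N, vals) {}
    jsval& operator[](size_t i) { return vals[i]; }
};

static size_t createTypedArrayWithHelper(Runtime& rt) {
    RootedValArray<2> vals(rt);
    rt.gcOnNextAlloc = true;
    newNumberInRootedValue(rt, 4.0, &vals[0]);
    return rt.bogusRootsSeen;
}

int main() {
    Runtime a, b, c;
    std::printf("buggy: %zu garbage roots marked\n", createTypedArrayBuggy(a));
    std::printf("fixed: %zu, helper: %zu\n", createTypedArrayFixed(b), createTypedArrayWithHelper(c));
    return 0;
}
```

The helper is the interesting part: it moves the invariant "rooted storage is never garbage" out of every call site and into a constructor whose member initialization order enforces it, which is exactly the class of mistake a reviewer otherwise has to catch by eye.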
Whiteboard: [sg:critical?] → [sg:critical?] fixed-in-tracemonkey
Sayrer, can we get this merged pretty soon?
Comment 7•14 years ago
http://hg.mozilla.org/mozilla-central/rev/80fc5dcabaf9
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Updated•9 years ago
Group: core-security