Closed Bug 551507 Opened 13 years ago Closed 13 years ago

Bad auto root usage in jstypedarray.cpp

Categories

(Core :: JavaScript Engine, defect)

defect
Not set
normal

Tracking

()

RESOLVED FIXED

People

(Reporter: igor, Assigned: Waldo)

References

Details

(Whiteboard: [sg:critical?] fixed-in-tracemonkey)

Attachments

(1 file)

js_CreateTypedArray from jstypedarray.cpp contains:

...
    jsval vals[2];
    AutoArrayRooter tvr(cx, JS_ARRAY_LENGTH(vals), vals);

    if (!js_NewNumberInRootedValue(cx, jsdouble(nelements), &vals[0]))
        return NULL;

This does not null the vals array before rooting it with tvr. If js_NewNumberInRootedValue triggers the GC, then that GC will try to mark an uninitialized value.
Attached patch: patch
My bad. I reviewed it.
Assignee: general → gal
Attachment #431666 - Flags: review?(igor)
Whiteboard: [sg:critical?]
This is only in trunk and not in any of our products.
Comment on attachment 431666 (patch)

Stealing...

I suggest JSVAL_NULL simply because that's 0 and might conceivably initialize faster, with no semantic difference -- or it might just be talismanic.
Attachment #431666 - Flags: review?(igor) → review+
All yours waldo :)
Assignee: gal → jwalden+bmo
Changed to NULL and pushed to tm, at brendan's request:

http://hg.mozilla.org/tracemonkey/rev/80fc5dcabaf9

Some stack helpers for this might be nice, e.g. RootedJSValArray vals(4); or something.
Whiteboard: [sg:critical?] → [sg:critical?] fixed-in-tracemonkey
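A toy model of the rooting bug from the bug description, of the fix that landed (nulling the slots before the rooter registers them), and of the kind of stack helper suggested in the comment above, added here as an example; it is not code from the patch or from SpiderMonkey. Value, Heap, AutoArrayRooter, gc and newNumberInRootedValue are assumed stand-ins for jsval, the GC heap, js::AutoArrayRooter, the collector and js_NewNumberInRootedValue, and RootedValueArray is a hypothetical shape for the helper. Stale stack contents are simulated with a constructed 0xAB fill so the program is deterministic instead of depending on real uninitialized memory; the marker counts slots it cannot interpret where a real collector would follow the garbage as a pointer.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstring>
#include <memory>
#include <utility>
#include <vector>

// Tagged value standing in for jsval; the tag says whether payload is a heap pointer.
enum : uint8_t { TAG_NULL = 0, TAG_DOUBLE = 1, TAG_OBJECT = 2 };
struct Value { uint8_t tag; uint64_t payload; };
static const Value VALUE_NULL = { TAG_NULL, 0 };   // plays the role of JSVAL_NULL
struct Object { bool marked; };

// Toy heap: owned objects plus a root list of (array, length) pairs.
struct Heap {
    std::vector<std::unique_ptr<Object>> objects;
    std::vector<std::pair<Value*, size_t>> roots;
    size_t lastBadValues = 0;   // slots with an unknown tag seen by the last GC
};

// Modelled on js::AutoArrayRooter: registers the array as-is and does NOT
// initialize it, so whatever the array holds is what the marker will read.
struct AutoArrayRooter {
    Heap& heap;
    AutoArrayRooter(Heap& h, size_t len, Value* arr) : heap(h) { heap.roots.push_back({arr, len}); }
    ~AutoArrayRooter() { heap.roots.pop_back(); }
};

// Mark from every rooted slot, then sweep. A slot whose tag the marker does not
// recognise is only counted here; a real collector would follow the garbage as a pointer.
static void gc(Heap& heap) {
    for (auto& o : heap.objects) o->marked = false;
    size_t bad = 0;
    for (auto& root : heap.roots)
        for (size_t i = 0; i < root.second; ++i) {
            const Value& v = root.first[i];
            if (v.tag == TAG_OBJECT)
                reinterpret_cast<Object*>(static_cast<uintptr_t>(v.payload))->marked = true;
            else if (v.tag != TAG_NULL && v.tag != TAG_DOUBLE)
                ++bad;
        }
    heap.lastBadValues = bad;
    heap.objects.erase(std::remove_if(heap.objects.begin(), heap.objects.end(),
        [](const std::unique_ptr<Object>& o) { return !o->marked; }), heap.objects.end());
}

// Models js_NewNumberInRootedValue: boxing the double can collect before *vp is
// written, so *vp must already be a valid value. This model always collects.
static bool newNumberInRootedValue(Heap& heap, double d, Value* vp) {
    gc(heap);
    uint64_t bits;
    std::memcpy(&bits, &d, sizeof bits);
    *vp = Value{ TAG_DOUBLE, bits };
    return true;
}

// The pattern from the bug report: root first, initialize later. Stale stack
// contents are simulated with a constructed 0xAB fill (not real uninitialized
// memory). Returns how many garbage slots the GC saw.
static size_t createTypedArrayBuggy(double nelements) {
    Heap heap;
    Value vals[2];
    std::memset(vals, 0xAB, sizeof vals);
    AutoArrayRooter tvr(heap, 2, vals);
    newNumberInRootedValue(heap, nelements, &vals[0]);   // GC runs while both slots are garbage
    return heap.lastBadValues;
}

// The fix that landed: every slot is a valid null before the rooter sees it.
static size_t createTypedArrayFixed(double nelements) {
    Heap heap;
    Value vals[2] = { VALUE_NULL, VALUE_NULL };
    AutoArrayRooter tvr(heap, 2, vals);
    newNumberInRootedValue(heap, nelements, &vals[0]);
    return heap.lastBadValues;
}

// Stack helper in the spirit of the RootedJSValArray suggestion (hypothetical name
// and shape): vals is value-initialized (all-zero, i.e. TAG_NULL) before the
// rooter member is constructed, so the unsafe window cannot be written at a call site.
template <size_t N>
struct RootedValueArray {
    Value vals[N];
    AutoArrayRooter rooter;   // declared after vals, so constructed after it
    explicit RootedValueArray(Heap& h) : vals(), rooter(h, N, vals) {}
    Value& operator[](size_t i) { return vals[i]; }
};

// Rooting is what keeps an object alive: a rooted object survives gc(), an unrooted one is swept.
static bool rootedObjectSurvives() {
    Heap heap;
    RootedValueArray<2> vals(heap);   // nulled, then rooted; no garbage slot is ever visible
    heap.objects.emplace_back(new Object{false});
    Object* live = heap.objects.back().get();
    vals[1] = Value{ TAG_OBJECT, static_cast<uint64_t>(reinterpret_cast<uintptr_t>(live)) };
    heap.objects.emplace_back(new Object{false});   // never stored in a rooted slot
    gc(heap);
    return heap.objects.size() == 1 && heap.objects[0].get() == live && heap.lastBadValues == 0;
}
```

The buggy variant reports two garbage slots because the collector runs inside newNumberInRootedValue before vals[0] is written, so neither slot holds anything the marker can interpret; the fixed variant and the helper report none. The helper's ordering of members is the whole point: the storage is initialized in the constructor's member-initializer list before the rooter member exists, so a caller cannot reproduce the root-then-initialize window.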
Sayrer, can we get this merged pretty soon?
http://hg.mozilla.org/mozilla-central/rev/80fc5dcabaf9
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Group: core-security