Closed
Bug 551507
Opened 14 years ago
Closed 14 years ago
Bad auto root usage in jstypedarray.cpp
Categories
(Core :: JavaScript Engine, defect)
Core
JavaScript Engine
Tracking
()
RESOLVED
FIXED
People
(Reporter: igor, Assigned: Waldo)
References
Details
(Whiteboard: [sg:critical?] fixed-in-tracemonkey)
Attachments
(1 file)
|
1.89 KB,
patch
|
Waldo
:
review+
|
Details | Diff | Splinter Review |
js_CreateTypedArray from jstypedarray.cpp contains:
...
jsval vals[2];
AutoArrayRooter tvr(cx, JS_ARRAY_LENGTH(vals), vals);
if (!js_NewNumberInRootedValue(cx, jsdouble(nelements), &vals[0]))
return NULL;
This does not null the vals array before rooting it with tvr. If js_NewNumberInRootedValue triggers the GC, than that GC will try to mark unitialized value.
|
||
Comment 1•14 years ago
|
||
My bad. I reviewed it.
Assignee: general → gal
Attachment #431666 -
Flags: review?(igor)
|
||
Updated•14 years ago
|
Whiteboard: [sg:critical?]
|
|
||
Comment 2•14 years ago
|
||
This is only in trunk and not in any of our products.
|
Assignee | |
Comment 3•14 years ago
|
||
Comment on attachment 431666 [details] [diff] [review] patch Stealing... I suggest JSVAL_NULL simply because that's 0 and might conceivably initialize faster, with no semantic difference -- or it might just be talismanic.
Attachment #431666 -
Flags: review?(igor) → review+
Changed to NULL and pushed to tm, at brendan's request: http://hg.mozilla.org/tracemonkey/rev/80fc5dcabaf9 Some stack helpers for this might be nice.. e.g. RootedJSValArray vals(4); or something.
Whiteboard: [sg:critical?] → [sg:critical?] fixed-in-tracemonkey
Sayrer, can we get this merged pretty soon?
|
||
Comment 7•14 years ago
|
||
http://hg.mozilla.org/mozilla-central/rev/80fc5dcabaf9
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
|
|
||
Updated•9 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•