Closed Bug 551507 Opened 15 years ago Closed 15 years ago

Bad auto root usage in jstypedarray.cpp

Categories

(Core :: JavaScript Engine, defect)

defect
Not set
normal

Tracking

()

RESOLVED FIXED

People

(Reporter: igor, Assigned: Waldo)

References

Details

(Whiteboard: [sg:critical?] fixed-in-tracemonkey)

Attachments

(1 file)

js_CreateTypedArray from jstypedarray.cpp contains: ... jsval vals[2]; AutoArrayRooter tvr(cx, JS_ARRAY_LENGTH(vals), vals); if (!js_NewNumberInRootedValue(cx, jsdouble(nelements), &vals[0])) return NULL; This does not null the vals array before rooting it with tvr. If js_NewNumberInRootedValue triggers the GC, than that GC will try to mark unitialized value.
Attached patch patchSplinter Review
My bad. I reviewed it.
Assignee: general → gal
Attachment #431666 - Flags: review?(igor)
Whiteboard: [sg:critical?]
This is only in trunk and not in any of our products.
Comment on attachment 431666 [details] [diff] [review] patch Stealing... I suggest JSVAL_NULL simply because that's 0 and might conceivably initialize faster, with no semantic difference -- or it might just be talismanic.
Attachment #431666 - Flags: review?(igor) → review+
All yours waldo :)
Assignee: gal → jwalden+bmo
Changed to NULL and pushed to tm, at brendan's request: http://hg.mozilla.org/tracemonkey/rev/80fc5dcabaf9 Some stack helpers for this might be nice.. e.g. RootedJSValArray vals(4); or something.
Whiteboard: [sg:critical?] → [sg:critical?] fixed-in-tracemonkey
Sayrer, can we get this merged pretty soon?
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Group: core-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: