Bug 551507 - Bad auto root usage in jstypedarray.cpp
Status: RESOLVED FIXED (Closed)
Opened 15 years ago; closed 15 years ago
Category: Core :: JavaScript Engine, defect
People: Reporter: igor, Assigned: Waldo
Whiteboard: [sg:critical?] fixed-in-tracemonkey
Attachments (1 file): patch, 1.89 KB, Waldo: review+
js_CreateTypedArray from jstypedarray.cpp contains:
...
    jsval vals[2];
    AutoArrayRooter tvr(cx, JS_ARRAY_LENGTH(vals), vals);
    if (!js_NewNumberInRootedValue(cx, jsdouble(nelements), &vals[0]))
        return NULL;
This does not null the vals array before rooting it with tvr. If js_NewNumberInRootedValue triggers the GC, then that GC will try to mark an uninitialized value.
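The hazard the report describes, as an added illustration that is not part of the bug report or of SpiderMonkey's code: a toy exact-rooting model in which the marker trusts every rooted slot, so a slot that holds stale stack contents when a GC runs is chased as if it were a live object pointer. The names (Heap, Value, VALUE_NULL, AutoArrayRooter, newNumberInRootedValue, simulateStaleStack) are constructed for the model, and the "stale" contents are filled in explicitly because real uninitialized reads are undefined behaviour; only the ordering (root first vs. initialize first) is taken from the report.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <set>
#include <vector>

// Toy model of SpiderMonkey-style exact rooting (constructed for this example,
// not engine code). alignas keeps the low pointer bit free for tagging.
struct alignas(8) GCObject { bool marked = false; };

// jsval-like tagged word: low bit 1 => object pointer, low bit 0 => non-pointer.
using Value = uintptr_t;
constexpr Value VALUE_NULL = 0;     // analogue of JSVAL_NULL: all-zero bits, never dereferenced
constexpr Value VALUE_INT_TAG = 2;  // stand-in for a boxed number (non-pointer tag)

inline Value objectValue(GCObject* o) { return reinterpret_cast<Value>(o) | 1; }
inline bool isObject(Value v) { return (v & 1) != 0; }
inline GCObject* toObject(Value v) { return reinterpret_cast<GCObject*>(v & ~Value(1)); }

struct RootedRange { Value* base; size_t len; };

struct Heap {
  std::set<GCObject*> live;         // objects the collector currently owns
  std::vector<RootedRange> roots;   // stack ranges registered by AutoArrayRooter
  int wildRootSlots = 0;            // object-tagged root slots pointing outside `live`

  // Mark phase. An exact collector trusts every rooted slot: if the tag says
  // "object", the pointer is followed. The model records would-be wild
  // dereferences instead of performing them.
  void gc() {
    wildRootSlots = 0;
    for (const RootedRange& r : roots)
      for (size_t i = 0; i < r.len; ++i)
        if (isObject(r.base[i])) {
          GCObject* obj = toObject(r.base[i]);
          if (live.count(obj)) obj->marked = true;
          else ++wildRootSlots;
        }
  }
};

// Scope-bound array rooter, analogous to AutoArrayRooter(cx, len, vec).
struct AutoArrayRooter {
  Heap& heap;
  AutoArrayRooter(Heap& h, size_t len, Value* vec) : heap(h) { heap.roots.push_back({vec, len}); }
  ~AutoArrayRooter() { heap.roots.pop_back(); }
};

// Models js_NewNumberInRootedValue: boxing a number may allocate, and the
// allocation may run a GC before the result is stored into *vp.
bool newNumberInRootedValue(Heap& heap, double, Value* vp) {
  heap.gc();
  *vp = VALUE_INT_TAG;
  return true;
}

// Stands in for whatever the frame held before `vals` was declared; here a
// pointer to an object the collector no longer owns (constructed garbage).
static GCObject gDeadObject;
void simulateStaleStack(Value* vals, size_t len) {
  for (size_t i = 0; i < len; ++i) vals[i] = objectValue(&gDeadObject);
}

// The ordering from the bug report: root the array, then fill it. Returns the
// number of root slots the marker would have chased into freed memory.
int createTypedArrayBuggy(Heap& heap) {
  Value vals[2];
  simulateStaleStack(vals, 2);  // indeterminate contents of an uninitialised array
  AutoArrayRooter tvr(heap, 2, vals);
  if (!newNumberInRootedValue(heap, 42.0, &vals[0])) return -1;
  return heap.wildRootSlots;    // vals[1] is still stale even after the call
}

// The fix: every slot holds a valid non-pointer value before the rooter exists,
// so a GC triggered by the allocation sees only NULL (or a live value).
int createTypedArrayFixed(Heap& heap) {
  Value vals[2] = { VALUE_NULL, VALUE_NULL };
  AutoArrayRooter tvr(heap, 2, vals);
  if (!newNumberInRootedValue(heap, 42.0, &vals[0])) return -1;
  return heap.wildRootSlots;
}

int main() {
  Heap a, b;
  std::printf("buggy: %d wild root slots, fixed: %d wild root slots\n",
              createTypedArrayBuggy(a), createTypedArrayFixed(b));
  return 0;
}
```

The model makes the detection point visible: with the buggy ordering both rooted slots are garbage at the moment the allocation's GC runs, not just the one that is about to be written, which is why the fix initializes the whole array rather than only vals[0]. A real marker has no `live` set to consult and would dereference the stale word directly.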
Comment 1 • 15 years ago
My bad. I reviewed it.
Assignee: general → gal
Attachment #431666 - Flags: review?(igor)
Updated • 15 years ago
Whiteboard: [sg:critical?]
Comment 2 • 15 years ago
This is only in trunk and not in any of our products.
Comment 3 (Assignee) • 15 years ago
Comment on attachment 431666 (patch):
Stealing...
I suggest JSVAL_NULL simply because that's 0 and might conceivably initialize faster, with no semantic difference -- or it might just be talismanic.
Attachment #431666 - Flags: review?(igor) → review+
Changed to NULL and pushed to tm, at brendan's request:
http://hg.mozilla.org/tracemonkey/rev/80fc5dcabaf9
Some stack helpers for this might be nice.. e.g. RootedJSValArray vals(4); or something.
Whiteboard: [sg:critical?] → [sg:critical?] fixed-in-tracemonkey
Sayrer, can we get this merged pretty soon?
Comment 7 • 15 years ago
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Updated • 10 years ago
Group: core-security