Closed Bug 572232 Opened 14 years ago Closed 14 years ago

js_InvokeConstructor with clampReturn==JS_TRUE and user-controlled ctor is a gc hazard

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
blocking2.0 --- final+
status1.9.2 --- .9-fixed
status1.9.1 --- .12-fixed

People

(Reporter: Waldo, Assigned: Waldo)

References

Details

(Keywords: assertion, regression, testcase, Whiteboard: [sg:critical?][critsmash:investigating])

Attachments

(2 files)

Branch patch
615 bytes, patch
dvander
: review+
christian
: approval1.9.2.9+
christian
: approval1.9.1.12+
Details | Diff | Splinter Review
Patch for 1.9.0
1.51 KB, patch
dvander
: review+
Details | Diff | Splinter Review
See bug 567577 comment 9 and bug 567577 comment 10. I *think* we either need to add a tvr for the noted default-return object in js_InvokeConstructor or figure out whether __noSuchMethod__ functionality can ever be invoked in a constructing situation. The latter is probably hard, and the former is probably easy, which suggests probably the former is what we should do. This also shows up in JS_New on trunk (but conservative stack scanning saves us) and in fun_applyConstructor (Narcissus-only, so I think we don't care), but neither of these cases needs a change.
Cc'ing mrbkap who was involved in bug 453462, and gal who took over at some point. /be
Whiteboard: [sg:critical?]
this is still biting on branches, even if we get a conservative scanner on trunk, right?
Yes.
The patch in bug 567577 fixes this, I think.
(In reply to comment #4) > The patch in bug 567577 fixes this, I think. "Can we get a little more confidence than 'I Think'?" -- Damon Sicore
Waldo filed it. Waldo should decide. As far as I understand the bug report scanning the stack will find this root, so this is safe now. Waldo?
Comment 4 is correct with respect to trunk, even with conservative stack scanning turned off. We may not want to apply the patch there to branches exactly as is, however, as it does force clamping, which would be a web-visible change. Just adding the AutoObjectRooter (JSAutoTempValueRooter on branches) should be enough for branches, without compatibility concerns.
Waldo, could you please get a branch patch going?
Assignee: general → jwalden+bmo
Sure.
Status: NEW → ASSIGNED
Whiteboard: [sg:critical?] → [sg:critical?][critsmash:investigating]
status1.9.1: --- → ?
status1.9.2: --- → ?
Any news on the branch patch?
Attached patch Branch patchSplinter Review
Attachment #460709 - Flags: review?(dvander)
Attachment #460709 - Flags: review?(dvander) → review+
Attachment #460709 - Flags: approval1.9.2.9?
Attachment #460709 - Flags: approval1.9.1.12?
Comment on attachment 460709 [details] [diff] [review] Branch patch a=LegNeato for 1.9.2.9 and 1.9.1.12. Please land on mozilla-1.9.2 default and mozilla-1.9.1 default.
Attachment #460709 - Flags: approval1.9.2.9?
Attachment #460709 - Flags: approval1.9.2.9+
Attachment #460709 - Flags: approval1.9.1.12?
Attachment #460709 - Flags: approval1.9.1.12+
Attached patch Patch for 1.9.0Splinter Review
Attachment #471885 - Flags: review?
Attachment #471885 - Flags: review? → review?(dvander)
Attachment #471885 - Flags: review?(dvander) → review+
Group: core-security
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: