potential GC hazard in GetCustomIterator from jsiter.cpp

Status: RESOLVED FIXED
Product: Core
Component: JavaScript Engine
Reported: 8 years ago
Modified: 8 years ago

People

(Reporter: Igor Bukanov, Assigned: Igor Bukanov)

Tracking

Version: Trunk
Points: ---

Firefox Tracking Flags

(status2.0 unaffected, status1.9.2 unaffected, status1.9.1 unaffected)

Details

(Whiteboard: [sg:critical?] fixed by 607292)

(Assignee)

Description

8 years ago
GetCustomIterator, http://hg.mozilla.org/tracemonkey/file/52f667d7b312/js/src/jsiter.cpp#l398 , contains the following:

js_ReportValueError2(cx, JSMSG_BAD_TRAP_RETURN_VALUE,
                     -1, ObjectValue(*obj), NULL,
                     js_AtomToPrintableString(cx, atom))

Here js_AtomToPrintableString(cx, atom) creates a new string instance representing a printable and quoted string and then uses JS_GetStringBytes to get its byte pointer. The pointer is only valid if the GC cannot happen before it is used. But js_ReportValueError2 uses DecompileValueGenerator before passing the ptr to JS_ReportErrorFlagsAndNumber. Yet the decompiler can allocate more GC things. So depending on whether it is possible to trigger the allocations during the above error reporting, the GC hazard may or may not exist.
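A toy model of the hazard described in this report, added here as an example (it is not SpiderMonkey's code; gc_collect, gc_new_string, atom_to_printable_bytes, decompile and the two report_* functions are invented stand-ins): a raw byte pointer into an unrooted temporary string is taken, a second allocation runs the collector, and the cell is swept and reused before the pointer is consumed, while the rooted variant keeps the bytes valid across the same allocation.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
enum { SLOTS = 4, STR_CAP = 32 };
/* One GC-managed string cell; a swept cell is zeroed and may be reused. */
typedef struct { bool live; char bytes[STR_CAP]; } GCString;
static GCString heap[SLOTS], *roots[SLOTS]; static int nroots;
/* Mark-sweep over the toy heap: every live cell not in the root set dies. */
static void gc_collect(void) {
    for (int i = 0; i < SLOTS; i++) {
        bool rooted = false;
        for (int r = 0; r < nroots; r++) rooted |= (roots[r] == &heap[i]);
        if (heap[i].live && !rooted) { heap[i].live = false; memset(heap[i].bytes, 0, STR_CAP); }
    }
}
/* Allocation runs a full GC first: the worst case the hazard depends on. */
static GCString *gc_new_string(const char *s) {
    gc_collect();
    for (int i = 0; i < SLOTS; i++) if (!heap[i].live) {
        heap[i].live = true;
        snprintf(heap[i].bytes, STR_CAP, "%s", s);
        return &heap[i];
    }
    return NULL;
}
/* Like js_AtomToPrintableString + JS_GetStringBytes: raw bytes of an unrooted temporary. */
static const char *atom_to_printable_bytes(const char *atom) {
    char quoted[STR_CAP];
    snprintf(quoted, sizeof quoted, "\"%s\"", atom);
    return gc_new_string(quoted)->bytes;
}
/* Stand-in for DecompileValueGenerator: it allocates, so it can trigger GC. */
static GCString *decompile(const char *expr) { return gc_new_string(expr); }
/* The bug's order: take the bytes pointer, decompile, then use it; true iff bytes intact. */
bool report_hazard(char *out, size_t cap) {
    const char *bytes = atom_to_printable_bytes("next");
    GCString *d = decompile("obj.__iterator__");  /* GC sweeps and reuses the cell */
    snprintf(out, cap, "%s returned by %s", bytes, d->bytes);
    return strcmp(bytes, "\"next\"") == 0;
}
/* Hazard-free order: keep the string rooted until its bytes are consumed. */
bool report_rooted(char *out, size_t cap) {
    GCString *str = gc_new_string("\"next\"");
    roots[nroots++] = str;                        /* survives the decompile GC */
    GCString *d = decompile("obj.__iterator__");
    snprintf(out, cap, "%s returned by %s", str->bytes, d->bytes);
    nroots--;
    return strcmp(str->bytes, "\"next\"") == 0;
}
```

Because the toy collector runs on every allocation, the hazardous ordering fails deterministically; in a real engine it would only fail when the decompiler's allocation happens to trigger a collection, which is what makes such bugs hard to reproduce.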
(Assignee)

Updated

8 years ago
Assignee: general → igor
Whiteboard: [sg:critical?]

Updated

8 years ago
blocking2.0: --- → ?

Updated

8 years ago
blocking2.0: ? → final+

Comment 1

8 years ago
Trivial fix.
(Assignee)

Comment 2

8 years ago
I am making this a dup of 607292, as that bug removed JS_GetStringBytes, eliminating the problem here.
Status: NEW → RESOLVED
blocking1.9.1: --- → ?
blocking1.9.2: --- → ?
blocking2.0: final+ → ---
Last Resolved: 8 years ago
status2.0: --- → unaffected
Resolution: --- → DUPLICATE
Duplicate of bug: 607292
(Assignee)

Comment 3

8 years ago
Setting the bug as a dup was wrong, as 607292 is not going to be backported. So I am marking this bug as 1.9.* only.
Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---
Summary: potential GC hazard in GetCustomIterator from jsiter.cpp → potential GC hazard in GetCustomIterator from jsiter.cpp on 1.9.*
(Assignee)

Comment 4

8 years ago
Sorry for the confusion, but this bug is in code that was never landed on trunk. With bug 607292 this bug is fixed.
Status: REOPENED → RESOLVED
blocking1.9.1: ? → ---
blocking1.9.2: ? → ---
Last Resolved: 8 years ago
status1.9.2: --- → unaffected
Depends on: 607292
Resolution: --- → FIXED
Group: core-security
status1.9.1: --- → unaffected
Summary: potential GC hazard in GetCustomIterator from jsiter.cpp on 1.9.* → potential GC hazard in GetCustomIterator from jsiter.cpp
Whiteboard: [sg:critical?] → [sg:critical?] fixed by 607292