Closed Bug 620376 Opened 15 years ago Closed 15 years ago

ArrayToIdVector from jsproxy.cpp should check for operation callback invocations

Categories: (Core :: JavaScript Engine, defect)

Type: defect; Priority: Not set; Severity: normal

Status: RESOLVED FIXED

Tracking Status: blocking2.0 --- betaN+

People: (Reporter: igor, Assigned: igor)

Whiteboard: fixed-in-tracemonkey

Attachments: (1 file)

ArrayToIdVector from jsproxy.cpp, which is used to convert array-like objects into a vector of ids, contains the following code:

    js_GetLengthProperty(cx, obj, &length)
    ...
    for (jsuint n = 0; n < length; ++n) {
        if (!js_IndexToId(cx, n, idr.addr()))
            return false;
        ...
    }

Since array-like objects can have holes, the length here can be arbitrary even if the array has no elements. So for a length like 2**32 - 1 the code may loop for a very long time without querying for the operation callback invocation. The following test shows this ill-looping in the js shell:

    ~/m/tm/js/src> cat ~/s/x.js
    function test() {
        if (typeof timeout != "function")
            return;
        var p = Proxy.create({ enumerate: function() { return Array(1e9); }});
        timeout(0.001);
        var n = 0;
        for (i in p) { ++n;}
        return n;
    }
    test();
    ~/m/tm/js/src> ~/b/js/tmdbg64/js ~/s/x.js
    Script runs for too long, terminating.

where the script continues to loop despite the termination flag being set.
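The following is an added C++ model of the two shapes of this loop, not SpiderMonkey's code or the patch: the ArrayLike struct, OperationCallback, kPollMask and makeWatchdog are constructed stand-ins for the engine's array-like object, operation callback, JS_CHECK_OPERATION_LIMIT poll schedule and the shell's timeout(). It shows why a script-controlled length must be paired with a periodic stop check.

```cpp
#include <cstdint>
#include <functional>
#include <memory>
#include <vector>

// Constructed stand-in for an array-like object: the conversion loop only
// looks at 'length', which script controls (Array(1e9) has length 1e9 and
// not a single element).
struct ArrayLike {
    uint32_t length;
};

// Stand-in for the engine's operation callback that JS_CHECK_OPERATION_LIMIT
// consults: returns false once the script has been told to stop.
using OperationCallback = std::function<bool()>;

// Poll period; an assumption of this model, not SpiderMonkey's real schedule.
static const uint32_t kPollMask = 0x3FF; // poll every 1024 iterations

// Unpatched shape: work grows with 'length' and nothing ever asks whether the
// script should stop, so a length near 2**32 keeps spinning after a timeout.
bool arrayToIdVectorUnchecked(const ArrayLike& obj, std::vector<uint32_t>& ids) {
    for (uint32_t n = 0; n < obj.length; ++n)
        ids.push_back(n); // js_IndexToId(cx, n, ...) in the real loop
    return true;
}

// Patched shape: poll the callback inside the loop and bail out with false
// (the engine's uncatchable-termination signal) as soon as it says stop.
bool arrayToIdVectorChecked(const ArrayLike& obj, std::vector<uint32_t>& ids,
                            const OperationCallback& cb) {
    for (uint32_t n = 0; n < obj.length; ++n) {
        if ((n & kPollMask) == 0 && !cb())
            return false;
        ids.push_back(n);
    }
    return true;
}

// Watchdog model standing in for the shell's timeout(): allows 'budget'
// polls to pass, then reports "stop" on every later poll.
OperationCallback makeWatchdog(uint32_t budget) {
    auto remaining = std::make_shared<uint32_t>(budget);
    return [remaining]() {
        if (*remaining == 0) return false;
        --*remaining;
        return true;
    };
}
```

With a length of 2**32 - 1 the checked loop stops after the watchdog's budget of polls, while the unchecked loop would run to completion regardless of any timeout.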
Attached patch v1
The patch adds the missing JS_CHECK_OPERATION_LIMIT. It also removes the erroneous JS_ReportErrorNumber after a failed js_GetLengthProperty, as the error should already have been reported at that moment.
Assignee: general → igor
Attachment #498741 - Flags: review?(gal)
Attachment #498741 - Flags: review?(gal) → review+
Nominating for 2.0: the bug fixes a denial-of-service regression.
blocking2.0: --- → ?
Whiteboard: fixed-in-tracemonkey
http://hg.mozilla.org/tracemonkey/rev/c166bfc18951 - follow up to fix the landed test to work under browser
blocking2.0: ? → beta9+
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
As per today's meeting, beta 9 will be a time-based release. Marking these all betaN+. Please move it back to beta9+ if you believe it MUST be in the next beta (ie: trunk is in an unshippable state without this)
blocking2.0: beta9+ → betaN+