Bug 629817 (Closed): Opened 9 years ago, Closed 9 years ago

We need an AutoShapeVector to root shape vectors on the stack

Categories

(Core :: JavaScript Engine, defect)


Tracking


RESOLVED FIXED
Tracking Status
blocking2.0 --- final+
status1.9.2 --- unaffected
status1.9.1 --- unaffected

People

(Reporter: billm, Assigned: billm)

Details

(Whiteboard: [sg:critical?][hardblocker][has patch][fixed-in-tracemonkey])

Attachments

(1 file)

In JSObject::copyPropertiesFrom, we construct a Vector<const Shape *>. Then we call cx->compartment->wrap(cx, &getter), which can GC. This is a GC hazard. Moving shapes to the GC heap will not fix this.
Attached patch: fix
This adds an AutoShapeVector class and uses it in jsobj.cpp.

Since this code is similar to AutoIdVector and AutoValueVector, I moved most of this code into a template.
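To make the hazard from comment 0 and the rooting fix from the patch comment concrete, here is an added example; it is not SpiderMonkey's code and not the attached patch. It models a toy mark-and-sweep heap whose collector only sees objects reachable from an intrusive stack of rooters, and a templated AutoVectorRooter in the spirit of the shared template the comment describes. All names used here (Context, Shape, AutoGCRooter, AutoVectorRooter, newShape, gc, isLive, unrootedHazard, rootedFix) are hypothetical stand-ins, not the engine's own types or functions.

```cpp
#include <cstddef>
#include <iostream>
#include <memory>
#include <vector>

// Toy GC-managed object standing in for a shape (hypothetical, not js::Shape).
struct Shape {
    int id = 0;
    bool marked = false;
};

struct Context;

// Base of the intrusive rooter stack the collector walks (hypothetical).
struct AutoGCRooter {
    explicit AutoGCRooter(Context *cx);
    virtual ~AutoGCRooter();
    virtual void trace() = 0;   // mark everything this rooter holds
    Context *cx;
    AutoGCRooter *down;         // next rooter further down the C++ stack
};

// Toy context owning the heap; gc() is a mark-sweep over rooter-reachable objects.
struct Context {
    AutoGCRooter *autoGCRooters = nullptr;
    std::vector<std::unique_ptr<Shape>> heap;

    Shape *newShape(int id) {
        heap.push_back(std::make_unique<Shape>());
        heap.back()->id = id;
        return heap.back().get();
    }

    // Mark from every rooter on the stack, sweep the rest. Returns objects freed.
    size_t gc() {
        for (auto &s : heap) s->marked = false;
        for (AutoGCRooter *r = autoGCRooters; r; r = r->down) r->trace();
        size_t freed = 0;
        for (auto it = heap.begin(); it != heap.end();) {
            if (!(*it)->marked) { it = heap.erase(it); ++freed; } else { ++it; }
        }
        return freed;
    }

    // Address-only liveness check; never dereferences the pointer it is given.
    bool isLive(const Shape *s) const {
        for (const auto &p : heap) if (p.get() == s) return true;
        return false;
    }
};

AutoGCRooter::AutoGCRooter(Context *cx) : cx(cx), down(cx->autoGCRooters) {
    cx->autoGCRooters = this;   // push on construction
}
AutoGCRooter::~AutoGCRooter() { cx->autoGCRooters = down; }   // pop on scope exit

// Generic rooted vector, parameterised on the pointer type it holds.
template <typename T>
class AutoVectorRooter : public AutoGCRooter {
    std::vector<T> vec;
public:
    explicit AutoVectorRooter(Context *cx) : AutoGCRooter(cx) {}
    bool append(T v) { vec.push_back(v); return true; }
    size_t length() const { return vec.size(); }
    T &operator[](size_t i) { return vec[i]; }
    void trace() override { for (T v : vec) if (v) v->marked = true; }
};
typedef AutoVectorRooter<Shape *> AutoShapeVector;

// Hazard: a plain vector of GC pointers is invisible to the collector.
// Returns how many of its entries dangle after a GC that ran while it was live.
size_t unrootedHazard() {
    Context cx;
    std::vector<Shape *> shapes;
    for (int i = 0; i < 3; i++) shapes.push_back(cx.newShape(i));
    cx.gc();   // stands in for a call (like a cross-compartment wrap) that can GC
    size_t dangling = 0;
    for (Shape *s : shapes) if (!cx.isLive(s)) ++dangling;
    return dangling;   // all 3 entries now point at freed memory
}

// Fix: the same vector, but rooted, so the collector marks its contents.
size_t rootedFix() {
    Context cx;
    AutoShapeVector shapes(&cx);   // destroyed before cx, so it pops itself first
    for (int i = 0; i < 3; i++) shapes.append(cx.newShape(i));
    cx.gc();
    size_t dangling = 0;
    for (size_t i = 0; i < shapes.length(); i++) if (!cx.isLive(shapes[i])) ++dangling;
    return dangling;   // 0: every entry survived the collection
}

int main() {
    std::cout << "unrooted dangling: " << unrootedHazard() << "\n";
    std::cout << "rooted dangling:   " << rootedFix() << "\n";
    return 0;
}
```

The point the toy makes is the one comment 0 makes: the vector's storage lives on the C++ stack or in malloc memory, so no matter where the shapes themselves are allocated, a collector that does not know about the vector will free what it points to. The RAII rooter fixes that by registering with the context for exactly the scope in which the pointers are held.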
Assignee: general → wmccloskey
Status: NEW → ASSIGNED
Attachment #508927 - Flags: review?(lw)
Comment on attachment 508927 (fix)

Very nice.
Attachment #508927 - Flags: review?(lw) → review+
GC safety issue, probably exploitable in some way.
blocking2.0: --- → final+
Whiteboard: [hardblocker]
Whiteboard: [hardblocker] → [hardblocker][has patch]
Whiteboard: [hardblocker][has patch] → [sg:critical?][hardblocker][has patch]
http://hg.mozilla.org/tracemonkey/rev/05365e5ff01b
Whiteboard: [sg:critical?][hardblocker][has patch] → [sg:critical?][hardblocker][has patch][fixed-in-tracemonkey]
++bill, thanks for fixing this
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Group: core-security