Closed
Bug 630735
Opened 13 years ago
Closed 13 years ago
NodeVector isn't GC-safe
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: jorendorff, Assigned: dherman)
Details
(Whiteboard: fixed-in-tracemonkey)
Attachments
(1 file)
|
5.82 KB,
patch
|
jorendorff
:
review+
|
Details | Diff | Splinter Review |
gczeal(2);
var s = '';
for (var i = 0; i < 1000; i++)
s += i + ',';
Reflect.parse('[' + s + ']', {loc: false});
Assertion failure: addr % sizeof(FreeCell) == 0, at d:\dev\tracemonkey\js\src\jsgc.h:367
jsreflect.cpp defines NodeVector this way:
typedef Vector<Value, 8> NodeVector;
and it is only used on the stack. If I understand correctly, that will be safe for the first 8 Values. After that, the vector's storage is malloc'd, and the GC does not pursue the pointer from the Vector to the heap.
So I think it needs to be, instead:
typedef AutoValueVector NodeVector;
and we'll also have to change every place one is declared, to pass the cx to the constructor.
|
||
Updated•13 years ago
|
Group: core-security
|
|
||
Comment 1•13 years ago
|
||
Any chance of content getting hold of Reflect or content causing chrome to act on it?
|
Assignee | |
Comment 2•13 years ago
|
||
Not exposed to chrome. Shell-only. Unless it, like, uses ctypes to extract the functions from the FF binary. But I'll post a patch asap. Dave
|
|
||
Comment 3•13 years ago
|
||
In that case we don't have to hide this. But yes, please fix.
Group: core-security
|
|
Assignee | |
Comment 4•13 years ago
|
||
Switching to AutoValueVector is trivial (Vector already takes cx in its constructor) but it still crashes on
gczeal(2), Reflect.parse(uneval(new Array(1000)), {loc:false})
Will investigate.
Dave|
|
Assignee | |
Comment 5•13 years ago
|
||
This patch includes the suggested fix, and also eliminates the bogus uses of JS_DestroyScript() in shell/js.cpp. Dave
Assignee: general → dherman
Attachment #509129 -
Flags: review?
|
|
Assignee | |
Updated•13 years ago
|
Attachment #509129 -
Flags: review? → review?(jorendorff)
|
Reporter | |
Comment 6•13 years ago
|
||
Comment on attachment 509129 [details] [diff] [review] use AutoValueVector for NodeVector, eliminate JS_DestroyScript In shell/js.cpp, Load: >+ ok = !script >+ ? JS_FALSE >+ : !compileOnly >+ ? JS_ExecuteScript(cx, thisobj, script, NULL) >+ : JS_TRUE; > if (!ok) > return JS_FALSE; > } Thanks for getting rid of these JS_DestroyScript calls. Merely as a matter of style, please change these lines to: if (!script) return JS_FALSE; if (!compileOnly && !JS_ExecuteScript(cx, thisobj, script, NULL)) return JS_FALSE; } r=me with that.
Attachment #509129 -
Flags: review?(jorendorff) → review+
|
||
Comment 7•13 years ago
|
||
Or, if you really want to write an expression, avoid ?: expressions with true or false in one arm: a ? false : b => a && b a ? true : b => a || b (with !! as needed to canonicalize ints as bools). /be
|
|
Assignee | |
Comment 8•13 years ago
|
||
http://hg.mozilla.org/tracemonkey/rev/53403b41c153
Whiteboard: fixed-in-tracemonkey
|
|
||
Comment 9•13 years ago
|
||
Late for a drive-by, just wanted to say: please use true and false now, not JS_TRUE and JS_FALSE, even with JSBool return type. The C++ bools convert nicely. It's the other direction that requires !!. /be
|
|
||
Comment 10•13 years ago
|
||
> a ? false : b => a && b
Er, of course:
a ? b : false => a && b
/be
|
||
Comment 11•13 years ago
|
||
cdleary-bot mozilla-central merge info: http://hg.mozilla.org/mozilla-central/rev/53403b41c153
|
|
||
Updated•13 years ago
|
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
You need to log in
before you can comment on or make changes to this bug.
Description
•