Closed
Bug 737245
Opened 12 years ago
Closed 12 years ago
Typed Arrays should handle cross-compartment wrappers
Categories
(Core :: JavaScript Engine, defect)
Core
JavaScript Engine
Tracking
()
RESOLVED
FIXED
mozilla14
People
(Reporter: bholley, Assigned: sfink)
References
Details
Attachments
(3 files, 3 obsolete files)
|
1.19 KB,
patch
|
luke
:
review+
|
Details | Diff | Splinter Review |
|
2.56 KB,
patch
|
luke
:
review+
|
Details | Diff | Splinter Review |
|
4.56 KB,
patch
|
Details | Diff | Splinter Review |
Currently they're broken in all sorts of ways. Working up some patches now.
|
Reporter | |
Comment 1•12 years ago
|
||
This will do nasty things in the cross-compartment case. Thankfully, nobody uses it. Kill it.
Attachment #607714 -
Flags: review?(luke)
|
|
Reporter | |
Comment 2•12 years ago
|
||
Attachment #607715 -
Flags: review?(luke)
|
|
Reporter | |
Comment 3•12 years ago
|
||
Attachment #607716 -
Flags: review?(luke)
|
|
Reporter | |
Comment 4•12 years ago
|
||
TypedArray::getTypedArray currently doesn't do anything useful. All of the callers check js_IsTypedArray before calling it, so I don't see how it could ever walk up the proto chain like it purports to. I was tempted to remove it, but I was also running into issues where things like TypedArray::getLength were borking, and this seemed like a convenient fix. I'm not sure it's the right way to go though.
Attachment #607717 -
Flags: review?(luke)
|
|
Reporter | |
Comment 5•12 years ago
|
||
Attachment #607718 -
Flags: review?(luke)
|
||
Updated•12 years ago
|
Attachment #607714 -
Flags: review?(luke) → review+
|
|
||
Comment 6•12 years ago
|
||
Comment on attachment 607717 [details] [diff] [review] part 4 - Repurpose TypedArray::getTypedArray to do object unwrapping. v1 From irc: this is not the right strategy: random unwrapping mixes objects from different compartments which is a big cross-compartment hazard. To see some examples of what I think the "right" fix is, just grep ObjectClassIs. The strategy is: ask "are you X type" with ObjectClassIs and then use operations that work on proxies (like ToNumber, GetProperty, etc). A particularly relevant example is regexps where the proxy-safe operation is RegExpToShared. I think we need to do the analogous thing here; I'm thinking something like: // all of these assert ObjectClassIs(obj, ESClass_TypedArray) uint32_t *GetTypedArrayLength(JSObject *obj); void *GetTypedDataOffset(JSObject *obj); JSObject *GetTypedArrayBuffer(JSObject *obj); (Note that GetTypedArrayBuffer would return a wrapped ArrayBuffer if obj was a ccw.) The last creepy possibility is when you say "new Int8Array(buffer)" where buffer in a different compartment. Typed arrays point into the buffer of their ArrayBuffer so I think we absolutely cannot have the typed array in a different compartment from its buffer. Thus, the only thing that would work is to create the typed array in the buffer's compartment. Fortunately, there is already machinery to automatically call a native (in this case, TypedArrayTemplate::create) in another compartment: ProxyHandler::nativeCall. I'm sorry this is looking so invasive, but I don't think there is any other safe way. I would be happy to write the patch in a couple weeks once I've finished my current project.
Attachment #607717 -
Flags: review?(luke) → review-
|
|
||
Updated•12 years ago
|
Attachment #607715 -
Flags: review?(luke) → review+
|
|
||
Updated•12 years ago
|
Attachment #607716 -
Flags: review?(luke) → review+
|
|
||
Comment 7•12 years ago
|
||
Comment on attachment 607718 [details] [diff] [review] part 5 - Implement js_IsTypedArrayOfType and use it instead of explicit class checks. v1 Can you take fastClasses/slowClasses out of the TypedArray class? mxr shows two other uses of fastClasses and I'm sure more will pop up if we don't make it unavailable.
Attachment #607718 -
Flags: review?(luke)
|
|
Reporter | |
Comment 8•12 years ago
|
||
sfink is going to take over this work and merge it into what he's working on, and hopefully get it landed by mid next week. Thanks Steve!
Assignee: bobbyholley+bmo → sphink
|
Assignee | |
Comment 10•12 years ago
|
||
I'm effectively moving the changes from bugs 4 and 5 into bug 741041. Which means that the remaining patches in this bug are now landable.
|
|
Assignee | |
Comment 11•12 years ago
|
||
Comment on attachment 607717 [details] [diff] [review] part 4 - Repurpose TypedArray::getTypedArray to do object unwrapping. v1 Bug 711843 will change the JSAPI and add the checking at all relevant entry points, eliminating the use of getTypedArray outside of the internal typed array code.
Attachment #607717 -
Attachment is obsolete: true
|
|
Assignee | |
Comment 12•12 years ago
|
||
Comment on attachment 607718 [details] [diff] [review] part 5 - Implement js_IsTypedArrayOfType and use it instead of explicit class checks. v1 Bug 711843 adds a different but equivalent API for this.
Attachment #607718 -
Attachment is obsolete: true
|
||
Comment 13•12 years ago
|
||
Attachment #607715 -
Attachment is obsolete: true
|
||
Comment 15•12 years ago
|
||
Try run for 815c44bf33eb is complete.
Detailed breakdown of the results available here:
https://tbpl.mozilla.org/?tree=Try&rev=815c44bf33eb
Results (out of 231 total builds):
success: 201
warnings: 28
failure: 2
Builds (or logs if builds failed) available at:
http://ftp.mozilla.org/pub/mozilla.org/firefox/try-builds/mhammond@skippinet.com.au-815c44bf33eb|
|
||
Comment 16•12 years ago
|
||
These try failures all seem unrelated to the patch (the android builds seem to be failing to connect to a host 10.250.51.93 and the linux debug builds seem to have issues with hg). Is it appropriate for me to push to inbound?
|
|
||
Comment 17•12 years ago
|
||
Pushed to inbound: changeset: 91015:1cbedc2d11c6 changeset: 91016:e67ea61f46b6 changeset: 91017:17e95355ad77
|
||
Comment 18•12 years ago
|
||
http://hg.mozilla.org/mozilla-central/rev/1cbedc2d11c6 http://hg.mozilla.org/mozilla-central/rev/e67ea61f46b6 http://hg.mozilla.org/mozilla-central/rev/17e95355ad77
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla14
|
||
Comment 19•12 years ago
|
||
(In reply to Ehsan Akhgari [:ehsan] from comment #18) > http://hg.mozilla.org/mozilla-central/rev/17e95355ad77 This contained a change to pymake. Please explain.
|
|
||
Comment 20•12 years ago
|
||
(In reply to Ms2ger from comment #19) > (In reply to Ehsan Akhgari [:ehsan] from comment #18) > > http://hg.mozilla.org/mozilla-central/rev/17e95355ad77 > > This contained a change to pymake. Please explain. Ack - damn, sorry about that. I was attempting to debug a failure in pymake but thought I'd kept that as a separate patch item but I screwed up. While it should have no negative impact it should be reverted. Should I do that (and if so, should I just to it directly to mozilla-central, or should I open a new bug, or something else)
|
|
||
Comment 21•12 years ago
|
||
Pushed a change to backout the pymake chunk to inbound as rev 91135:1caaf6428d93
You need to log in
before you can comment on or make changes to this bug.
Description
•