Closed
Bug 790108
Opened 12 years ago
Closed 12 years ago
IonMonkey: ion::ArrayPushDense is not moving GC safe
Categories
(Core :: JavaScript Engine, defect)
Core
JavaScript Engine
Tracking
()
RESOLVED
FIXED
mozilla18
Tracking | Status | |
---|---|---|
firefox17 | --- | unaffected |
firefox18 | --- | fixed |
firefox-esr10 | --- | unaffected |
firefox-esr17 | --- | unaffected |
People
(Reporter: dvander, Assigned: jandem)
References
Details
(Whiteboard: [adv-main18-])
Attachments
(2 files)
5.71 KB,
patch
|
dvander
:
review+
|
Details | Diff | Splinter Review |
1.76 KB,
patch
|
terrence
:
review+
|
Details | Diff | Splinter Review |
I'm not sure if this affects anything yet, but ion::ArrayPushDense calls js::array_push with a fake-o argv. The argv is not rooted. The items in the argv are rooted, but we won't explicitly mark argv.
Assignee | ||
Comment 1•12 years ago
|
||
Modifies the pop/shift/push stubs to take HandleObject and MutableHandleValue.
Assignee | ||
Comment 2•12 years ago
|
||
I'm not sure how to proceed with part 2. GC people, what's the right way to root argv here (obj is a HandleObject and v a HandleValue):
Value argv[] = { UndefinedValue(), ObjectValue(*obj), v };
if (!js::array_push(cx, 1, argv))
return false;
Similar-looking code in jsproxy.cpp uses AutoValueArray, is it okay to use it here or is it left over from the old GC rooters?
Comment 3•12 years ago
|
||
I fixed up something very similar in the jsapi-tests yesterday.
The answer is that we do not currently have a great answer. It is finally possible to use RootedValue here: we now have an empty constructor which will use the TlsRuntime. However, the inline initialization did not work when I tried it: I had to give an explicit size and split out the initializations onto separate lines.
Given the above, I think your best bet is to go with AutoValueArray. Once we do get a good solution in place (possibly after we enable exact rooting), we are going to revisit all of the places where we're using AutoValueArray anyway. We can fix it up at the same time as we fix the other uses.
Reporter | ||
Updated•12 years ago
|
Attachment #660004 -
Flags: review?(dvander) → review+
Assignee | ||
Comment 4•12 years ago
|
||
Use AutoValueArray per comment 3 (thanks!).
Attachment #660363 -
Flags: review?(terrence)
Comment 5•12 years ago
|
||
Since we don't currently have a moving GC this isn't a current security issue; I don't want to give it a scary rating but I don't want to lose track of it. Do we have a meta bug for moving GC that we could make this block?
Comment 6•12 years ago
|
||
This is also an issue for exact stack rooting, so blocking on that.
Blocks: ExactRooting
Comment 7•12 years ago
|
||
Comment on attachment 660363 [details] [diff] [review]
Part 2: Use AutoValueArray
Review of attachment 660363 [details] [diff] [review]:
-----------------------------------------------------------------
Awesome!
Attachment #660363 -
Flags: review?(terrence) → review+
Assignee | ||
Comment 8•12 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/e84c9f521388
https://hg.mozilla.org/integration/mozilla-inbound/rev/d7ceaa28629d
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Assignee | ||
Comment 9•12 years ago
|
||
Sorry, closed this without thinking.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Comment 10•12 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/e84c9f521388
https://hg.mozilla.org/mozilla-central/rev/d7ceaa28629d
Status: REOPENED → RESOLVED
Closed: 12 years ago → 12 years ago
status-firefox18:
--- → fixed
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla18
Updated•12 years ago
|
status-firefox-esr10:
--- → unaffected
status-firefox17:
--- → unaffected
Updated•12 years ago
|
status-firefox-esr17:
--- → unaffected
Whiteboard: [adv-main18-]
Updated•12 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•