849453 - Protect various unsafe accesses to getAllocKind and sizeOfThis

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Terrence Cole [:terrence]]

Attachment: v0

Since Bug 841059 I have uncovered several more invalid calls to these methods on nursery things.

Comment 1

[Terrence Cole [:terrence]]

https://hg.mozilla.org/integration/mozilla-inbound/rev/1ff4af81172a

Comment 2

[Phil Ringnalda (:philor)]

Backed out in https://hg.mozilla.org/integration/mozilla-inbound/rev/79f5f64f33b1 for complete scorched-earth failure.

Comment 3

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/mozilla-central/rev/1ff4af81172a

Comment 4

[Bill McCloskey [inactive unless it's an emergency] (:billm)]

Comment on attachment 723021 [details] [diff] [review]
v0

Review of attachment 723021 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/jsobjinlines.h
@@ +1081,5 @@
>  
>  inline size_t
>  JSObject::computedSizeOfThisSlotsElements() const
>  {
> +    size_t n = js::gc::Arena::thingSize(js::gc::GetGCObjectFixedSlotsKind(numFixedSlots()));

I'm now concerned that this is wrong for arrays. They have fixed slots, bit numFixedSlots() == 0. However, I can't find any useful callers for computedSizeOfThisSlotsElements. Maybe we should just remove this function.

Comment 5

[Till Schneidereit [:till]]

(In reply to Bill McCloskey (:billm) from comment #4)
> I'm now concerned that this is wrong for arrays. They have fixed slots, bit
> numFixedSlots() == 0. However, I can't find any useful callers for
> computedSizeOfThisSlotsElements. Maybe we should just remove this function.

I've filed bug 852676 for removing computedSizeOfThisSlotsElements.

Comment 6

[Bill McCloskey [inactive unless it's an emergency] (:billm)]

https://hg.mozilla.org/integration/mozilla-inbound/rev/7ccd3fb99cd9

Please close again when this merges.

Comment 7

[Joe Drew (not getting mail)]

https://hg.mozilla.org/mozilla-central/rev/7ccd3fb99cd9