Protect various unsafe accesses to getAllocKind and sizeOfThis

RESOLVED FIXED in mozilla22

Status


defect
RESOLVED FIXED
7 years ago
6 years ago

People

(Reporter: terrence, Assigned: terrence)

Tracking

Trunk
mozilla22
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment)

Posted patch v0 (Splinter Review)
Since Bug 841059 I have uncovered several more invalid calls to these methods on nursery things.
Attachment #723021 - Flags: review?(wmccloskey)
Attachment #723021 - Flags: review?(wmccloskey) → review+
Backed out in https://hg.mozilla.org/integration/mozilla-inbound/rev/79f5f64f33b1 for complete scorched-earth failure.
https://hg.mozilla.org/mozilla-central/rev/1ff4af81172a
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla22
Comment on attachment 723021 [details] [diff] [review]
v0

Review of attachment 723021 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/jsobjinlines.h
@@ +1081,5 @@
>  
>  inline size_t
>  JSObject::computedSizeOfThisSlotsElements() const
>  {
> +    size_t n = js::gc::Arena::thingSize(js::gc::GetGCObjectFixedSlotsKind(numFixedSlots()));
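Review bot: the new line derives the object's size from `numFixedSlots()` via `GetGCObjectFixedSlotsKind`, which only matches the real allocation size when an object's alloc kind is fully determined by its fixed-slot count; for any object class allocated with a kind that does not follow from `numFixedSlots()`, `n` will underestimate the size of the object, and that assumption is neither stated nor checked here. Since this replaces a path that read the alloc kind directly, consider documenting the assumption in a comment above the line, and, where the object is known to be tenured (so `getAllocKind` is safe to call), adding an assertion that the computed kind agrees with the actual one, so a mismatch is caught in debug builds rather than silently producing a wrong size.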

I'm now concerned that this is wrong for arrays. They have fixed slots, but numFixedSlots() == 0. However, I can't find any useful callers for computedSizeOfThisSlotsElements. Maybe we should just remove this function.
Attachment #723021 - Flags: review+
(In reply to Bill McCloskey (:billm) from comment #4)
> I'm now concerned that this is wrong for arrays. They have fixed slots, but
> numFixedSlots() == 0. However, I can't find any useful callers for
> computedSizeOfThisSlotsElements. Maybe we should just remove this function.

I've filed bug 852676 for removing computedSizeOfThisSlotsElements.
https://hg.mozilla.org/integration/mozilla-inbound/rev/7ccd3fb99cd9

Please close again when this merges.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
https://hg.mozilla.org/mozilla-central/rev/7ccd3fb99cd9
Status: REOPENED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED