Closed Bug 861586 Opened 12 years ago Closed 12 years ago

ParallelArray: CodeGenerator::visitOutOfLineParallelAbort should use ImmGCPtr instead of a (void*) of a JSScript*

Categories

(Core :: JavaScript Engine, defect)

defect
Not set
normal

RESOLVED WORKSFORME

People

(Reporter: nbp, Unassigned)

Details

(Keywords: sec-audit)

So far this is not a security issue as we are not marking any code in parallel execution mode, but we should *never* cast a JSScript pointer to a "void *". I don't know if this is a blocker for exact rooting. Do we plan on moving JSScripts?
Keywords: sec-audit
visitOutOfLineParallelAbort no longer exists but visitOutOfLineAbortPar and other functions call loadOutermostJSScript and loadJSScriptForBlock and these use ImmGCPtr.

(In reply to Nicolas B. Pierron [:nbp] from comment #0)
> Do we plan on moving JSScripts?

Nope, scripts are never allocated in the nursery.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → WORKSFORME
Group: core-security → core-security-release
Group: core-security-release
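
A toy model of the concern raised in comment #0, added here as an example and not SpiderMonkey code: a GC pointer baked into generated code as a plain word is invisible to the collector, while one recorded in a relocation table can be found and updated. `CodeBuffer`, `emitRawPtr`, `emitGCPtr` and `traceAndUpdate` are hypothetical names, and the object move is simulated.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <vector>

struct Script { int id; };  // stand-in for a GC-managed script object

// Hypothetical JIT code buffer holding pointer immediates.
struct CodeBuffer {
    std::vector<uint8_t> bytes;
    std::vector<size_t> dataRelocs;  // offsets of immediates the GC must visit

    // Untracked immediate: what a GC pointer cast to void* becomes.
    size_t emitRawPtr(const void* p) {
        size_t off = bytes.size();
        bytes.resize(off + sizeof p);
        std::memcpy(&bytes[off], &p, sizeof p);
        return off;
    }
    // Tracked immediate: same bytes, plus a relocation entry for the GC.
    size_t emitGCPtr(const Script* p) {
        size_t off = emitRawPtr(p);
        dataRelocs.push_back(off);
        return off;
    }
    const Script* load(size_t off) const {
        const Script* p;
        std::memcpy(&p, &bytes[off], sizeof p);
        return p;
    }
    // The collector only visits recorded slots; raw words are opaque to it.
    void traceAndUpdate(const Script* from, const Script* to) {
        for (size_t off : dataRelocs)
            if (load(off) == from)
                std::memcpy(&bytes[off], &to, sizeof to);
    }
};

// True when the embedded pointer still refers to the live object after a move.
bool survivesMove(bool tracked) {
    Script oldLoc{1}, newLoc{1};  // constructed: same object before and after the move
    CodeBuffer code;
    size_t off = tracked ? code.emitGCPtr(&oldLoc) : code.emitRawPtr(&oldLoc);
    code.traceAndUpdate(&oldLoc, &newLoc);  // simulated relocation
    return code.load(off) == &newLoc;
}

int main() {
    std::printf("tracked: %d, raw: %d\n", survivesMove(true), survivesMove(false));
    return 0;
}
```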