Whitelist PLDHashTableOps.hashKey

RESOLVED FIXED in mozilla28

Component: Core :: JavaScript Engine
Status: RESOLVED FIXED (reported 4 years ago, last modified 4 years ago)
Reporter: sfink, Assigned: sfink
Version: unspecified
Target Milestone: mozilla28
Attachments: 1

Description (sfink, Assignee, 4 years ago)
Hazard:

Function 'uint8 mozilla::dom::Navigator::HasTelephonySupport(JSContext*, JSObject*)' has unrooted 'aGlobal' of type 'JSObject*' live across GC call 'uint32 mozilla::Preferences::GetBool(int8*, uint8*)' at dom/base/Navigator.cpp:1706
    dom/base/Navigator.cpp:1705: Assign(1,2, enabled := 0)
    dom/base/Navigator.cpp:1706: Call(2,3, GetBool("dom.telephony.enabled",enabled))
    dom/base/Navigator.cpp:1707: Call(3,4, __temp_1 := __builtin_expect(!enabled*,0))
    dom/base/Navigator.cpp:1707: Assume(4,7, (__temp_1* != 0), false)
    dom/base/Navigator.cpp:1709: Call(7,8, __temp_3 := GetWindowFromGlobal(aGlobal*))
GC Function: uint32 mozilla::Preferences::GetBool(int8*, uint8*)
    PREF_GetBoolPref
    PrefHashEntry* pref_HashTableLookup(void*)
    PL_DHashTableOperate
    FieldCall: PLDHashTableOps.hashKey

I really hope nobody calls back into JS in order to compute a hash key. Am I naively optimistic?
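To make concrete why the analysis reported this hazard and what whitelisting a field call changes, here is a small model of the two rules the report turns on. This is an added example written for this page, not Mozilla's analysis code (the real analysis runs sixgill over compiled control-flow graphs); the call graph and function body are constructed from the report above, while the GC sink name "js::GC", the statement tuple shapes and the rooted variant of the function are assumptions of the example.

```python
"""Toy model of the GC rooting hazard analysis (added example, not Mozilla code).

Two rules are modelled:
  1. A function "can GC" if it reaches a known GC function, or if it makes an
     indirect call through a function-pointer field (a FieldCall) whose target
     the analysis cannot see, unless that field is whitelisted as non-GC.
  2. A hazard is an unrooted pointer to a GC thing (a raw JSObject*) that is
     defined before a call that can GC and still used after it.
"""

# Constructed call graph (from the report in comment 0): caller -> callees.
# Indirect calls are written "FieldCall:<Type>.<field>" like the analysis output.
CALL_GRAPH = {
    "mozilla::dom::Navigator::HasTelephonySupport": [
        "mozilla::Preferences::GetBool",
        "GetWindowFromGlobal",
    ],
    "mozilla::Preferences::GetBool": ["PREF_GetBoolPref"],
    "PREF_GetBoolPref": ["pref_HashTableLookup"],
    "pref_HashTableLookup": ["PL_DHashTableOperate"],
    "PL_DHashTableOperate": ["FieldCall:PLDHashTableOps.hashKey"],
    "GetWindowFromGlobal": [],
}

# Functions known to trigger a collection (assumed name for this example).
GC_SINKS = frozenset({"js::GC"})

# Raw pointer types that must be rooted across a GC. A JS::Rooted<...> wrapper
# is not in this set, so variables of that type are never reported.
UNROOTED_GC_TYPES = frozenset({"JSObject*", "JSString*"})

# Constructed body of HasTelephonySupport, following the line listing in
# comment 0: ("param"|"assign", name, type) and ("call", callee, [args]).
HAS_TELEPHONY_SUPPORT = [
    ("param", "aGlobal", "JSObject*"),
    ("assign", "enabled", "uint8"),
    ("call", "mozilla::Preferences::GetBool", ["enabled"]),
    ("call", "GetWindowFromGlobal", ["aGlobal"]),
]

# Assumed rooted variant: copy aGlobal into a JS::Rooted before the GC call
# and use only the rooted copy afterwards.
HAS_TELEPHONY_SUPPORT_ROOTED = [
    ("param", "aGlobal", "JSObject*"),
    ("assign", "global", "JS::Rooted<JSObject*>"),
    ("assign", "enabled", "uint8"),
    ("call", "mozilla::Preferences::GetBool", ["enabled"]),
    ("call", "GetWindowFromGlobal", ["global"]),
]


def gc_path(func, graph=CALL_GRAPH, sinks=GC_SINKS, whitelist=frozenset()):
    """Return the call chain from func to something that may GC, or None.

    An unresolved FieldCall counts as a GC unless its field is whitelisted:
    the analysis cannot see the target, so it assumes the worst. Whitelisting
    "PLDHashTableOps.hashKey" (the fix in this bug) asserts that no hash-key
    callback calls back into JS.
    """
    seen = set()

    def walk(f, path):
        if f in seen:
            return None
        seen.add(f)
        path = path + [f]
        if f in sinks:
            return path
        if f.startswith("FieldCall:"):
            return None if f[len("FieldCall:"):] in whitelist else path
        for callee in graph.get(f, ()):
            hit = walk(callee, path)
            if hit:
                return hit
        return None

    return walk(func, [])


def find_hazards(body, graph=CALL_GRAPH, sinks=GC_SINKS, whitelist=frozenset()):
    """Return (variable, callee, gc_path) for each unrooted GC pointer that is
    live (defined before, used as a call argument after) across a GC call."""
    hazards = []
    unrooted = set()
    for i, stmt in enumerate(body):
        if stmt[0] in ("param", "assign"):
            _, name, typ = stmt
            if typ in UNROOTED_GC_TYPES:
                unrooted.add(name)
            else:
                unrooted.discard(name)
        elif stmt[0] == "call":
            _, callee, _args = stmt
            path = gc_path(callee, graph, sinks, whitelist)
            if path is None:
                continue
            later_uses = {a for s in body[i + 1:] if s[0] == "call" for a in s[2]}
            for name in sorted(unrooted & later_uses):
                hazards.append((name, callee, path))
    return hazards


if __name__ == "__main__":
    for label, wl in (("no whitelist", frozenset()),
                      ("hashKey whitelisted", frozenset({"PLDHashTableOps.hashKey"}))):
        print(label, find_hazards(HAS_TELEPHONY_SUPPORT, whitelist=wl))
```

Run as is, the model reports aGlobal live across GetBool with the same chain as the report (GetBool, PREF_GetBoolPref, pref_HashTableLookup, PL_DHashTableOperate, FieldCall:PLDHashTableOps.hashKey); with the field whitelisted the hazard disappears. Two points the model makes visible: the whitelist is a claim the analysis takes on trust, so a hashKey implementation that did call into JS would go unreported, which is what the question above is really asking; and a direct path to a GC sink is still reported regardless of the whitelist, while the rooted variant needs no assumption about callees at all.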

Comment 1 (sfink, Assignee, 4 years ago)
Created attachment 827539 [details] [diff] [review]
Whitelist PLDHashTableOps.hashKey
Attachment #827539 - Flags: review?(terrence)

(In reply to Steve Fink [:sfink] from comment #0)
> 
> I really hope nobody calls back into JS in order to compute a hash key. Am I
> naively optimistic?

Probably. If Preferences::GetBool is the only place where hashKey is causing problems, could we add JS::AutoAssertNoGC around the hash operations in GetBool instead?

Comment on attachment 827539 [details] [diff] [review]
Whitelist PLDHashTableOps.hashKey

Review of attachment 827539 [details] [diff] [review]:
-----------------------------------------------------------------

r=me for this approach. It turns out that since everything here is inlined, inserting JS dependencies would be annoying.
Attachment #827539 - Flags: review?(terrence) → review+

https://hg.mozilla.org/mozilla-central/rev/3970d972ff8a
Status: ASSIGNED → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla28