Closed
Bug 938615
Opened 11 years ago
Closed 11 years ago
avoid GC hazard in ScriptSource::substring
Categories
(Core :: JavaScript Engine, defect)
Core
JavaScript Engine
Tracking
()
RESOLVED
FIXED
mozilla28
People
(Reporter: luke, Assigned: luke)
References
Details
(Keywords: sec-high, Whiteboard: [adv-main28+])
Attachments
(1 file, 1 obsolete file)
|
10.21 KB,
patch
|
Benjamin
:
review+
|
Details | Diff | Splinter Review |
Actually, I lied in bug 938390 comment 7; it looks like ScriptSource::substring doesn't AutoSupressGC and so a GC at js_NewStringCopyN<CanGC> could wipe out 'chars'. I'll do what I was proposed in that bug.
|
Assignee | |
Updated•11 years ago
|
Group: core-security
|
|
Assignee | |
Comment 1•11 years ago
|
||
Attachment #832347 -
Flags: review?(benjamin)
|
||
Comment 2•11 years ago
|
||
Comment on attachment 832347 [details] [diff] [review]
fix-source-data-bug
Review of attachment 832347 [details] [diff] [review]:
-----------------------------------------------------------------
Why do SourceDataCache methods initialize the guard object rather than the constructor of AutoSupressPurge? To avoid pinning the cache if its not needed?
|
|
Assignee | |
Comment 3•11 years ago
|
||
(In reply to :Benjamin Peterson from comment #2)
Oh, it's arbitrary, I suppose. I definitely like having the methods take the AutoSuppressPurge argument b/c it forces you to think about it. I suppose an alternative is to have the constructor of AutoSuppressPurge take a JSRuntime* and to the inc there and then just have the SourceDataCache methods assert it's the right one. Do you think that would be better?
|
|
||
Comment 4•11 years ago
|
||
Oh, I definitely like that you have to pass the guard to chars(). I just thought it would be more deterministic if you also pinned the cache on construction of the guard. It would also prevent the guard from being initialized twice if you for some reason called put() or lookup() with the same guard.
|
|
Assignee | |
Comment 5•11 years ago
|
||
Yes, that does sound nicer.
Attachment #832347 -
Attachment is obsolete: true
Attachment #832347 -
Flags: review?(benjamin)
Attachment #832458 -
Flags: review?(benjamin)
|
|
||
Comment 6•11 years ago
|
||
Comment on attachment 832458 [details] [diff] [review]
fix-source-data-bug
Review of attachment 832458 [details] [diff] [review]:
-----------------------------------------------------------------
Thanks for tidying that up.
::: js/src/jsscript.cpp
@@ +3184,5 @@
> if (!scriptChars)
> return false;
>
> + SourceDataCache::AutoSuppressPurge asp2(cx);
> + const jschar *lazyChars = lazy->source()->chars(cx, asp2);
Presumably you can reuse |asp1| here?
::: js/src/jsscript.h
@@ +315,5 @@
> + {
> + SourceDataCache &cache_;
> + mozilla::DebugOnly<size_t> oldValue_;
> + public:
> + AutoSuppressPurge(JSContext *cx);
explicit
Attachment #832458 -
Flags: review?(benjamin) → review+
|
|
Assignee | |
Comment 7•11 years ago
|
||
(In reply to :Benjamin Peterson from comment #6)
> Presumably you can reuse |asp1| here?
Oops, yes, now we can.
|
|
Assignee | |
Comment 8•11 years ago
|
||
|
||
Comment 9•11 years ago
|
||
How far back does this problem go?
status-firefox28:
--- → affected
Keywords: sec-high
|
|
Assignee | |
Comment 10•11 years ago
|
||
Looks like it's on release, at least. For context, I think it would be pretty difficult to hit this bug. I already checked crash-stats and nothing in JSScript::substring.
|
||
Comment 11•11 years ago
|
||
Status: NEW → RESOLVED
Closed: 11 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla28
|
||
Updated•11 years ago
|
|
||
Updated•11 years ago
|
|
|
||
Comment 12•11 years ago
|
||
(In reply to Luke Wagner [:luke] from comment #10)
> Looks like it's on release, at least. For context, I think it would be
> pretty difficult to hit this bug. I already checked crash-stats and nothing
> in JSScript::substring.
One of the things we're trying to figure out is if it affects ESR24.
Is there a reason we didn't nominate this for Firefox 27 as a sec-high bug?
|
|
||
Updated•11 years ago
|
Flags: needinfo?(luke)
|
|
Assignee | |
Comment 13•11 years ago
|
||
Since this was theoretical, not discovered, and likely never to happen in practice, I thought it was least risky to let it ride the trains.
Flags: needinfo?(luke)
|
|
||
Comment 14•11 years ago
|
||
Do we need this on ESR24 since it is a sec-high? It isn't clear if it affects ESR24 to me.
|
|
||
Updated•11 years ago
|
Flags: needinfo?(luke)
|
|
Assignee | |
Comment 15•11 years ago
|
||
I assume ESR24 is affected. The patch has some non-trivial rebase conflicts when attempting to apply it to mozilla-esr24 so I'd be really hesitant to attempt to backport this patch lest a separate crash/leak be created.
Flags: needinfo?(luke)
|
|
||
Comment 16•11 years ago
|
||
Ok. Thanks. Dan, what do you think about this for ESR24? Should we avoid it because of potential issues.
Flags: needinfo?(dveditz)
|
|
||
Comment 17•11 years ago
|
||
Let's wontfix for esr24, not worth the risk. I'm not sure about b2g1.2 (gecko26). Doesn't look like any partners are taking that version anyway so maybe just mark it affected for now and we'll worry about it later if necessary.
Flags: needinfo?(dveditz)
|
||
Comment 18•11 years ago
|
||
This would also require some rebasing to land on b2g26. Luke, you OK calling this wontfix there?
Flags: needinfo?(luke)
|
|
||
Updated•11 years ago
|
|
|
||
Updated•11 years ago
|
Whiteboard: [adv-main28+]
|
|
||
Updated•10 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•