Bug 950118 - Don't allow the object metadata hook to reenter JS
Status: Closed (RESOLVED FIXED)
Opened 12 years ago; closed 12 years ago
Categories: Core :: JavaScript Engine, defect
Target Milestone: mozilla29
People: Reporter: bhackett1024, Assigned: bhackett1024
Whiteboard: [qa-]
Attachments (1 file): patch, 6.08 KB, jimb: review+
Description
Allowing the object metadata hook to reenter JS allows all sorts of silly cases to be found by fuzzers which have no bearing on how the metadata hook will be used. Users of this callback do not need to let it reenter JS (let alone invoke arbitrary JS).
The attached patch uses AutoEnterAnalysis to disallow reentering JS within the metadata hook, and updates the C++ hook in the testing functions to do something interesting --- make a metadata object with the creation index and stack information for the allocation.
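The description above states the two ideas of the patch: an RAII guard that refuses script execution while the metadata hook runs, and a hook that records the creation index and a stack snapshot. The following is an added, self-contained C++ model of that pattern written for this page; it is not the SpiderMonkey patch and uses none of its real types (JSCompartment, AutoEnterAnalysis, the testing-function hook are all replaced by the hypothetical names Compartment, AutoNoReenter, metadataHook, runScript). The "call stack" is a constructed vector of frame names, not engine frames.

```cpp
#include <cstddef>
#include <string>
#include <vector>

// Hypothetical stand-in for an engine compartment (not JSCompartment).
struct Compartment {
    bool activeAnalysis = false;        // while true, script execution is refused
    std::vector<std::string> frames;    // constructed mock of the JS call stack
    size_t creationIndex = 0;           // monotonically increasing allocation counter
    int rejectedReentries = 0;          // how often a hook tried to run script
    std::vector<struct Object> allocated; // every object created, for inspection
};

// Hypothetical RAII guard modelling what AutoEnterAnalysis is described to do:
// mark the compartment as "in analysis" for the guard's lifetime and restore
// the previous state on scope exit, even if the hook returns early.
class AutoNoReenter {
    Compartment& comp_;
    bool prev_;
public:
    explicit AutoNoReenter(Compartment& c) : comp_(c), prev_(c.activeAnalysis) {
        comp_.activeAnalysis = true;
    }
    ~AutoNoReenter() { comp_.activeAnalysis = prev_; }
};

// Metadata the hook attaches to each allocation: creation index plus a copy
// of the call stack at allocation time.
struct Metadata {
    size_t index;
    std::vector<std::string> stack;
};

struct Object {
    std::string name;
    Metadata meta;
};

// The engine's only entry point for running script (hypothetical). It refuses
// to run while a hook is active instead of letting arbitrary code reenter.
bool runScript(Compartment& comp, const std::string& fn);

// The metadata hook. The guard is taken before anything else, so any attempt
// to run script from inside the hook is rejected rather than reentering the
// engine. tryReenter exists only to exercise that rejection path.
Metadata metadataHook(Compartment& comp, bool tryReenter) {
    AutoNoReenter guard(comp);
    Metadata m{comp.creationIndex++, comp.frames};
    if (tryReenter && !runScript(comp, "callbackFromHook")) {
        comp.rejectedReentries++;
    }
    return m;
}

// Allocate an object and run the metadata hook for it.
Object newObject(Compartment& comp, const std::string& name, bool hookReenters = false) {
    Object obj{name, metadataHook(comp, hookReenters)};
    comp.allocated.push_back(obj);
    return obj;
}

bool runScript(Compartment& comp, const std::string& fn) {
    if (comp.activeAnalysis) {
        return false;                    // reentry from a hook: refused
    }
    comp.frames.push_back(fn);
    newObject(comp, fn + "_obj");        // a script frame that allocates once
    comp.frames.pop_back();
    return true;
}
```

Running a top-level script allocates one object whose metadata carries index 0 and the stack {"main"}; allocating directly with a hook that tries to reenter yields index 1, an empty stack, and one counted rejection, with activeAnalysis restored to false afterwards by the guard's destructor.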
Comment 1 (bhackett1024, Assignee, 12 years ago)
Assignee: nobody → bhackett1024
Attachment #8347337 - Flags: review?(jimb)
Comment 2 (jimb, 12 years ago)
Comment on attachment 8347337 [details] [diff] [review]
patch
Review of attachment 8347337 [details] [diff] [review]:
-----------------------------------------------------------------
Looks fine.
I wonder whether this is part of a creeping expansion of the meaning of JSCompartment::activeAnalysis, but we can cross that bridge when we come to it.
Attachment #8347337 - Flags: review?(jimb) → review+
Comment 3 (bhackett1024, Assignee, 12 years ago)
Comment 4 (12 years ago)
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla29
Updated (12 years ago)
Whiteboard: [qa-]