Closed
Bug 355029
Opened 18 years ago
Closed 18 years ago
Broken JS_PUSH_TEMP_ROOT_OBJECT
Categories
(Core :: JavaScript Engine, defect)
Core
JavaScript Engine
Tracking
()
VERIFIED
FIXED
People
(Reporter: igor, Assigned: igor)
References
Details
(Keywords: verified1.8.0.9, verified1.8.1.1, Whiteboard: [sg:nse] should be safe)
Attachments
(1 file, 2 obsolete files)
|
(deleted),
patch
|
Details | Diff | Splinter Review |
During the evolution of the fix for bug 352846 the macro JS_PUSH_TEMP_ROOT_OBJECT (that I added to have a convenient rooted pointer for JSObject*) ended up with a broken assignment to -3 of the counter.
Fortunately it is used only at one place in jsarray.c where GC hazard is not possible due to fragile properties of the current code that ensure rooting of object. Moreover, the GC scanning code in jsgc.c when interpreting the counter as array length uses pointer arithmentic and < as a compare operation so that -3 would not allow to access junk memory. So the fix can wait FF 2.0.1.
|
Assignee | |
Comment 1•18 years ago
|
||
Another oversight: I forgot to mark the bug as security-restricted.
Group: security
|
|
Assignee | |
Comment 2•18 years ago
|
||
Attachment #240817 -
Flags: review?(brendan)
|
||
Comment 3•18 years ago
|
||
Comment on attachment 240817 [details] [diff] [review]
Fix v1.
>+ * Alternatively, if a single pointer to rooted JSObject * is required, use
>+ * JS_PUSH_TEMP_ROOT_OBJECT(cx, NULL, &tvr). Then &tvr.u.object gives the
>+ * necessary pointer.
Comment should say something like "... gives the necessary pointer, which puns tvr.u.value safely because object tag bits are all zeroes."
/be
Attachment #240817 -
Flags: review?(brendan) → review+
|
|
Assignee | |
Comment 4•18 years ago
|
||
Patch to commit with updated comments.
Attachment #240817 -
Attachment is obsolete: true
|
|
Assignee | |
Comment 5•18 years ago
|
||
Patch to commit with really updated comments.
Attachment #240836 -
Attachment is obsolete: true
|
|
Assignee | |
Comment 6•18 years ago
|
||
I committed the patch from comment 5 to the trunk:
Checking in jscntxt.h;
/cvsroot/mozilla/js/src/jscntxt.h,v <-- jscntxt.h
new revision: 3.121; previous revision: 3.120
done
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
|
||
Updated•18 years ago
|
Flags: in-testsuite-
|
||
Comment 8•18 years ago
|
||
Comment 0 mentions this as a cleanup for bug 352846 which appears to apply to the 1.8.0 branch, but then marks this as a blocker for bug 354982 (Iterator cleanup) which does not. Nominating for 1.8.0.9 just to be on the safe side.
|
|
||
Updated•18 years ago
|
Flags: blocking1.8.1.1?
Flags: blocking1.8.1.1+
Flags: blocking1.8.0.9?
Flags: blocking1.8.0.9+
|
|
Assignee | |
Comment 9•18 years ago
|
||
Comment on attachment 240838 [details] [diff] [review]
Fix 1b for real
This is must-to-fix regression from bug 355029.
Attachment #240838 -
Flags: approval1.8.0.9?
|
|
Assignee | |
Comment 10•18 years ago
|
||
Comment on attachment 240838 [details] [diff] [review]
Fix 1b for real
I will include the regression fix into the patch for the bug itself.
Attachment #240838 -
Flags: approval1.8.0.9?
|
|
Assignee | |
Updated•18 years ago
|
|
|
Assignee | |
Comment 11•18 years ago
|
||
Fixed on 1.8.1 as a part of the patch for the branch from bug 352846.
Keywords: fixed1.8.1.1
|
|
Assignee | |
Comment 12•18 years ago
|
||
The fix committed to 1.8.0 branch from bug 354982 already had the changes to address this bug as well.
Keywords: fixed1.8.0.9
|
|
||
Comment 13•18 years ago
|
||
verified fixed 1.8.0.9, 1.8.1.1, 1.9 by code inspection: all branches contain (tvr)->count = -1; in JS_PUSH_TEMP_ROOT_OBJECT
Status: RESOLVED → VERIFIED
|
|
||
Updated•18 years ago
|
Group: security
You need to log in
before you can comment on or make changes to this bug.
Description
•