Closed
Bug 608799
Opened 14 years ago
Closed 14 years ago
potential GC hazard in GetCustomIterator from jsiter.cpp
Categories: Core :: JavaScript Engine, defect
Tracking
Status: RESOLVED FIXED
Flag | Tracking | Status
---|---|---
status2.0 | --- | unaffected
status1.9.2 | --- | unaffected
status1.9.1 | --- | unaffected
People
(Reporter: igor, Assigned: igor)
References
Details
(Whiteboard: [sg:critical?] fixed by 607292)
GetCustomIterator, http://hg.mozilla.org/tracemonkey/file/52f667d7b312/js/src/jsiter.cpp#l398 , contains the following:
js_ReportValueError2(cx, JSMSG_BAD_TRAP_RETURN_VALUE,
-1, ObjectValue(*obj), NULL,
js_AtomToPrintableString(cx, atom))
Here js_AtomToPrintableString(cx, atom) creates a new string instance representing the printable, quoted string and then uses JS_GetStringBytes to get its byte pointer. The pointer is only valid if the GC cannot happen before it is used. But js_ReportValueError2 uses DecompileValueGenerator before passing the pointer to JS_ReportErrorFlagsAndNumber. Yet the decompiler can allocate more GC things. So depending on whether it is possible to trigger allocations during the above error reporting, the GC hazard may or may not exist.
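The hazard the description outlines, as an added illustration that is not code from this bug, from SpiderMonkey, or from bug 607292: a toy heap (arena-allocated strings, a collector that frees and poisons every unrooted string on any allocation) and a stand-in decompile() that allocates, as the real decompiler may. The names ToyHeap, GCString, getBytes, decompile, reportErrorUnsafe, reportErrorRooted and reportErrorCopied are assumptions made for the example. The unsafe version takes the byte pointer, calls the allocating decompiler, and ends up holding a dead pointer; the rooted version keeps the string alive across the call; the copying version never lets a raw pointer into collector-owned memory outlive an allocation, which is the discipline that removing a raw-pointer accessor forces on every caller.

```cpp
// Added illustration of the hazard described in this bug; not SpiderMonkey
// code. The toy heap, its rooting API, decompile() and the report* functions
// are assumptions made for the example.
#include <cassert>
#include <cstdio>
#include <cstring>
#include <deque>
#include <string>
#include <vector>

struct GCString {
    size_t offset;  // position of the NUL-terminated bytes in the arena
    size_t len;     // byte length, excluding the terminator
    bool rooted;    // a rooted string survives collection
    bool alive;     // cleared by the collector
    GCString(size_t o, size_t l) : offset(o), len(l), rooted(false), alive(true) {}
};

class ToyHeap {
public:
    // Allocate a GC string. Here every allocation collects first: the
    // conservative assumption a caller holding a raw pointer has to make.
    GCString* newString(const std::string& s) {
        collect();
        assert(top_ + s.size() + 1 <= arena_.size() && "toy arena exhausted");
        std::memcpy(arena_.data() + top_, s.c_str(), s.size() + 1);
        strings_.emplace_back(top_, s.size());
        top_ += s.size() + 1;
        return &strings_.back();
    }
    // Stand-in for JS_GetStringBytes: a bare pointer into collector-owned memory.
    const char* getBytes(const GCString* s) const { return arena_.data() + s->offset; }
    void root(GCString* s) { s->rooted = true; }
    void unroot(GCString* s) { s->rooted = false; }
    // True if p still points into a live string; a dangling pointer fails.
    bool isLive(const char* p) const {
        size_t off = static_cast<size_t>(p - arena_.data());
        for (const GCString& s : strings_)
            if (s.alive && off >= s.offset && off <= s.offset + s.len) return true;
        return false;
    }
    // Free every unrooted string and poison its bytes, as a debug heap would.
    // The arena is bump-allocated, so a dead address is never handed out again.
    void collect() {
        for (GCString& s : strings_) {
            if (!s.alive || s.rooted) continue;
            s.alive = false;
            std::memset(arena_.data() + s.offset, 0xDB, s.len + 1);
        }
    }
private:
    std::vector<char> arena_ = std::vector<char>(4096, 0);
    size_t top_ = 0;
    std::deque<GCString> strings_;  // deque: element pointers survive push_back
};

// Stand-in for DecompileValueGenerator: producing the text allocates a GC thing.
std::string decompile(ToyHeap& heap, const std::string& value) {
    return std::string(heap.getBytes(heap.newString("(" + value + ")")));
}

// The pattern from the bug: bytes taken before an allocating call, used after it.
// Returns false if the bytes were dead (poisoned) by the time they were needed.
bool reportErrorUnsafe(ToyHeap& heap, const std::string& atom, std::string& out) {
    GCString* printable = heap.newString("\"" + atom + "\"");  // js_AtomToPrintableString
    const char* bytes = heap.getBytes(printable);              // JS_GetStringBytes
    std::string expr = decompile(heap, "obj");                 // allocates; may collect printable
    if (!heap.isLive(bytes)) return false;                     // would read freed memory
    out = "bad trap return value: " + expr + " " + bytes;
    return true;
}

// Fix 1: keep the string rooted for as long as the raw pointer is held.
bool reportErrorRooted(ToyHeap& heap, const std::string& atom, std::string& out) {
    GCString* printable = heap.newString("\"" + atom + "\"");
    heap.root(printable);
    const char* bytes = heap.getBytes(printable);
    std::string expr = decompile(heap, "obj");
    bool live = heap.isLive(bytes);
    if (live) out = "bad trap return value: " + expr + " " + bytes;
    heap.unroot(printable);
    return live;
}

// Fix 2: copy the bytes into caller-owned storage before anything can allocate,
// so no pointer into the GC heap is held across the allocating call at all.
bool reportErrorCopied(ToyHeap& heap, const std::string& atom, std::string& out) {
    std::string printable(heap.getBytes(heap.newString("\"" + atom + "\"")));
    std::string expr = decompile(heap, "obj");
    out = "bad trap return value: " + expr + " " + printable;
    return true;
}

int main() {
    ToyHeap a, b, c;
    std::string out;
    std::printf("unsafe: %s\n", reportErrorUnsafe(a, "next", out) ? out.c_str() : "used a dead pointer");
    std::printf("rooted: %s\n", reportErrorRooted(b, "next", out) ? out.c_str() : "used a dead pointer");
    std::printf("copied: %s\n", reportErrorCopied(c, "next", out) ? out.c_str() : "used a dead pointer");
    return 0;
}
```

The toy collector runs on every allocation, which makes the hazard deterministic; a real engine collects only sometimes, which is exactly why the description calls this a potential hazard rather than a reliable crash, and why a reviewer should treat any call that can allocate as one that can collect. Rooting is only sufficient for a non-moving collector: with a moving one the object stays alive but its bytes can relocate, so copying (or holding a handle rather than a raw pointer) is the fix that survives both.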
Updated • 14 years ago
Assignee: general → igor

Updated • 14 years ago
Whiteboard: [sg:critical?]

Updated • 14 years ago
blocking2.0: --- → ?

Updated • 14 years ago
blocking2.0: ? → final+
Comment 1 • 14 years ago
Trivial fix.
Comment 2 (Assignee) • 14 years ago
I make this a dup of 607292, as that bug removed JS_GetStringBytes, eliminating the problem here.
Status: NEW → RESOLVED
blocking1.9.1: --- → ?
blocking1.9.2: --- → ?
blocking2.0: final+ → ---
Closed: 14 years ago
status2.0: --- → unaffected
Resolution: --- → DUPLICATE
Comment 3 (Assignee) • 14 years ago
Setting the bug as a dup was wrong, as 607292 is not going to be backported. So I make this bug 1.9.* only.
Status: RESOLVED → REOPENED
Resolution: DUPLICATE → ---
Summary: potential GC hazard in GetCustomIterator from jsiter.cpp → potential GC hazard in GetCustomIterator from jsiter.cpp on 1.9.*
Comment 4 (Assignee) • 14 years ago
Sorry for the confusion, but this bug is in code that was never landed on trunk. With bug 607292 this bug is fixed.
Status: REOPENED → RESOLVED
blocking1.9.1: ? → ---
blocking1.9.2: ? → ---
Closed: 14 years ago → 14 years ago
status1.9.2: --- → unaffected
Depends on: 607292
Resolution: --- → FIXED
Updated • 14 years ago
Group: core-security
status1.9.1: --- → unaffected
Summary: potential GC hazard in GetCustomIterator from jsiter.cpp on 1.9.* → potential GC hazard in GetCustomIterator from jsiter.cpp
Whiteboard: [sg:critical?] → [sg:critical?] fixed by 607292