Closed
Bug 963738
Opened 11 years ago
Closed 10 years ago
Handle Arrays in the analysis
Categories
(Core :: JavaScript Engine, defect)
Core
JavaScript Engine
Tracking
()
RESOLVED
FIXED
mozilla29
Tracking | Status | |
---|---|---|
firefox40 | --- | fixed |
People
(Reporter: sfink, Assigned: sfink)
References
Details
Attachments
(5 files, 2 obsolete files)
(deleted),
patch
|
terrence
:
review+
|
Details | Diff | Splinter Review |
(deleted),
patch
|
jonco
:
review+
|
Details | Diff | Splinter Review |
(deleted),
patch
|
benjamin
:
review+
|
Details | Diff | Splinter Review |
(deleted),
patch
|
bhackett1024
:
review+
|
Details | Diff | Splinter Review |
(deleted),
patch
|
terrence
:
review+
|
Details | Diff | Splinter Review |
Value[] foo = { ... };
is currently being entirely ignored, because it shows up in the analysis as an "Array", and the analysis only knows "Pointer" and "CSU" (Class/Struct/Union.)
Assignee | ||
Comment 1•11 years ago
|
||
Large bump in the number of hazards.
Attachment #8365276 -
Flags: review?(terrence)
Assignee | ||
Updated•11 years ago
|
Group: core-security
Comment 2•11 years ago
|
||
Comment on attachment 8365276 [details] [diff] [review]
Handle Arrays in the analysis
Review of attachment 8365276 [details] [diff] [review]:
-----------------------------------------------------------------
r=me
Attachment #8365276 -
Flags: review?(terrence) → review+
Comment 3•11 years ago
|
||
I've verified that all identified hazards are false positives or in tests, so opening up.
Group: core-security
Comment 4•11 years ago
|
||
This is all the low-hanging fruit. I have one other largish patch for nsJSNPRuntime, which I've split off for gecko peer review. There are three remaining hazards which are all false positives for which simple code reorganization will not work. We'll need to think of some other mechanism(s) for those.
Attachment #8366919 -
Flags: review?(jcoppeard)
Comment 5•11 years ago
|
||
Try run for the stack:
https://tbpl.mozilla.org/?tree=Try&rev=f29bb9b0d9b6
Comment 6•11 years ago
|
||
Will flag this for review when the try run is green.
Comment 7•11 years ago
|
||
Comment on attachment 8366950 [details] [diff] [review]
hazard_npapi-v0.diff
Review of attachment 8366950 [details] [diff] [review]:
-----------------------------------------------------------------
::: dom/plugins/base/nsJSNPRuntime.cpp
@@ -634,5 @@
> } else {
> fv = OBJECT_TO_JSVAL(npjsobj->mJSObj);
> }
>
> - JS::Value jsargs_buf[8];
Could we use AutoValueVector here? It looks like it will handle allocating the elements possibly-inline for us.
Comment 8•11 years ago
|
||
Comment on attachment 8366919 [details] [diff] [review]
hazards_array-v0.diff
Review of attachment 8366919 [details] [diff] [review]:
-----------------------------------------------------------------
This all looks good.
Attachment #8366919 -
Flags: review?(jcoppeard) → review+
Comment 9•11 years ago
|
||
I noticed the try run was failing. It turns out this was caused by the fix for bug 962256, so I kicked off a new one without that patch:
https://tbpl.mozilla.org/?tree=Try&rev=916abaa43b1f
Comment 10•11 years ago
|
||
Try looks good:
remote: https://hg.mozilla.org/integration/mozilla-inbound/rev/ce4d2dd81858
Comment 11•11 years ago
|
||
Great idea, Jon! The default inline count is even 8, so we don't even need to pass through new template args to get identical behavior.
Attachment #8367698 -
Flags: review?(benjamin)
Comment 12•11 years ago
|
||
This time with more qreffing.
Attachment #8366950 -
Attachment is obsolete: true
Attachment #8367698 -
Attachment is obsolete: true
Attachment #8367698 -
Flags: review?(benjamin)
Attachment #8367709 -
Flags: review?(benjamin)
Comment 13•11 years ago
|
||
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla29
Updated•11 years ago
|
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Whiteboard: [leave open]
Updated•11 years ago
|
Attachment #8367709 -
Flags: review?(benjamin) → review+
Comment 14•11 years ago
|
||
Comment 15•11 years ago
|
||
Comment 16•11 years ago
|
||
And we're good now.
Status: REOPENED → RESOLVED
Closed: 11 years ago → 11 years ago
Resolution: --- → FIXED
Assignee | ||
Comment 17•10 years ago
|
||
Whoops, this should never have been closed. The actual hazards have been fixed, but the analysis patch never landed because there were some nuisance false positives left.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Assignee | ||
Comment 18•10 years ago
|
||
When adding in stack arrays to the analysis, I hit a false positive that looked
something like this:
GCPointer localArray[10];
GCPointer *data = nullptr;
localArray[3] = JS::NewGCThing(...);
if (...)
data = localArray;
canGC();
if (data != localArray)
free(data);
The idea is that you get a fixed-size buffer on the stack to store a set of GC pointers, and if you need more space it gets malloced. The analysis sees this as a hazard, because 'localArray' is live after the canGC() call due to its use in the |if (data != localArray)| call. But its *contents* are never examined, so this is a false positive -- if a GC thing in localArray were moved, nothing would ever see it.
So I'd like to allow this use by saying that Assume(...var...) doesn't extend var's live range, unless it's in the form of Assume(...*var...).
I believe that this might also help with situations like:
JSObject *raw = ...;
RootedObject rooted(cx, raw);
canGC();
if (rooted != raw) {
...do expensive fixup stuff...
}
though perhaps the fixup stuff will always end up using 'raw' in a way that extends the live range? I haven't looked at examples. (The attached patch does not ignore any Assign or Call that uses the variable without dereferencing it.)
Attachment #8585561 -
Flags: review?(bhackett1024)
Updated•10 years ago
|
Attachment #8585561 -
Flags: review?(bhackett1024) → review+
Assignee | ||
Comment 19•10 years ago
|
||
Ok, now that I'm all educated on interning (pinning) and understand that this is not a hazard because of the interning (pinning), I agree that this should just be annotated away.
The most precise annotation I could come up with is for XPCNativeMember (since I didn't want to annotate away jsid entirely, even though an argument could be made for it.)
But it's a weird annotation. And I hope to stop pinning these jsids, in which case we'll need to root here after all. But that will also require fixing NPIdentifier, so I stuck in an annotation for it at the same time. (The analysis currently doesn't see it because the compiler only sees it as a void*.) That way, I'll remember to remove both annotations at the same time.
Attachment #8588745 -
Flags: review?(terrence)
Updated•10 years ago
|
Attachment #8588745 -
Flags: review?(terrence) → review+
Assignee | ||
Updated•10 years ago
|
Whiteboard: [leave open]
Comment 20•10 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/b471ab566d1c
https://hg.mozilla.org/mozilla-central/rev/be2e7aeee256
https://hg.mozilla.org/mozilla-central/rev/3ac7d11365a2
Status: REOPENED → RESOLVED
Closed: 11 years ago → 10 years ago
status-firefox40:
--- → fixed
Resolution: --- → FIXED
You need to log in
before you can comment on or make changes to this bug.
Description
•