Fix the string corruption bug #428
Merged
String buffer memory would be moved around during a minor GC (nursery collection).

The string buffer pointer obtained by `JS::Get{Latin1,TwoByte}LinearStringChars` remains valid only as long as no GC happens. Even though `JS::PersistentRootedValue` does keep the string buffer from being garbage-collected, it does not guarantee the buffer would not be moved elsewhere during a GC, and so invalidates the string buffer pointer.

The direction of @caleb-distributive's fix in PR #417 is correct. However, from my testing, moving string buffers only happens during nursery collections (minor GC, hooked by `JS::AddGCNurseryCollectionCallback`). The changes in PR 417 only check if the memory address of string buffers has changed during a full GC (hooked by `JS_SetGCCallback`). Nursery collections can happen much more frequently than full GCs.
Also, https://bugzilla.mozilla.org/show_bug.cgi?id=1880044 might have changed the behaviour for garbage collection of string buffers. The latest SpiderMonkey commit on mozilla-central has landed changes to allocate flattened string buffers in the nursery.
This PR would solve the root cause of the following issues: (All because of the string corruption bug)
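The pointer-invalidation behaviour described in the PR description above, as an added illustration that is not part of this PR or of SpiderMonkey's code: a plain C++ model of a moving nursery with rooted handles. The names Heap, StringRoot, getChars, addNurseryCallback, addFullGCCallback, minorGC and fullGC are invented for the example and stand in for the real API; the model only shows why a root that keeps a string alive does not keep its raw char pointer valid, and why a hook on full GC alone misses moves that happen on minor GC.

```cpp
// Added illustration of why a rooted string's raw char pointer dies on a
// nursery (minor) collection. This models a moving nursery in plain C++;
// it is NOT SpiderMonkey code. Heap, StringRoot, getChars, addNurseryCallback,
// addFullGCCallback, minorGC and fullGC are invented names for the example.
#include <cassert>
#include <cstring>
#include <functional>
#include <string>
#include <vector>

using StringRoot = size_t;  // stable handle, like a PersistentRooted: survives moves

class Heap {
public:
    using Callback = std::function<void()>;

    // Allocate a NUL-terminated string in the nursery and return a root for it.
    StringRoot allocString(const std::string& s) {
        size_t n = s.size() + 1;
        assert(top_ + n <= nursery_.size());
        std::memcpy(nursery_.data() + top_, s.c_str(), n);
        cells_.push_back({top_, n});
        top_ += n;
        return cells_.size() - 1;
    }

    // Like JS::GetLatin1LinearStringChars: a raw pointer that is only valid
    // until the next collection moves the buffer.
    const char* getChars(StringRoot r) const { return nursery_.data() + cells_[r].offset; }

    void addNurseryCallback(Callback cb) { nurseryCbs_.push_back(std::move(cb)); }
    void addFullGCCallback(Callback cb) { fullCbs_.push_back(std::move(cb)); }

    // Minor GC: evacuate every live cell into a fresh arena, fix up the roots,
    // and poison the old arena so a stale pointer visibly reads garbage.
    // Only the nursery callbacks fire; a full-GC-only hook never sees this.
    void minorGC() {
        std::vector<char> fresh(nursery_.size());
        size_t top = 0;
        for (Cell& c : cells_) {
            std::memcpy(fresh.data() + top, nursery_.data() + c.offset, c.size);
            c.offset = top;
            top += c.size;
        }
        std::memset(nursery_.data(), 0xAA, nursery_.size());
        oldArena_ = std::move(nursery_);  // keep it allocated so reading it stays defined
        nursery_ = std::move(fresh);
        top_ = top;
        for (Callback& cb : nurseryCbs_) cb();
    }

    // Full GC: in this model, a minor GC followed by the full-GC callbacks.
    void fullGC() {
        minorGC();
        for (Callback& cb : fullCbs_) cb();
    }

private:
    struct Cell { size_t offset; size_t size; };
    std::vector<char> nursery_ = std::vector<char>(4096);
    std::vector<char> oldArena_;
    size_t top_ = 0;
    std::vector<Cell> cells_;
    std::vector<Callback> nurseryCbs_, fullCbs_;
};

// The bug: cache the raw pointer, let a nursery collection happen, keep using it.
// Returns true when the cached pointer no longer sees the string.
bool cachedPointerIsStaleAfterMinorGC() {
    Heap heap;
    StringRoot root = heap.allocString("hello");
    const char* chars = heap.getChars(root);  // valid right now
    heap.minorGC();                           // buffer moved; root fixed up, `chars` was not
    return std::memcmp(chars, "hello", 5) != 0;
}

// A full-GC-only hook does not notice a move caused by a minor GC.
bool fullGCHookMissesMinorMove() {
    Heap heap;
    bool sawGC = false;
    heap.addFullGCCallback([&] { sawGC = true; });
    StringRoot root = heap.allocString("hello");
    const char* chars = heap.getChars(root);
    heap.minorGC();
    return !sawGC && std::memcmp(chars, "hello", 5) != 0;  // moved, hook stayed silent
}

// The fix: hook nursery collections, treat the pointer as dead once one has
// run, and re-fetch it through the root (which the collector fixed up).
std::string refetchThroughRootAfterMinorGC() {
    Heap heap;
    bool moved = false;
    heap.addNurseryCallback([&] { moved = true; });
    StringRoot root = heap.allocString("hello");
    const char* chars = heap.getChars(root);
    heap.minorGC();
    if (moved) { chars = heap.getChars(root); moved = false; }
    return std::string(chars);
}
```

The three functions isolate the three claims: a root keeps the cell alive but not in place, a callback registered only for full GC stays silent across a minor GC, and refreshing the pointer through the root whenever the nursery callback has fired yields the intact string again.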