Added comments on why rooting is required compared to upstream

leeN · leeN · commit 0c77f38145af · 2025-03-26T08:29:24.000Z
diff --git a/js/src/builtin/Array.cpp b/js/src/builtin/Array.cpp
@@ -1376,6 +1376,7 @@ bool js::array_join(JSContext* cx, unsigned argc, Value* vp) {
   }
 
   // Step 8.
+  // Foxhound: We have to root the string here, as we introduce the TaintOperationFromContext call, which can trigger the GC.
   JS::Rooted<JSString*> str(cx, sb.finishString());
   if (!str) {
     return false;
diff --git a/js/src/builtin/JSON.cpp b/js/src/builtin/JSON.cpp
@@ -2358,14 +2358,16 @@ bool json_stringify(JSContext* cx, unsigned argc, Value* vp) {
   // needs to support returning undefined. So this is a little awkward
   // for the API, because we want to support streaming writers.
   if (!sb.empty()) {
+    // Foxhound: We have to root the string here, as we introduce the TaintOperationFromContext call, which can trigger the GC.
     JS::Rooted<JSString*> str(cx, sb.finishString());
     if (!str) {
       return false;
     }
 
     // TaintFox: Add stringify operation to taint flows.
-    str->taint().extend(TaintOperationFromContext(cx, "JSON.stringify", true));
-
+    if(str->isTainted()) {
+      str->taint().extend(TaintOperationFromContext(cx, "JSON.stringify", true));
+    }
     args.rval().setString(str);
   } else {
     args.rval().setUndefined();
diff --git a/js/src/builtin/String.cpp b/js/src/builtin/String.cpp
@@ -526,6 +526,7 @@ static bool str_escape(JSContext* cx, unsigned argc, Value* vp) {
     return true;
   }
 
+  // Foxhound: We have to root the string here, as we introduce the TaintOperationFromContext call, which can trigger the GC.
   JS::Rooted<JSString*> res(cx, newChars.toString(cx, newLength));
   if (!res) {
     return false;
@@ -970,7 +971,7 @@ JSString* js::SubstringKernel(JSContext* cx, HandleString str, int32_t beginInt,
   uint32_t len = lengthInt;
   // TaintFox
   SafeStringTaint newTaint = str->taint().safeSubTaint(begin, begin + len);
-  
+
   /*
    * Optimization for one level deep ropes.
    * This is common for the following pattern:
@@ -1969,6 +1970,7 @@ static bool str_normalize(JSContext* cx, unsigned argc, Value* vp) {
     form = NormalizationForm::NFC;
   } else {
     // Step 4.
+    // Foxhound: We have to root the string here, as we introduce the TaintOperationFromContext call, which can trigger the GC.
     JS::Rooted<JSLinearString*> formStr(cx, ArgToLinearString(cx, args, 0));
     if (!formStr) {
       return false;
@@ -3311,7 +3313,7 @@ static JSLinearString* TrimString(JSContext* cx, JSString* str, bool trimStart,
     TrimString(linear->twoByteChars(nogc), trimStart, trimEnd, length, &begin,
                &end);
   }
-
+  // Foxhound: We have to root the string here, as we introduce the TaintOperationFromContext call, which can trigger the GC.
   JS::Rooted<JSLinearString*> result(cx, NewDependentString(cx, linear, begin, end - begin));
 
   // TaintFox: Add trim operation to current taint flow.
@@ -4292,7 +4294,7 @@ static ArrayObject* CharSplitHelper(JSContext* cx, Handle<JSLinearString*> str,
   splits->ensureDenseInitializedLength(0, resultlen);
 
   for (size_t i = 0; i < resultlen; ++i) {
-    // TaintFox: code modified to avoid atoms.
+    // TaintFox: code modified to avoid atoms, and added rooting because TaintLocationFromContext can trigger a GC.
     JS::Rooted<JSString*> sub(cx, NewDependentString(cx, str, i, 1));
     // was:
     // JSString* sub = staticStrings.getUnitStringForElement(cx, str, i);
diff --git a/js/src/jit/VMFunctions.cpp b/js/src/jit/VMFunctions.cpp
@@ -1356,7 +1356,8 @@ JSString* StringReplace(JSContext* cx, HandleString string,
   MOZ_ASSERT(string);
   MOZ_ASSERT(pattern);
   MOZ_ASSERT(repl);
-  // Foxhound: this will propagate the taint but not add the operation
+  // Foxhound: this will propagate the taint but not add the operation.
+  // Foxhound: We have to root the string here, as we introduce the TaintOperationFromContext call, which can trigger the GC.
   Rooted<JSString*> str(cx, str_replace_string_raw(cx, string, pattern, repl));
   if (str && str->taint().hasTaint()) {
     str->taint().extend(TaintOperationFromContext(cx, "replace", true, pattern, repl));
diff --git a/js/src/jstaint.cpp b/js/src/jstaint.cpp
@@ -417,7 +417,7 @@ void JS::WriteTaintToFile(JSContext* cx, JSString* str, HandleValue location) {
 
   char suffix_path[2048] = {0};
   SprintfLiteral(suffix_path, "%s.%d.%u.json", filename, getpid(), counter++);
-  
+
   Fprinter output;
   if (!output.init(suffix_path)) {
     SEprinter p;

Original file line number	Diff line number	Diff line change
`@@ -1376,6 +1376,7 @@ bool js::array_join(JSContext* cx, unsigned argc, Value* vp) {`
`1376`	`1376`	`}`
`1377`	`1377`
`1378`	`1378`	`// Step 8.`
	`1379`	`+ // Foxhound: We have to root the string here, as we introduce the TaintOperationFromContext call, which can trigger the GC.`
`1379`	`1380`	`JS::Rooted<JSString*> str(cx, sb.finishString());`
`1380`	`1381`	`if (!str) {`
`1381`	`1382`	`return false;`