
Commit 0c77f38

Added comments on why rooting is required compared to upstream
1 parent a7a99fa commit 0c77f38


5 files changed

+13
-7
lines changed


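--- a/js/src/builtin/Array.cpp
+++ b/js/src/builtin/Array.cpp
@@ -1376,6 +1376,7 @@ bool js::array_join(JSContext* cx, unsigned argc, Value* vp) {
 }
 
 // Step 8.
+// Foxhound: We have to root the string here, as we introduce the TaintOperationFromContext call, which can trigger the GC.
 JS::Rooted<JSString*> str(cx, sb.finishString());
 if (!str) {
 return false;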
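Review bot: The comment added above `JS::Rooted<JSString*> str(cx, sb.finishString());` runs to roughly 120 columns, while Mozilla's C++ style wraps comments at 80, and the same one-line comment is pasted verbatim in JSON.cpp, String.cpp (str_escape, str_normalize, TrimString) and VMFunctions.cpp. Wrapping it also leaves room to name the hazard rather than just the cause: `// Foxhound: root the result, because the TaintOperationFromContext call below can allocate` / `// and so trigger a GC; holding the string as a raw JSString* across it would be unsafe.` Since the same pattern was fixed in six places by hand, running SpiderMonkey's rooting hazard analysis over the Foxhound changes would confirm no further unrooted pointer is held across these calls. The TaintOperationFromContext call the comment refers to is not in the hunk; array_join's body continues past it.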

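--- a/js/src/builtin/JSON.cpp
+++ b/js/src/builtin/JSON.cpp
@@ -2358,14 +2358,16 @@ bool json_stringify(JSContext* cx, unsigned argc, Value* vp) {
 // needs to support returning undefined. So this is a little awkward
 // for the API, because we want to support streaming writers.
 if (!sb.empty()) {
+// Foxhound: We have to root the string here, as we introduce the TaintOperationFromContext call, which can trigger the GC.
 JS::Rooted<JSString*> str(cx, sb.finishString());
 if (!str) {
 return false;
 }
 
 // TaintFox: Add stringify operation to taint flows.
-str->taint().extend(TaintOperationFromContext(cx, "JSON.stringify", true));
-
+if(str->isTainted()) {
+str->taint().extend(TaintOperationFromContext(cx, "JSON.stringify", true));
+}
 args.rval().setString(str);
 } else {
 args.rval().setUndefined();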
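Review bot: `if(str->isTainted()) {` is missing the space before the parenthesis that every other condition in this hunk (`if (!sb.empty())`, `if (!str)`) has; write `if (str->isTainted()) {`. The same commit guards the equivalent extend call in VMFunctions.cpp with `str->taint().hasTaint()` rather than `isTainted()`; if the two predicates are equivalent, pick one so readers do not have to check, and if they differ, a comment here should say why stringify uses the other. json_stringify continues outside the hunk.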

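--- a/js/src/builtin/String.cpp
+++ b/js/src/builtin/String.cpp
@@ -526,6 +526,7 @@ static bool str_escape(JSContext* cx, unsigned argc, Value* vp) {
 return true;
 }
 
+// Foxhound: We have to root the string here, as we introduce the TaintOperationFromContext call, which can trigger the GC.
 JS::Rooted<JSString*> res(cx, newChars.toString(cx, newLength));
 if (!res) {
 return false;
@@ -970,7 +971,7 @@ JSString* js::SubstringKernel(JSContext* cx, HandleString str, int32_t beginInt,
 uint32_t len = lengthInt;
 // TaintFox
 SafeStringTaint newTaint = str->taint().safeSubTaint(begin, begin + len);
-
+
 /*
 * Optimization for one level deep ropes.
 * This is common for the following pattern:
@@ -1969,6 +1970,7 @@ static bool str_normalize(JSContext* cx, unsigned argc, Value* vp) {
 form = NormalizationForm::NFC;
 } else {
 // Step 4.
+// Foxhound: We have to root the string here, as we introduce the TaintOperationFromContext call, which can trigger the GC.
 JS::Rooted<JSLinearString*> formStr(cx, ArgToLinearString(cx, args, 0));
 if (!formStr) {
 return false;
@@ -3311,7 +3313,7 @@ static JSLinearString* TrimString(JSContext* cx, JSString* str, bool trimStart,
 TrimString(linear->twoByteChars(nogc), trimStart, trimEnd, length, &begin,
 &end);
 }
-
+// Foxhound: We have to root the string here, as we introduce the TaintOperationFromContext call, which can trigger the GC.
 JS::Rooted<JSLinearString*> result(cx, NewDependentString(cx, linear, begin, end - begin));
 
 // TaintFox: Add trim operation to current taint flow.
@@ -4292,7 +4294,7 @@ static ArrayObject* CharSplitHelper(JSContext* cx, Handle<JSLinearString*> str,
 splits->ensureDenseInitializedLength(0, resultlen);
 
 for (size_t i = 0; i < resultlen; ++i) {
-// TaintFox: code modified to avoid atoms.
+// TaintFox: code modified to avoid atoms, and added rooting because TaintLocationFromContext can trigger a GC.
 JS::Rooted<JSString*> sub(cx, NewDependentString(cx, str, i, 1));
 // was:
 // JSString* sub = staticStrings.getUnitStringForElement(cx, str, i);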
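Review bot: The rewritten comment in CharSplitHelper names `TaintLocationFromContext` as the GC-triggering call, whereas every other comment this commit adds — str_escape, str_normalize and TrimString in this file, plus Array.cpp, JSON.cpp and VMFunctions.cpp — names `TaintOperationFromContext`; the call itself lies outside the hunk so I cannot tell which is accurate, but the two should be reconciled or one of them will mislead the next reader. In the TrimString hunk the new comment takes the place of the blank line after the closing `}`, so the trim block now runs straight into the result declaration; keeping that blank line above the comment matches the surrounding layout. Both the CharSplitHelper loop body and TrimString continue outside their hunks.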

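--- a/js/src/jit/VMFunctions.cpp
+++ b/js/src/jit/VMFunctions.cpp
@@ -1356,7 +1356,8 @@ JSString* StringReplace(JSContext* cx, HandleString string,
 MOZ_ASSERT(string);
 MOZ_ASSERT(pattern);
 MOZ_ASSERT(repl);
-// Foxhound: this will propagate the taint but not add the operation
+// Foxhound: this will propagate the taint but not add the operation.
+// Foxhound: We have to root the string here, as we introduce the TaintOperationFromContext call, which can trigger the GC.
 Rooted<JSString*> str(cx, str_replace_string_raw(cx, string, pattern, repl));
 if (str && str->taint().hasTaint()) {
 str->taint().extend(TaintOperationFromContext(cx, "replace", true, pattern, repl));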
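Review bot: The two stacked `// Foxhound:` lines above `Rooted<JSString*> str(cx, str_replace_string_raw(...))` read as unrelated remarks, and the first one's "this" has no explicit subject; the `str_replace_string_raw` call on the next line appears to be what it refers to. A single comment such as `// Foxhound: str_replace_string_raw propagates the taint but does not record the operation;` / `// the TaintOperationFromContext call below can trigger a GC, so the result must be rooted.` says both things in one place and names the callee. StringReplace's body continues past the hunk.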

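--- a/js/src/jstaint.cpp
+++ b/js/src/jstaint.cpp
@@ -417,7 +417,7 @@ void JS::WriteTaintToFile(JSContext* cx, JSString* str, HandleValue location) {
 
 char suffix_path[2048] = {0};
 SprintfLiteral(suffix_path, "%s.%d.%u.json", filename, getpid(), counter++);
-
+
 Fprinter output;
 if (!output.init(suffix_path)) {
 SEprinter p;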
