@@ -526,7 +526,8 @@ static bool str_escape(JSContext* cx, unsigned argc, Value* vp) {
526526 return true ;
527527 }
528528
529- JSString* res = newChars.toString (cx, newLength);
529+ // Foxhound: We have to root the string here, as we introduce the TaintOperationFromContext call, which can trigger the GC.
530+ JS::Rooted<JSString*> res (cx, newChars.toString (cx, newLength));
530531 if (!res) {
531532 return false ;
532533 }
@@ -970,7 +971,7 @@ JSString* js::SubstringKernel(JSContext* cx, HandleString str, int32_t beginInt,
970971 uint32_t len = lengthInt;
971972 // TaintFox
972973 SafeStringTaint newTaint = str->taint ().safeSubTaint (begin, begin + len);
973-
974+
974975 /*
975976 * Optimization for one level deep ropes.
976977 * This is common for the following pattern:
@@ -1969,7 +1970,8 @@ static bool str_normalize(JSContext* cx, unsigned argc, Value* vp) {
19691970 form = NormalizationForm::NFC;
19701971 } else {
19711972 // Step 4.
1972- JSLinearString* formStr = ArgToLinearString (cx, args, 0 );
1973+ // Foxhound: We have to root the string here, as we introduce the TaintOperationFromContext call, which can trigger the GC.
1974+ JS::Rooted<JSLinearString*> formStr (cx, ArgToLinearString (cx, args, 0 ));
19731975 if (!formStr) {
19741976 return false ;
19751977 }
@@ -3311,8 +3313,8 @@ static JSLinearString* TrimString(JSContext* cx, JSString* str, bool trimStart,
33113313 TrimString (linear->twoByteChars (nogc), trimStart, trimEnd, length, &begin,
33123314 &end);
33133315 }
3314-
3315- JSLinearString* result = NewDependentString (cx, linear, begin, end - begin);
3316+ // Foxhound: We have to root the string here, as we introduce the TaintOperationFromContext call, which can trigger the GC.
3317+ JS::Rooted< JSLinearString*> result (cx, NewDependentString (cx, linear, begin, end - begin) );
33163318
33173319 // TaintFox: Add trim operation to current taint flow.
33183320 // the acutal trimming of taint ranges has been done in
@@ -4292,8 +4294,8 @@ static ArrayObject* CharSplitHelper(JSContext* cx, Handle<JSLinearString*> str,
42924294 splits->ensureDenseInitializedLength (0 , resultlen);
42934295
42944296 for (size_t i = 0 ; i < resultlen; ++i) {
4295- // TaintFox: code modified to avoid atoms.
4296- JSString* sub = NewDependentString (cx, str, i, 1 );
4297+ // TaintFox: code modified to avoid atoms, and added rooting because TaintLocationFromContext can trigger a GC .
4298+ JS::Rooted< JSString*> sub (cx, NewDependentString (cx, str, i, 1 ) );
42974299 // was:
42984300 // JSString* sub = staticStrings.getUnitStringForElement(cx, str, i);
42994301 if (!sub) {
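Review bot: The new Rooted for `sub` protects only the freshly created string, but the GC point it guards against now sits inside a loop that keeps using `splits` (`ensureDenseInitializedLength` above, and presumably the element store after `if (!sub)`), and `splits` is declared above the hunk where I cannot see whether it is a `Rooted<ArrayObject*>`/Handle or a bare `ArrayObject*`. If it is a bare pointer, a GC triggered from TaintLocationFromContext can move or collect the array while the loop still writes into it — a use-after-GC memory-safety bug, not just a leak — so it should be rooted at its declaration, e.g. `Rooted<ArrayObject*> splits(cx, ...);`, or passed in as a Handle. As a style point, constructing a Rooted on every iteration pushes and pops a root each time; hoisting it, `JS::Rooted<JSString*> sub(cx);` before the `for` and `sub = NewDependentString(cx, str, i, 1);` inside, keeps one root for the whole loop. The comment also names `TaintLocationFromContext` while the other three hunks name `TaintOperationFromContext`; whichever call is actually made in this loop body should be the one cited so a later reader can locate the GC point. CharSplitHelper's body continues beyond the hunk on both sides.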