Added Rooting to avoid GC Hazards

leeN · leeN · commit a7a99fab0480 · 2025-03-25T11:34:36.000Z
Based on the GC Hazard analysis I fixed some of the dangerous code paths that was flagged.
diff --git a/js/src/builtin/Array.cpp b/js/src/builtin/Array.cpp
@@ -1376,7 +1376,7 @@ bool js::array_join(JSContext* cx, unsigned argc, Value* vp) {
   }
 
   // Step 8.
-  JSString* str = sb.finishString();
+  JS::Rooted<JSString*> str(cx, sb.finishString());
   if (!str) {
     return false;
   }
diff --git a/js/src/builtin/JSON.cpp b/js/src/builtin/JSON.cpp
@@ -2358,7 +2358,7 @@ bool json_stringify(JSContext* cx, unsigned argc, Value* vp) {
   // needs to support returning undefined. So this is a little awkward
   // for the API, because we want to support streaming writers.
   if (!sb.empty()) {
-    JSString* str = sb.finishString();
+    JS::Rooted<JSString*> str(cx, sb.finishString());
     if (!str) {
       return false;
     }
diff --git a/js/src/builtin/String.cpp b/js/src/builtin/String.cpp
@@ -526,7 +526,7 @@ static bool str_escape(JSContext* cx, unsigned argc, Value* vp) {
     return true;
   }
 
-  JSString* res = newChars.toString(cx, newLength);
+  JS::Rooted<JSString*> res(cx, newChars.toString(cx, newLength));
   if (!res) {
     return false;
   }
@@ -1969,7 +1969,7 @@ static bool str_normalize(JSContext* cx, unsigned argc, Value* vp) {
     form = NormalizationForm::NFC;
   } else {
     // Step 4.
-    JSLinearString* formStr = ArgToLinearString(cx, args, 0);
+    JS::Rooted<JSLinearString*> formStr(cx, ArgToLinearString(cx, args, 0));
     if (!formStr) {
       return false;
     }
@@ -3312,7 +3312,7 @@ static JSLinearString* TrimString(JSContext* cx, JSString* str, bool trimStart,
                &end);
   }
 
-  JSLinearString* result = NewDependentString(cx, linear, begin, end - begin);
+  JS::Rooted<JSLinearString*> result(cx, NewDependentString(cx, linear, begin, end - begin));
 
   // TaintFox: Add trim operation to current taint flow.
   // the acutal trimming of taint ranges has been done in
@@ -4293,7 +4293,7 @@ static ArrayObject* CharSplitHelper(JSContext* cx, Handle<JSLinearString*> str,
 
   for (size_t i = 0; i < resultlen; ++i) {
     // TaintFox: code modified to avoid atoms.
-    JSString* sub = NewDependentString(cx, str, i, 1);
+    JS::Rooted<JSString*> sub(cx, NewDependentString(cx, str, i, 1));
     // was:
     // JSString* sub = staticStrings.getUnitStringForElement(cx, str, i);
     if (!sub) {
diff --git a/js/src/jit/VMFunctions.cpp b/js/src/jit/VMFunctions.cpp
@@ -1357,7 +1357,7 @@ JSString* StringReplace(JSContext* cx, HandleString string,
   MOZ_ASSERT(pattern);
   MOZ_ASSERT(repl);
   // Foxhound: this will propagate the taint but not add the operation
-  JSString* str = str_replace_string_raw(cx, string, pattern, repl);
+  Rooted<JSString*> str(cx, str_replace_string_raw(cx, string, pattern, repl));
   if (str && str->taint().hasTaint()) {
     str->taint().extend(TaintOperationFromContext(cx, "replace", true, pattern, repl));
   }
diff --git a/js/src/jsapi.cpp b/js/src/jsapi.cpp
@@ -5014,7 +5014,7 @@ JS_ReportTaintSink(JSContext* cx, JS::HandleString str, const char* sink, JS::Ha
   // slot of the current global object.
   RootedFunction report(cx);
 
-  JSObject* global = cx->global();
+  JS::Rooted<JSObject*> global(cx, cx->global());
 
   RootedValue slot(cx, JS::GetReservedSlot(global, TAINT_REPORT_FUNCTION_SLOT));
   if (slot.isUndefined()) {
diff --git a/js/src/jstaint.cpp b/js/src/jstaint.cpp
@@ -504,7 +504,7 @@ void JS::PrintJsonTaint(JSContext* cx, JSString* str, HandleValue location, js::
 
   // Dump additional information from the taintreport
   if (location.isObject()) {
-    JSObject* obj = ToObject(cx, location);
+    JS::Rooted<JSObject*> obj(cx, ToObject(cx, location));
     PrintJsonObject(cx, obj, json);
   }
 

Original file line number	Diff line number	Diff line change
`@@ -1376,7 +1376,7 @@ bool js::array_join(JSContext* cx, unsigned argc, Value* vp) {`
`1376`	`1376`	`}`
`1377`	`1377`
`1378`	`1378`	`// Step 8.`
`1379`		`- JSString* str = sb.finishString();`
	`1379`	`+ JS::Rooted<JSString*> str(cx, sb.finishString());`
`1380`	`1380`	`if (!str) {`
`1381`	`1381`	`return false;`
`1382`	`1382`	`}`
Original file line number	Diff line number	Diff line change
`@@ -2358,7 +2358,7 @@ bool json_stringify(JSContext* cx, unsigned argc, Value* vp) {`
`2358`	`2358`	`// needs to support returning undefined. So this is a little awkward`
`2359`	`2359`	`// for the API, because we want to support streaming writers.`
`2360`	`2360`	`if (!sb.empty()) {`
`2361`		`- JSString* str = sb.finishString();`
	`2361`	`+ JS::Rooted<JSString*> str(cx, sb.finishString());`
`2362`	`2362`	`if (!str) {`
`2363`	`2363`	`return false;`
`2364`	`2364`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1357,7 +1357,7 @@ JSString* StringReplace(JSContext* cx, HandleString string,`
`1357`	`1357`	`MOZ_ASSERT(pattern);`
`1358`	`1358`	`MOZ_ASSERT(repl);`
`1359`	`1359`	`// Foxhound: this will propagate the taint but not add the operation`
`1360`		`- JSString* str = str_replace_string_raw(cx, string, pattern, repl);`
	`1360`	`+ Rooted<JSString*> str(cx, str_replace_string_raw(cx, string, pattern, repl));`
`1361`	`1361`	`if (str && str->taint().hasTaint()) {`
`1362`	`1362`	`str->taint().extend(TaintOperationFromContext(cx, "replace", true, pattern, repl));`
`1363`	`1363`	`}`
Original file line number	Diff line number	Diff line change
`@@ -504,7 +504,7 @@ void JS::PrintJsonTaint(JSContext* cx, JSString* str, HandleValue location, js::`
`504`	`504`
`505`	`505`	`// Dump additional information from the taintreport`
`506`	`506`	`if (location.isObject()) {`
`507`		`- JSObject* obj = ToObject(cx, location);`
	`507`	`+ JS::Rooted<JSObject*> obj(cx, ToObject(cx, location));`
`508`	`508`	`PrintJsonObject(cx, obj, json);`
`509`	`509`	`}`
`510`	`510`