SAP · leeN · Jun 10, 2025 · Jun 3, 2025 · Jun 3, 2025 · Jun 3, 2025
diff --git a/.github/workflows/clang-plugin.yml b/.github/workflows/clang-plugin.yml
@@ -0,0 +1,66 @@
+# Attempt to build the whole browser
+name: Build with clang-plugin
+
+# Controls when the workflow will run
+on:
+  # Triggers the workflow on push or pull request events but only for the main branch
+  push:
+    branches: [ main ]
+  pull_request:
+    branches: [ main ]
+
+  # Allows you to run this workflow manually from the Actions tab
+  workflow_dispatch:
+
+jobs:
+
+  # Test complete build on Ubuntu
+  ubuntu-build-clang-plugin:
+    runs-on: ubuntu-22.04
+
+    steps:
+      - name: Free Disk Space (Ubuntu)
+        uses: jlumbroso/free-disk-space@main
+        with:
+          tool-cache: true
+          android: true
+          dotnet: true
+          haskell: true
+          large-packages: true
+          docker-images: true
+          swap-storage: true
+
+      - name: Install Dependencies
+        run: |
+          df -h
+          sudo apt-get update
+          sudo apt-get install -y   \
+               curl                 \
+               python3              \
+               python3-pip          \
+               python3-venv         \
+               tar                  \
+               zip                  \
+               unzip                \
+               git
+          sudo apt-get install -y --no-install-recommends ffmpeg libasound2 libatk1.0-0 libcairo-gobject2 libcairo2 libdbus-1-3 libdbus-glib-1-2 libfontconfig1 libfreetype6 libgdk-pixbuf-2.0-0 libglib2.0-0 libgtk-3-0 libpango-1.0-0 libpangocairo-1.0-0 libx11-6 libx11-xcb1 libxcb-shm0 libxcb1 libxcomposite1 libxcursor1 libxdamage1 libxext6 libxfixes3 libxi6 libxrandr2 libxrender1 libxtst6 xvfb fonts-noto-color-emoji fonts-unifont xfonts-cyrillic xfonts-scalable fonts-liberation fonts-ipafont-gothic fonts-wqy-zenhei fonts-tlwg-loma-otf fonts-freefont-ttf
+          python3 -m pip install setuptools
+
+      - name: Checkout release branch
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 1
+
+      - name: Dry Run
+        run: |
+          cp taintfox_mozconfig_ubuntu_clang_plugin .mozconfig
+          bash build.sh -p -n
+
+      - name: Bootstrap
+        run: |
+          df -h
+          bash build.sh -u -v
+
+      - name: Build
+        run: |
+          bash build.sh -s -v
diff --git a/dom/base/nsINode.cpp b/dom/base/nsINode.cpp
@@ -990,7 +990,7 @@ void nsINode::Normalize() {
           "mutation events messed us up");
       if (!hasRemoveListeners || (target && target->NodeType() == TEXT_NODE)) {
         nsTextNode* t = static_cast<nsTextNode*>(target);
-        SafeStringTaint taint = text->Taint();
+        SafeStringTaint taint(text->Taint());
         if (text->Is2b()) {
           t->AppendTextForNormalize(text->Get2b(), text->GetLength(), taint, true,
                                     node);

diff --git a/dom/events/MessageEvent.cpp b/dom/events/MessageEvent.cpp
@@ -65,6 +65,7 @@ void MessageEvent::GetData(JSContext* aCx, JS::MutableHandle<JS::Value> aData,
 
   if (!JS_WrapValue(aCx, aData)) {
     aRv.Throw(NS_ERROR_FAILURE);
+    return;
   }
 
   // Foxhound: MessageEvent source

diff --git a/dom/html/HTMLScriptElement.cpp b/dom/html/HTMLScriptElement.cpp
@@ -165,6 +165,7 @@ void HTMLScriptElement::GetInnerHTML(nsAString& aInnerHTML,
                                      OOMReporter& aError) {
   if (!nsContentUtils::GetNodeTextContent(this, false, aInnerHTML, fallible)) {
     aError.ReportOOM();
+    return;
   }
   // Foxhound: script.innerHTML source
   MarkTaintSourceElement(aInnerHTML, "script.innerHTML", this);

diff --git a/dom/tainting/nsTaintingUtils.cpp b/dom/tainting/nsTaintingUtils.cpp
@@ -61,7 +61,7 @@ static TaintOperation GetTaintOperation(JSContext *cx, const char* name)
 static TaintOperation GetTaintOperation(JSContext *cx, const char* name, const nsAString& arg)
 {
   if (cx && JS::CurrentGlobalOrNull(cx)) {
-    JS::RootedValue argval(cx);
+    JS::Rooted<JS::Value> argval(cx);
     if (mozilla::dom::ToJSValue(cx, arg, &argval)) {
       return JS_GetTaintOperationFullArgs(cx, name, argval);
     }
@@ -73,7 +73,7 @@ static TaintOperation GetTaintOperation(JSContext *cx, const char* name, const n
 static TaintOperation GetTaintOperation(JSContext *cx, const char* name, const nsTArray<nsString> &args)
 {
   if (cx && JS::CurrentGlobalOrNull(cx)) {
-    JS::RootedValue argval(cx);
+    JS::Rooted<JS::Value> argval(cx);
 
     if (mozilla::dom::ToJSValue(cx, args, &argval)) {
       return JS_GetTaintOperationFullArgs(cx, name, argval);
@@ -86,7 +86,7 @@ static TaintOperation GetTaintOperation(JSContext *cx, const char* name, const n
 static TaintOperation GetTaintOperation(JSContext *cx, const char* name, const nsTArray<nsCString> &args)
 {
   if (cx && JS::CurrentGlobalOrNull(cx)) {
-    JS::RootedValue argval(cx);
+    JS::Rooted<JS::Value> argval(cx);
 
     if (mozilla::dom::ToJSValue(cx, args, &argval)) {
       return JS_GetTaintOperationFullArgs(cx, name, argval);
@@ -445,11 +445,11 @@ nsresult ReportTaintSink(JSContext *cx, const nsAString &str, const char* name,
     return NS_OK;
   }
 
-  JS::RootedValue argval(cx);
+  JS::Rooted<JS::Value> argval(cx);
   if (!mozilla::dom::ToJSValue(cx, arg, &argval))
     return NS_ERROR_FAILURE;
 
-  JS::RootedValue strval(cx);
+  JS::Rooted<JS::Value> strval(cx);
   if (!mozilla::dom::ToJSValue(cx, str, &strval))
     return NS_ERROR_FAILURE;
 
@@ -476,7 +476,7 @@ nsresult ReportTaintSink(JSContext *cx, const nsAString &str, const char* name)
     return NS_OK;
   }
 
-  JS::RootedValue strval(cx);
+  JS::Rooted<JS::Value> strval(cx);
   if (!mozilla::dom::ToJSValue(cx, str, &strval)) {
     return NS_ERROR_FAILURE;
   }
@@ -504,7 +504,7 @@ nsresult ReportTaintSink(JSContext *cx, const nsACString &str, const char* name)
     return NS_OK;
   }
 
-  JS::RootedValue strval(cx);
+  JS::Rooted<JS::Value> strval(cx);
   if (!mozilla::dom::ToJSValue(cx, str, &strval)) {
     return NS_ERROR_FAILURE;
   }

diff --git a/dom/url/URLSearchParams.cpp b/dom/url/URLSearchParams.cpp
@@ -157,7 +157,7 @@ void URLSearchParams::Serialize(nsACString& aValue) const {
 void URLSearchParams::Stringify(nsAString& aValue) const {
   nsAutoCString serialized;
   mParams->Serialize(serialized, true);
-  SafeStringTaint taint = serialized.Taint();
+  SafeStringTaint taint(serialized.Taint());
   CopyUTF8toUTF16(serialized, aValue);
   aValue.AssignTaint(taint);
 }

diff --git a/js/src/builtin/String.cpp b/js/src/builtin/String.cpp
@@ -677,7 +677,7 @@ static bool str_unescape(JSContext* cx, unsigned argc, Value* vp) {
   }
 
   // Save operation to avoid GC issues
-  SafeStringTaint taint = str->taint();
+  SafeStringTaint taint(str->taint());
   TaintOperation op = TaintOperationFromContext(cx, "unescape", true, str);
 
   // Steps 2, 4-5.
@@ -1216,7 +1216,7 @@ static JSString* ToLowerCase(JSContext* cx, JSLinearString* str) {
 
   InlineCharBuffer<CharT> newChars;
   // Foxhound: cache the taint up here to prevent GC issues
-  SafeStringTaint taint = str->taint();
+  SafeStringTaint taint(str->taint());
   if (taint.hasTaint()) {
     taint.extend(TaintOperationFromContextJSString(cx, "toLowerCase", true, str));
   }
@@ -1630,7 +1630,7 @@ static JSString* ToUpperCase(JSContext* cx, JSLinearString* str) {
   using TwoByteBuffer = InlineCharBuffer<char16_t>;
 
   mozilla::MaybeOneOf<Latin1Buffer, TwoByteBuffer> newChars;
-  SafeStringTaint taint = str->taint();
+  SafeStringTaint taint(str->taint());
   if (taint.hasTaint()) {
     taint.extend(TaintOperationFromContextJSString(cx, "toUpperCase", true, str));
   }
@@ -5100,7 +5100,7 @@ static MOZ_ALWAYS_INLINE bool Encode(JSContext* cx, Handle<JSLinearString*> str,
   }
 
   // Foxhound: Add encode operation to output taint.
-  SafeStringTaint taint = sb.empty() ? str->taint() : sb.taint();
+  SafeStringTaint taint(sb.empty() ? str->taint() : sb.taint());
   if(taint.hasTaint()) {
     if (unescapedSet == js_isUriReservedPlusPound) {
       taint.extend(TaintOperationFromContext(cx, "encodeURI", true, str));
@@ -5266,7 +5266,7 @@ static bool Decode(JSContext* cx, Handle<JSLinearString*> str,
   }
 
   // Foxhound: Add decode operation to output taint.
-  SafeStringTaint taint = sb.empty() ? str->taint() : sb.taint();
+  SafeStringTaint taint(sb.empty() ? str->taint() : sb.taint());
   if(taint.hasTaint()) {
     if(reservedSet == js_isUriReservedPlusPound) {
       taint.extend(TaintOperationFromContext(cx, "decodeURI", true, str));

diff --git a/js/src/shell/js.cpp b/js/src/shell/js.cpp
@@ -1673,7 +1673,7 @@ static bool AddIntlExtras(JSContext* cx, unsigned argc, Value* vp) {
 
 static bool
 PrintTaintedString(JSContext* cx, RootedValue *result) {
-    SafeStringTaint taint = result->toString()->taint();
+    SafeStringTaint taint(result->toString()->taint());
 
     RootedString str(cx);
     str = JS_ValueToSource(cx, *result);

diff --git a/js/src/vm/Compartment.cpp b/js/src/vm/Compartment.cpp
@@ -107,7 +107,7 @@ JSString* js::CopyStringPure(JSContext* cx, JSString* str) {
 
   size_t len = str->length();
   // Foxhound: Copy taint up here to avoid GC problems later
-  SafeStringTaint taint = str->Taint();
+  SafeStringTaint taint(str->Taint());
   JSString* copy;
   if (str->isLinear()) {
     // If the string has a refcounted StringBuffer, we can share it.

diff --git a/js/src/vm/SelfHosting.cpp b/js/src/vm/SelfHosting.cpp
@@ -1781,10 +1781,12 @@ taint_addTaintOperation(JSContext* cx, unsigned argc, Value* vp)
             if (!argStr) {
                 taint_args.push_back(taintarg(cx, u""));
             } else {
-                taint_args.push_back(taintarg(cx, RootedString(cx, argStr)));
+                RootedString rs(cx, argStr);
+                taint_args.push_back(taintarg(cx, rs));
             }
         } else {
-            taint_args.push_back(taintarg(cx, RootedString(cx, argStr)));
+            RootedString rs(cx, argStr);
+            taint_args.push_back(taintarg(cx, rs));
         }
     }
 
@@ -1829,10 +1831,12 @@ taint_addTaintOperation_native_full(JSContext* cx, unsigned argc, Value* vp)
             if (!argStr) {
                 taint_args.push_back(taintarg(cx, u""));
             } else {
-                taint_args.push_back(taintarg_full(cx, RootedString(cx, argStr)));
+                RootedString rs(cx, argStr);
+                taint_args.push_back(taintarg_full(cx, rs));
             }
         } else {
-            taint_args.push_back(taintarg_full(cx, RootedString(cx, argStr)));
+            RootedString rs(cx, argStr);
+            taint_args.push_back(taintarg_full(cx, rs));
         }
     }
 
@@ -1877,10 +1881,12 @@ taint_addTaintOperation_native(JSContext* cx, unsigned argc, Value* vp)
             if (!argStr) {
                 taint_args.push_back(taintarg(cx, u""));
             } else {
-                taint_args.push_back(taintarg(cx, RootedString(cx, argStr)));
+                RootedString rs(cx, argStr);
+                taint_args.push_back(taintarg(cx, rs));
             }
         } else {
-            taint_args.push_back(taintarg(cx, RootedString(cx, argStr)));
+            RootedString rs(cx, argStr);
+            taint_args.push_back(taintarg(cx, rs));
         }
     }
-Original file line number
+Diff line change
@@ Expand Up @@
       if (!JS_WrapValue(aCx, aData)) {
         aRv.Throw(NS_ERROR_FAILURE);
+        return;
       }
       // Foxhound: MessageEvent source
@@ Expand Down @@