
Tab Crashing Fixes #203

Merged
merged 3 commits into from
Feb 23, 2024
2 changes: 1 addition & 1 deletion dom/base/Element.cpp
Expand Up @@ -5055,7 +5055,7 @@ void Element::TaintSelectorOperation(const char* operation, const nsAString& aEl
// Here we want to save a list of all selector operations performed on the element

// Check if there is a direct flow
const StringTaint aTaint = aElementId.Taint();
const StringTaint& aTaint = aElementId.Taint();
TaintFlow flow;
if (aTaint.hasTaint()) {
// Take the first range
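Review bot: Changing `aTaint` to a `const StringTaint&` only removes a copy if `aElementId.Taint()` returns a reference; if it returns by value the temporary is lifetime-extended and the line is behaviourally a no-op, so the return type should be confirmed before this is relied on as part of the crash fix. If it does return a reference into `aElementId`, the alias stays valid only while `aElementId` is not modified for the remainder of `TaintSelectorOperation`, which continues past this hunk. Separately, `aTaint` is a local, while the surrounding code uses the `a` prefix for parameters (`aElementId`); `const StringTaint& taint = aElementId.Taint();` would read more honestly.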
12 changes: 7 additions & 5 deletions js/src/vm/JSONParser.cpp
Expand Up @@ -690,7 +690,7 @@ JSString* JSONFullParseHandlerAnyChar::CurrentJsonPath(const Vector<StackEntry,
}
}
}
return builder.finishString();
return builder.finishString(gc::Heap::Tenured);
}

inline void JSONFullParseHandlerAnyChar::setNumberValue(double d) {
Expand All @@ -717,8 +717,9 @@ inline bool JSONFullParseHandler<CharT>::setStringValue(CharPtr start,
// TaintFox: propagate taint.
if (ST != JSONStringType::PropertyName && taint.hasTaint()) {
str->setTaint(cx, taint);
TaintOperation op = parser ?
TaintOperationFromContextJSString(cx, "JSON.parse", true, parser->CurrentJsonPath()) :
JSString* jsonPath = parser ? parser->CurrentJsonPath() : nullptr;
TaintOperation op = jsonPath ?
TaintOperationFromContextJSString(cx, "JSON.parse", true, jsonPath) :
TaintOperationFromContext(cx, "JSON.parse", true);
str->taint().extend(op);
}
Expand All @@ -744,8 +745,9 @@ inline bool JSONFullParseHandler<CharT>::setStringValue(

// TaintFox: Add taint operation.
if (str->taint().hasTaint()) {
TaintOperation op = parser ?
TaintOperationFromContextJSString(cx, "JSON.parse", true, parser->CurrentJsonPath()) :
JSString* jsonPath = parser ? parser->CurrentJsonPath() : nullptr;
TaintOperation op = jsonPath ?
TaintOperationFromContextJSString(cx, "JSON.parse", true, jsonPath) :
TaintOperationFromContext(cx, "JSON.parse", true);
str->taint().extend(op);
}
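Review bot: The four-line `jsonPath` / `TaintOperation op` block is now duplicated verbatim in both `setStringValue` hunks, so a small static helper taking `cx` and `parser` would keep the two fallbacks from drifting apart. The `jsonPath ? … : …` fallback also silently absorbs a null from `CurrentJsonPath()`; if that null comes from an allocation failure it may leave a pending exception on `cx` that the taint path then ignores, which is worth confirming and either propagating or clearing explicitly. The switch to `builder.finishString(gc::Heap::Tenured)` in the first hunk reads as a GC-lifetime workaround for a `JSString*` held outside normal tracing, but nothing says so; if that is the reason, a one-line comment such as `// Tenured: the path string is held by a TaintOperation across a possible minor GC.` would record it for the next reader.
```cpp
// TaintFox: build the JSON.parse taint operation, attaching the current JSON
// path when the parser can provide one.
template <typename Parser>
static TaintOperation JsonParseTaintOperation(JSContext* cx, Parser* parser) {
  JSString* jsonPath = parser ? parser->CurrentJsonPath() : nullptr;
  return jsonPath ? TaintOperationFromContextJSString(cx, "JSON.parse", true, jsonPath)
                  : TaintOperationFromContext(cx, "JSON.parse", true);
}
// … unchanged: both setStringValue bodies then call
//   str->taint().extend(JsonParseTaintOperation(cx, parser));
```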
10 changes: 5 additions & 5 deletions js/src/vm/StringType.cpp
Expand Up @@ -254,7 +254,7 @@ mozilla::Maybe<std::tuple<size_t, size_t> > JSString::encodeUTF8Partial(
return mozilla::Some(std::make_tuple(totalRead, totalWritten));
}

#if defined(DEBUG) || defined(JS_JITSPEW) || defined(JS_CACHEIR_SPEW)
#if defined(DEBUG) || defined(JS_JITSPEW) || defined(JS_CACHEIR_SPEW) || defined(TAINT_DEBUG)

template <typename CharT>
/*static */
Expand Down Expand Up @@ -556,7 +556,7 @@ bool JSRope::hash(uint32_t* outHash) const {
return true;
}

#if defined(DEBUG) || defined(JS_JITSPEW) || defined(JS_CACHEIR_SPEW)
#if defined(DEBUG) || defined(JS_JITSPEW) || defined(JS_CACHEIR_SPEW) || defined(TAINT_DEBUG)
void JSRope::dumpRepresentation(js::GenericPrinter& out, int indent) const {
dumpRepresentationHeader(out, "JSRope");
indent += 2;
Expand Down Expand Up @@ -1067,7 +1067,7 @@ static inline void FillFromCompatible(unsigned char* dest, const char16_t* src,
AsWritableChars(Span(dest, length)));
}

#if defined(DEBUG) || defined(JS_JITSPEW) || defined(JS_CACHEIR_SPEW)
#if defined(DEBUG) || defined(JS_JITSPEW) || defined(JS_CACHEIR_SPEW) || defined(TAINT_DEBUG)
void JSDependentString::dumpRepresentation(js::GenericPrinter& out,
int indent) const {
dumpRepresentationHeader(out, "JSDependentString");
Expand Down Expand Up @@ -1512,7 +1512,7 @@ bool JS::SourceText<char16_t>::initMaybeBorrowed(
return initImpl(fc, chars, length, taint, ownership);
}

#if defined(DEBUG) || defined(JS_JITSPEW) || defined(JS_CACHEIR_SPEW)
#if defined(DEBUG) || defined(JS_JITSPEW) || defined(JS_CACHEIR_SPEW) || defined(TAINT_DEBUG)
void JSAtom::dump(js::GenericPrinter& out) {
out.printf("JSAtom* (%p) = ", (void*)this);
this->JSString::dump(out);
Expand Down Expand Up @@ -1972,7 +1972,7 @@ JSString* NewMaybeExternalString(JSContext* cx, const char16_t* s, size_t n,

} /* namespace js */

#if defined(DEBUG) || defined(JS_JITSPEW) || defined(JS_CACHEIR_SPEW)
#if defined(DEBUG) || defined(JS_JITSPEW) || defined(JS_CACHEIR_SPEW) || defined(TAINT_DEBUG)
void JSExtensibleString::dumpRepresentation(js::GenericPrinter& out,
int indent) const {
dumpRepresentationHeader(out, "JSExtensibleString");
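Review bot: The guard `#if defined(DEBUG) || defined(JS_JITSPEW) || defined(JS_CACHEIR_SPEW) || defined(TAINT_DEBUG)` is now repeated five times in this file and eight more times in js/src/vm/StringType.h, and each declaration and definition pair must agree exactly or a `TAINT_DEBUG` build fails at link time with undefined dump symbols; defining the condition once in StringType.h (say `JS_STRING_DUMP_ENABLED`, a name constructed here) and using that macro at every site would keep them in sync. Note also that these dump routines print raw heap addresses (`out.printf("JSAtom* (%p) = ", (void*)this)` in `JSAtom::dump`), so `TAINT_DEBUG` should remain a local-diagnostics-only define and never be enabled on builds whose output is shipped or whose logs are collected, since it exposes heap layout that address-space randomisation is meant to hide.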
16 changes: 8 additions & 8 deletions js/src/vm/StringType.h
Expand Up @@ -726,7 +726,7 @@ class JSString : public js::gc::CellWithLengthAndFlags {
return kind;
}

#if defined(DEBUG) || defined(JS_JITSPEW) || defined(JS_CACHEIR_SPEW)
#if defined(DEBUG) || defined(JS_JITSPEW) || defined(JS_CACHEIR_SPEW) || defined(TAINT_DEBUG)
void dump(); // Debugger-friendly stderr dump.
void dump(js::GenericPrinter& out);
void dumpNoNewline(js::GenericPrinter& out);
Expand Down Expand Up @@ -834,7 +834,7 @@ class JSRope : public JSString {

void traceChildren(JSTracer* trc);

#if defined(DEBUG) || defined(JS_JITSPEW) || defined(JS_CACHEIR_SPEW)
#if defined(DEBUG) || defined(JS_JITSPEW) || defined(JS_CACHEIR_SPEW) || defined(TAINT_DEBUG)
void dumpRepresentation(js::GenericPrinter& out, int indent) const;
#endif

Expand Down Expand Up @@ -1011,7 +1011,7 @@ class JSLinearString : public JSString {
inline void finalize(JS::GCContext* gcx);
inline size_t allocSize() const;

#if defined(DEBUG) || defined(JS_JITSPEW) || defined(JS_CACHEIR_SPEW)
#if defined(DEBUG) || defined(JS_JITSPEW) || defined(JS_CACHEIR_SPEW) || defined(TAINT_DEBUG)
void dumpRepresentationChars(js::GenericPrinter& out, int indent) const;
void dumpRepresentation(js::GenericPrinter& out, int indent) const;
#endif
Expand Down Expand Up @@ -1063,7 +1063,7 @@ class JSDependentString : public JSLinearString {
setNonInlineChars(chars + offset);
}

#if defined(DEBUG) || defined(JS_JITSPEW) || defined(JS_CACHEIR_SPEW)
#if defined(DEBUG) || defined(JS_JITSPEW) || defined(JS_CACHEIR_SPEW) || defined(TAINT_DEBUG)
void dumpRepresentation(js::GenericPrinter& out, int indent) const;
#endif

Expand Down Expand Up @@ -1092,7 +1092,7 @@ class JSExtensibleString : public JSLinearString {
return d.s.u3.capacity;
}

#if defined(DEBUG) || defined(JS_JITSPEW) || defined(JS_CACHEIR_SPEW)
#if defined(DEBUG) || defined(JS_JITSPEW) || defined(JS_CACHEIR_SPEW) || defined(TAINT_DEBUG)
void dumpRepresentation(js::GenericPrinter& out, int indent) const;
#endif
};
Expand All @@ -1119,7 +1119,7 @@ class JSInlineString : public JSLinearString {
template <typename CharT>
static bool lengthFits(size_t length);

#if defined(DEBUG) || defined(JS_JITSPEW) || defined(JS_CACHEIR_SPEW)
#if defined(DEBUG) || defined(JS_JITSPEW) || defined(JS_CACHEIR_SPEW) || defined(TAINT_DEBUG)
void dumpRepresentation(js::GenericPrinter& out, int indent) const;
#endif

Expand Down Expand Up @@ -1252,7 +1252,7 @@ class JSExternalString : public JSLinearString {
// kind.
inline void finalize(JS::GCContext* gcx);

#if defined(DEBUG) || defined(JS_JITSPEW) || defined(JS_CACHEIR_SPEW)
#if defined(DEBUG) || defined(JS_JITSPEW) || defined(JS_CACHEIR_SPEW) || defined(TAINT_DEBUG)
void dumpRepresentation(js::GenericPrinter& out, int indent) const;
#endif
};
Expand Down Expand Up @@ -1316,7 +1316,7 @@ class JSAtom : public JSLinearString {
inline js::HashNumber hash() const;
inline void initHash(js::HashNumber hash);

#if defined(DEBUG) || defined(JS_JITSPEW) || defined(JS_CACHEIR_SPEW)
#if defined(DEBUG) || defined(JS_JITSPEW) || defined(JS_CACHEIR_SPEW) || defined(TAINT_DEBUG)
void dump(js::GenericPrinter& out);
void dump();
#endif
4 changes: 2 additions & 2 deletions parser/html/nsHtml5StreamParser.cpp
Expand Up @@ -1642,7 +1642,7 @@ nsresult nsHtml5StreamParser::OnDataAvailable(nsIRequest* aRequest,
return mExecutor->MarkAsBroken(NS_ERROR_OUT_OF_MEMORY);
}
Buffer<uint8_t> data(std::move(*maybe));
StringTaint taint;
SafeStringTaint taint;
if (taintInputStream) {
rv = taintInputStream->TaintedRead(reinterpret_cast<char*>(data.Elements()),
data.Length(), &taint, &totalRead);
Expand Down Expand Up @@ -1684,7 +1684,7 @@ nsresult nsHtml5StreamParser::OnDataAvailable(nsIRequest* aRequest,
return NS_ERROR_OUT_OF_MEMORY;
}
Buffer<uint8_t> data(std::move(*maybe));
StringTaint taint;
SafeStringTaint taint;

if (taintInputStream) {
rv = taintInputStream->TaintedRead(reinterpret_cast<char*>(data.Elements()),
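Review bot: Nothing in either hunk records why `SafeStringTaint` is required where `StringTaint` crashed, and the same silent type switch is made to the `taint` member in parser/html/nsHtml5UTF16Buffer.h; a comment at the first declaration such as `// SafeStringTaint: owns its taint data, since it outlives the read that filled it` would capture the invariant — if that is indeed the distinction, which the hunk does not show. Both locals are then passed as `&taint` to `taintInputStream->TaintedRead(...)`, so that parameter's pointer type must accept a `SafeStringTaint*`; if it is declared as `StringTaint*` and the conversion relies on inheritance, the callee could still retain a plain `StringTaint` view of the object, which is worth checking against the declaration. `OnDataAvailable` continues outside both hunks.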
1 change: 1 addition & 0 deletions parser/html/nsHtml5TreeBuilder.cpp
Expand Up @@ -146,6 +146,7 @@ void nsHtml5TreeBuilder::startTokenization(nsHtml5Tokenizer* self) {
charBufferLen = 0;
charBuffer = nullptr;
framesetOk = true;
charTaint.clear();
if (fragment) {
nsIContentHandle* elt;
if (contextNode) {
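Review bot: `charTaint.clear()` is added next to the `charBuffer` / `charBufferLen` reset, which is the right place, but the coupling is implicit: any other site that resets or reassigns `charBuffer` without clearing `charTaint` would keep stale taint ranges whose offsets no longer correspond to the buffer, which is the kind of state a later index into the taint could trip over. A comment such as `// charTaint describes charBuffer; reset them together.` would make the invariant explicit, and the other reset paths (not visible in this hunk) are worth auditing for the same pairing. `startTokenization` continues past the hunk.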
2 changes: 1 addition & 1 deletion parser/html/nsHtml5UTF16Buffer.h
Expand Up @@ -59,7 +59,7 @@ class nsHtml5Portability;
class nsHtml5UTF16Buffer {
private:
char16_t* buffer;
StringTaint taint;
SafeStringTaint taint;
int32_t start;
int32_t end;
