guix/gnu/packages/patches/icecat-CVE-2015-0836-pt-04.patch

90 lines
3.1 KiB
Diff
Raw Normal View History

From 97ba04bf95606b409b1b3035504a41c274ecffe2 Mon Sep 17 00:00:00 2001
From: Shu-yu Guo <shu@rfrn.org>
Date: Mon, 26 Jan 2015 18:26:25 -0800
Subject: [PATCH] Bug 1119579 - Don't GC while iterating compartments in
findAllGlobals. r=sfink, a=abillings
---
js/src/vm/Debugger.cpp | 56 ++++++++++++++++++++++++++++++--------------------
1 file changed, 34 insertions(+), 22 deletions(-)
diff --git a/js/src/vm/Debugger.cpp b/js/src/vm/Debugger.cpp
index 27e993d..a8decef 100644
--- a/js/src/vm/Debugger.cpp
+++ b/js/src/vm/Debugger.cpp
@@ -2825,37 +2825,49 @@ Debugger::findAllGlobals(JSContext *cx, unsigned argc, Value *vp)
{
THIS_DEBUGGER(cx, argc, vp, "findAllGlobals", args, dbg);
- RootedObject result(cx, NewDenseEmptyArray(cx));
- if (!result)
- return false;
+ AutoObjectVector globals(cx);
- for (CompartmentsIter c(cx->runtime(), SkipAtoms); !c.done(); c.next()) {
- if (c->options().invisibleToDebugger())
- continue;
+ {
+ // Accumulate the list of globals before wrapping them, because
+ // wrapping can GC and collect compartments from under us, while
+ // iterating.
- c->zone()->scheduledForDestruction = false;
+ for (CompartmentsIter c(cx->runtime(), SkipAtoms); !c.done(); c.next()) {
+ if (c->options().invisibleToDebugger())
+ continue;
- GlobalObject *global = c->maybeGlobal();
+ c->zone()->scheduledForDestruction = false;
- if (cx->runtime()->isSelfHostingGlobal(global))
- continue;
+ GlobalObject *global = c->maybeGlobal();
- if (global) {
- /*
- * We pulled |global| out of nowhere, so it's possible that it was
- * marked gray by XPConnect. Since we're now exposing it to JS code,
- * we need to mark it black.
- */
- JS::ExposeGCThingToActiveJS(global, JSTRACE_OBJECT);
+ if (cx->runtime()->isSelfHostingGlobal(global))
+ continue;
- RootedValue globalValue(cx, ObjectValue(*global));
- if (!dbg->wrapDebuggeeValue(cx, &globalValue))
- return false;
- if (!NewbornArrayPush(cx, result, globalValue))
- return false;
+ if (global) {
+ /*
+ * We pulled |global| out of nowhere, so it's possible that it was
+ * marked gray by XPConnect. Since we're now exposing it to JS code,
+ * we need to mark it black.
+ */
+ JS::ExposeGCThingToActiveJS(global, JSTRACE_OBJECT);
+ if (!globals.append(global))
+ return false;
+ }
}
}
+ RootedObject result(cx, NewDenseEmptyArray(cx));
+ if (!result)
+ return false;
+
+ for (size_t i = 0; i < globals.length(); i++) {
+ RootedValue globalValue(cx, ObjectValue(*globals[i]));
+ if (!dbg->wrapDebuggeeValue(cx, &globalValue))
+ return false;
+ if (!NewbornArrayPush(cx, result, globalValue))
+ return false;
+ }
+
args.rval().setObject(*result);
return true;
}
--
2.2.1