Attachment #8956500: heap write analysis: whitelist GetAutoArrayBuffer, which returns a pointer into |this| for bug #1442804


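--- a/js/src/devtools/rootAnalysis/analyzeHeapWrites.js
+++ b/js/src/devtools/rootAnalysis/analyzeHeapWrites.js
@@ -1194,16 +1194,26 @@ function expressionValueEdge(exp)
         return null;
     const assign = singleAssignment(variableName(exp.Variable));
     if (!assign)
         return null;
     const [body, edge] = assign;
     return edge;
 }
 
+// Examples:
+//
+//   void foo(type* aSafe) {
+//     type* safeBecauseNew = new type(...);
+//     type* unsafeBecauseMultipleAssignments = new type(...);
+//     if (rand())
+//       unsafeBecauseMultipleAssignments = bar();
+//     type* safeBecauseSingleAssignmentOfSafe = aSafe;
+//   }
+//
 function isSafeVariable(entry, variable)
 {
     var index = safeArgumentIndex(variable);
     if (index >= 0)
         return entry.isSafeArgument(index);
 
     if (variable.Kind != "Temp" && variable.Kind != "Local")
         return false;
@@ -1240,17 +1250,18 @@ function isSafeLocalVariable(entry, name
             return true;
         }
 
         if ("PEdgeCallInstance" in edge) {
             // References to the contents of an array are threadsafe if the array
             // itself is threadsafe.
             if ((isDirectCall(edge, /operator\[\]/) ||
                  isDirectCall(edge, /nsTArray.*?::InsertElementAt\b/) ||
-                 isDirectCall(edge, /nsStyleContent::ContentAt/)) &&
+                 isDirectCall(edge, /nsStyleContent::ContentAt/) ||
+                 isDirectCall(edge, /nsTArray_base.*?::GetAutoArrayBuffer\b/)) &&
                 isEdgeSafeArgument(entry, edge.PEdgeCallInstance.Exp))
             {
                 return true;
             }
 
             // Watch for the coerced result of a getter_AddRefs or getter_Copies call.
             if (isDirectCall(edge, /operator /)) {
                 var otherEdge = expressionValueEdge(edge.PEdgeCallInstance.Exp);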
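Review bot: The new `GetAutoArrayBuffer` whitelist entry in the second hunk carries no justification in the code; the comment above the condition still only says that array contents are safe when the array is, and the reason this accessor qualifies (it returns a pointer into |this|, per the attachment title) lives only in the commit message. Each entry in this list widens what the heap-write analysis accepts as thread-safe, so a one-line comment beside the regex would let a later reader judge the entry without consulting the bug: `// GetAutoArrayBuffer returns a pointer into |this|, so it is as safe as the array it is called on.` The `.*?` and trailing `\b` mirror the existing InsertElementAt pattern, so a longer accessor name sharing this prefix would not match, which appears intended and is worth stating in that comment. The enclosing function isSafeLocalVariable begins and ends outside this hunk.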
