Fix unsafe Heap constructor usage in DOM objects #16500
highfive commented Apr 17, 2017

Heads up! This PR modifies the following files:

highfive commented Apr 17, 2017

cc @jdm

This is making me think we need to design the API to deal with servo/rust-mozjs#343 properly rather than implement lots of point fixes!
| origin: origin, | ||
| lastEventId: lastEventId, | ||
| }; | ||
| let ev = reflect_dom_object(ev, global, ExtendableMessageEventBinding::Wrap); | ||
| let root = reflect_dom_object(ev, global, ExtendableMessageEventBinding::Wrap); |
| @@ -75,27 +74,27 @@ impl Gamepad { | |||
| state: &WebVRGamepadState) -> Root<Gamepad> { | |||
| let buttons = GamepadButtonList::new_from_vr(&global, &state.buttons); | |||
| let pose = VRPose::new(&global, &state.pose); | |||
|
|
|||
| let root = reflect_dom_object(box Gamepad::new_inherited(state.gamepad_id, | |||
| let _ = Float64Array::create(cx, | ||
| CreateWith::Slice(&state.axes), | ||
| axes.handle_mut()); | ||
| let _ = Float64Array::create(cx, CreateWith::Slice(&state.axes), array.handle_mut()); |
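Review bot: The `let _ =` in front of `Float64Array::create(cx, CreateWith::Slice(&state.axes), array.handle_mut())` throws away the call's return value, so a failed array creation passes silently and `array` keeps whatever it held before the call. Check the return value, or at least assert that `array` is non-null, before `array` is used any further.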
asajeffrey (Member) commented Apr 17, 2017
Is there a way to have Float64Array::create allocate directly into root.axes rather than into a dummy variable? @jdm?
jdm (Member) commented May 2, 2017
There is Heap::handle_mut, which would avoid the need for a local stack root: http://doc.servo.org/js/jsapi/struct.Heap.html#method.handle_mut
| origin: origin, | ||
| lastEventId: lastEventId, | ||
| }; | ||
| reflect_dom_object(ev, global, MessageEventBinding::Wrap) | ||
| let root = reflect_dom_object(ev, global, MessageEventBinding::Wrap); |
| let cx = global.get_cx(); | ||
| rooted!(in (cx) let mut array = ptr::null_mut()); | ||
| unsafe { | ||
| let _ = Float32Array::create(cx, CreateWith::Slice(¶meters.offset), array.handle_mut()); |
| fn create_typed_array(cx: *mut JSContext, src: &[f32], dst: &Heap<*mut JSObject>) { | ||
| unsafe { | ||
| rooted!(in (cx) let mut array = ptr::null_mut()); | ||
| let _ = Float32Array::create(cx, CreateWith::Slice(src), array.handle_mut()); |
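Review bot: `create_typed_array` is declared as a safe `fn`, yet it takes a raw `*mut JSContext` and does its work inside an `unsafe` block, so nothing at the call site signals the invariants the caller has to uphold. Consider making it an `unsafe fn`, or adding a doc comment that states what `cx` and `dst` must satisfy, such as where `dst` must already live when the call is made.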
| unsafe { | ||
| let _ = Float32Array::create(cx, | ||
| CreateWith::Slice(¶meters.sitting_to_standing_transform), | ||
| array.handle_mut()); |
All I've got so far is removing the constructor that accepts an argument. I have not been able to figure out any meaningful API change that can prevent problems like this.

Is there anything clever we can do with destination-passing style to avoid moving heap objects? I vaguely remember talking to @pnkfelix about this, in a different context.

Hi, any news/ideas about fixing the Heap constructor API? @jdm we were waiting for this response to continue the PR review:

Well, the remaining fixes aren't vital, we could land the PR without them. You can fix the build failure (the unit tests need updating) and then r=me. (@jdm speak up if you are unhappy about this!)

The unit test problems are unrelated to this PR and are being fixed in #16655.

@asajeffrey PR updated allocating directly into heap rather than into a dummy variable, using the heap.handle_mut() method that @jdm recommended

OK, at this point @bors-servo r+
Fix unsafe Heap constructor usage in DOM objects

See servo/rust-mozjs#343 (comment)

Heap::new() constructor is unsafe. Heap should be set after reflect_dom_object call in order to prevent potential GC crashes.

- [x] `./mach build -d` does not report any errors
- [x] `./mach test-tidy` does not report any errors
- [ ] These changes fix #__ (github issue number if applicable).
- [x] There are tests for these changes OR
- [ ] These changes do not require tests because _____
MortimerGoro commented Apr 17, 2017 (edited)
See servo/rust-mozjs#343 (comment)
Heap::new() constructor is unsafe. Heap should be set after reflect_dom_object call in order to prevent potential GC crashes.
- `./mach build -d` does not report any errors
- `./mach test-tidy` does not report any errors
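A toy model of the ordering this PR enforces, added here as an illustration and not code from Servo or rust-mozjs. `ToyHeap`, `BARRIER_LOG` and `ToyDomObject` are hypothetical stand-ins, and the model assumes that storing a non-null value makes the GC record the address of the cell that holds it.

```rust
// Added illustration: a toy model, not Servo or rust-mozjs code.
use std::cell::{Cell, RefCell};

thread_local! {
    // Stand-in for the GC's record of where non-null heap pointers live.
    static BARRIER_LOG: RefCell<Vec<usize>> = RefCell::new(Vec::new());
}

/// Hypothetical stand-in for a GC-barriered cell such as Heap<*mut JSObject>.
#[derive(Default)]
pub struct ToyHeap { ptr: Cell<usize> }

impl ToyHeap {
    /// Assumed barrier behaviour: storing non-null logs this cell's address.
    pub fn set(&self, v: usize) {
        self.ptr.set(v);
        if self.ptr.get() != 0 {
            let addr = self as *const ToyHeap as usize;
            BARRIER_LOG.with(|log| log.borrow_mut().push(addr));
        }
    }
    /// Value-taking constructor: sets on a local, then moves it to the caller.
    pub fn new_with(v: usize) -> ToyHeap {
        let h = ToyHeap::default();
        h.set(v);
        h
    }
}

pub struct ToyDomObject { pub axes: ToyHeap }
fn last_logged() -> usize { BARRIER_LOG.with(|log| *log.borrow().last().unwrap()) }

/// Before: the cell is filled, then moved into its final boxed location.
pub fn logged_addr_valid_before_fix() -> bool {
    let obj = Box::new(ToyDomObject { axes: ToyHeap::new_with(0xA11CE) });
    last_logged() == &obj.axes as *const ToyHeap as usize
}

/// After: box first (standing in for reflect_dom_object), then set in place.
pub fn logged_addr_valid_after_fix() -> bool {
    let obj = Box::new(ToyDomObject { axes: ToyHeap::default() });
    obj.axes.set(0xA11CE);
    last_logged() == &obj.axes as *const ToyHeap as usize
}

fn main() {
    println!("before fix, logged address still valid: {}", logged_addr_valid_before_fix());
    println!("after fix, logged address still valid:  {}", logged_addr_valid_after_fix());
}
```

In the "before" shape the logged address belongs to a stack temporary that no longer exists once the object is boxed, which is the kind of stale location the PR description ties to potential GC crashes.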