Bug 1200345: Add comment to js/public/UbiNode.h warning about operating on graphs constructed by hostile code. DONTBUILD r=fitzgen
author Jim Blandy <jimb@mozilla.com>
date Mon, 31 Aug 2015 11:34:57 -0700
changeset 260246 8985a835958cdf90353d964df0bd9b94867fd406
parent 260245 0cbe50c5dcc5c75e2fa7efc07b0fd86f8888d6a8
child 260247 0c3b14c7ffd96ed24505059b10222694406bea85
push id 29304
push user cbook@mozilla.com
push date Tue, 01 Sep 2015 12:32:25 +0000
reviewers fitzgen
bugs 1200345
milestone 43.0a1
js/public/UbiNode.h
--- a/js/public/UbiNode.h
+++ b/js/public/UbiNode.h
@@ -92,17 +92,16 @@
 // ECMAScript specification describes objects as maps from property names to
 // sets of attributes (like ECMAScript's [[Value]]), in practice many objects
 // have only a pointer to a shape, shared with other similar objects, and
 // indexed slots that contain the [[Value]] attributes. As another example, a
 // string produced by concatenating two other strings may sometimes be
 // represented by a "rope", a structure that points to the two original
 // strings.
 //
-//
 // We intend to use ubi::Node to write tools that report memory usage, so it's
 // important that ubi::Node accurately portray how much memory nodes consume.
 // Thus, for example, when data that apparently belongs to multiple nodes is
 // in fact shared in a common structure, ubi::Node's graph uses a separate
 // node for that shared structure, and presents edges to it from the data's
 // apparent owners. For example, ubi::Node exposes SpiderMonkey objects'
 // shapes and base shapes, and exposes rope string and substring structure,
 // because these optimizations become visible when a tool reports how much
@@ -137,16 +136,35 @@
 // save their intermediate state in some rooted structure if they must GC before
 // they complete. (For algorithms like path-finding and dominator tree
 // computation, we implement the algorithm avoiding any operation that could
 // cause a GC --- and use AutoCheckCannotGC to verify this.)
 //
 // If this restriction prevents us from implementing interesting tools, we may
 // teach the GC how to root ubi::Nodes, fix up hash tables that use them as
 // keys, etc.
+//
+//
+// Hostile Graph Structure
+//
+// Analyses consuming ubi::Node graphs must be robust when presented with graphs
+// that are deliberately constructed to exploit their weaknesses. When operating
+// on live graphs, web content has control over the object graph, and less
+// direct control over shape and string structure, and analyses should be
+// prepared to handle extreme cases gracefully. For example, if an analysis were
+// to use the C++ stack in a depth-first traversal, carefully constructed
+// content could cause the analysis to overflow the stack.
+//
+// When ubi::Nodes refer to nodes deserialized from a heap snapshot, analyses
+// must be even more careful: since snapshots often come from potentially
+// compromised e10s content processes, even properties normally guaranteed by
+// the platform (the proper linking of DOM nodes, for example) might be
+// corrupted. While it is the deserializer's responsibility to check the basic
+// structure of the snapshot file, the analyses should be prepared for ubi::Node
+// graphs constructed from snapshots to be even more bizarre.
 
 class JSAtom;
 
 namespace JS {
 namespace ubi {
 
 class Edge;
 class EdgeRange;
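Review bot: the two consecutive blank `//` lines that open the new section (the `+//` / `+//` pair right after "keys, etc.") reintroduce exactly the doubled separator that the first hunk of this same patch removes a few paragraphs earlier; drop one so the comment block stays consistent with itself. On substance, the stack-overflow example names the hazard but not the convention for avoiding it: the surrounding comment already says that path-finding and dominator-tree computation are written to avoid any GC-able operation, so a sentence here stating that traversals should keep an explicit worklist or stack in heap memory rather than recursing on the C++ stack would turn the warning into guidance a new analysis author can act on. Likewise, "check the basic structure of the snapshot file" leaves unstated what an analysis may assume once deserialization succeeds; spelling out the invariants the deserializer guarantees (or pointing at where they are documented), so that analyses know which checks they still owe themselves, would make "even more bizarre" a bounded promise rather than an open one.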