mirror of
https://github.com/mozilla/gecko-dev.git
synced 2024-10-19 16:25:38 +00:00
Bug 1200345: Add comment to js/public/UbiNode.h warning about operating on graphs constructed by hostile code. DONTBUILD r=fitzgen
--HG-- extra : amend_source : 1b311d37f460547b8746e32305ac26994357c7ed extra : histedit_source : defb2915ef54db03ed5481f0afea3eaa0bbf361c
This commit is contained in:
parent
b734c1b1fb
commit
3220028411
@ -97,7 +97,6 @@
// represented by a "rope", a structure that points to the two original
// strings.
//
//
// We intend to use ubi::Node to write tools that report memory usage, so it's
// important that ubi::Node accurately portray how much memory nodes consume.
// Thus, for example, when data that apparently belongs to multiple nodes is
@ -142,6 +141,25 @@
// If this restriction prevents us from implementing interesting tools, we may
// teach the GC how to root ubi::Nodes, fix up hash tables that use them as
// keys, etc.
//
//
// Hostile Graph Structure
//
// Analyses consuming ubi::Node graphs must be robust when presented with graphs
// that are deliberately constructed to exploit their weaknesses. When operating
// on live graphs, web content has control over the object graph, and less
// direct control over shape and string structure, and analyses should be
// prepared to handle extreme cases gracefully. For example, if an analysis were
// to use the C++ stack in a depth-first traversal, carefully constructed
// content could cause the analysis to overflow the stack.
//
// When ubi::Nodes refer to nodes deserialized from a heap snapshot, analyses
// must be even more careful: since snapshots often come from potentially
// compromised e10s content processes, even properties normally guaranteed by
// the platform (the proper linking of DOM nodes, for example) might be
// corrupted. While it is the deserializer's responsibility to check the basic
// structure of the snapshot file, the analyses should be prepared for ubi::Node
// graphs constructed from snapshots to be even more bizarre.
class JSAtom;
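Review bot: the live-graph paragraph names the hazard (a depth-first traversal that recurses on the C++ stack can be driven to overflow it) but not the pattern analyses should use instead; since this block exists to steer implementers, say it, e.g. `// Traversals should keep an explicit heap-allocated worklist rather than recurse.` The snapshot paragraph has the same gap: it ends with graphs being "even more bizarre" but does not say which properties the deserializer's "basic structure" check actually guarantees and which the analysis must still re-verify itself (edge targets that exist, plausible node counts and sizes, absence of cycles where the platform would normally forbid them). A one-line split of responsibilities there would make the comment actionable rather than just cautionary.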