A web browser with dynamic data-flow tracking enabled in the Javascript engine and DOM, based on Mozilla Firefox (https://github.com/mozilla/gecko-dev). It can be used to identify insecure data flows or data privacy leaks in client-side web applications.
The fix to clean up all the StringTaint from Nursery strings wasn't quite thorough enough and left some dangling pointers lying around. This fix makes sure we catch all the Nursery allocated Strings by moving String registration to Allocator-inl.h
This fix revealed the root cause of the segmentation faults which were occuring on client-heavy webapps (UI5 I'm looking at you). There were a couple of occasions where strings were being created (but not rooted) and then additional strings constructed for TaintOperation arguments (e.g. JSONParser.cpp and RegExp.cpp). As the TaintOperations were trying to allocate memory, this could cause a GC which would clean up the original strings.
This fix makes sure that the TaintOperations are created before the new Strings or that they are properly rooted.
The fix to clean up all the StringTaint from Nursery strings wasn't quite thorough enough and left some dangling pointers lying around. This fix makes sure we catch all the Nursery allocated Strings by moving String registration to Allocator-inl.h
This fix revealed the root cause of the segmentation faults which were occuring on client-heavy webapps (UI5 I'm looking at you). There were a couple of occasions where strings were being created (but not rooted) and then additional strings constructed for TaintOperation arguments (e.g. JSONParser.cpp and RegExp.cpp). As the TaintOperations were trying to allocate memory, this could cause a GC which would clean up the original strings.
This fix makes sure that the TaintOperations are created before the new Strings or that they are properly rooted.