Bug#579227: Embedded code copy: libmozjs

2010-04-30 Thread Johan Euphrosine
On Mon, Apr 26, 2010 at 01:34:21PM +0200, Cyril Brulebois wrote:
> it was just noticed that the FTBFS on s390 I reported sounded like an
> FTBFS previously dealt with in libmozjs, meaning you're embedding it
> instead of just using libmozjs-dev and dropping your embedded code copy.
> Given the security records on xulrunner thingies, I'm opening this at
> serious severity with security tag…

Upstream is aware of this problem and is waiting for the SpiderMonkey
developers to provide a public API for the parser before removing the
need for the embedded copy of SpiderMonkey.

See the following blog comment by the jscoverage author:
http://blog.mozilla.com/dherman/2010/04/22/language-engineering-on-the-web/comment-page-1/#comment-3

There seems to be ongoing work for this in SpiderMonkey:
https://bugzilla.mozilla.org/show_bug.cgi?id=533874

I posted to mozilla.dev.tech.js-engine (as advised by irc.mozilla.org
#jsapi folks), to ask for the current status of this work.
-- 
Johan Euphrosine (proppy) pro...@aminche.com
Development and services around Free Software
http://www.aminche.com/




Bug#579227: Embedded code copy: libmozjs

2010-04-29 Thread Johan Euphrosine
On Mon, Apr 26, 2010 at 01:34:21PM +0200, Cyril Brulebois wrote:
> Source: jscoverage
> Version: 0.4-1
> Severity: serious
> Tags: security
> Justification: ECC
>
> Hi (again),
>
> it was just noticed that the FTBFS on s390 I reported sounded like an
> FTBFS previously dealt with in libmozjs, meaning you're embedding it
> instead of just using libmozjs-dev and dropping your embedded code copy.
> Given the security records on xulrunner thingies, I'm opening this at
> serious severity with security tag…
>

Hi,

I patched their build system and their source to use the latest version of
libmozjs:

diff -u jscoverage-0.5//highlight.cpp 1/jscoverage-0.5//highlight.cpp
--- jscoverage-0.5//highlight.cpp   2010-04-29 14:07:57.120047173 +
+++ 1/jscoverage-0.5//highlight.cpp 2010-04-24 12:00:00.0 +
@@ -225,8 +225,8 @@
   current_class = CLASS_NONE;
 
   /* tokenize the JavaScript */
-  JSTokenStream token_stream;
-  if (! js_InitTokenStream(context, token_stream, characters, num_characters, 
NULL, NULL, 1)) {
+  JSTokenStream token_stream(context);
+  if (! token_stream.init(context, characters, num_characters, NULL, NULL, 1)) 
{
 fatal(cannot create token stream from JavaScript file %s, id);
   }
 
@@ -480,5 +480,5 @@
 output_character('\n', CLASS_NONE);
   }
 
-  js_CloseTokenStream(context, token_stream);
+  token_stream.close(context);
 }
Only in jscoverage-0.5/: .#instrument-js.cpp
Only in jscoverage-0.5/: #instrument-js.cpp#
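Review bot: the two "Only in jscoverage-0.5/" entries, .#instrument-js.cpp and #instrument-js.cpp#, follow the Emacs lock-file and auto-save naming, which suggests instrument-js.cpp had unsaved edits in an open editor when this diff was taken. Save the buffer, remove those files and regenerate the diff from a clean tree, so that the instrument-js.cpp hunks that follow are known to match what was actually compiled.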
diff -u jscoverage-0.5//instrument-js.cpp 1/jscoverage-0.5//instrument-js.cpp
--- jscoverage-0.5//instrument-js.cpp   2010-04-29 14:14:07.890078976 +
+++ 1/jscoverage-0.5//instrument-js.cpp 2010-04-24 12:00:00.0 +
@@ -35,7 +35,7 @@
 #include jsarena.h
 #include jsatom.h
 #include jsemit.h
-// #include jsexn.h
+#include jsexn.h
 #include jsfun.h
 #include jsinterp.h
 #include jsiter.h
@@ -143,7 +143,7 @@
 static void print_string(JSString * s, Stream * f) {
   size_t length;
   const jschar * characters;
-  JSSTRING_CHARS_AND_LENGTH(s, characters, length);
+  s-getCharsAndLength(characters, length);
   for (size_t i = 0; i  length; i++) {
 jschar c = characters[i];
 if (32 = c  c = 126) {
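Review bot: the swap between JSSTRING_CHARS_AND_LENGTH and getCharsAndLength in print_string is repeated unchanged in the hunks at -206 and -777. These are exactly the engine-internal calls that differ between library versions, so consider putting the call behind one small local helper; the next libmozjs update then touches a single place instead of three.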
@@ -206,7 +206,7 @@
   JSString * s = JSVAL_TO_STRING(value);
   size_t length;
   const jschar * characters;
-  JSSTRING_CHARS_AND_LENGTH(s, characters, length);
+  s-getCharsAndLength(characters, length);
   for (size_t i = 0; i  length; i++) {
 jschar c = characters[i];
 if (32 = c  c = 126) {
@@ -416,7 +416,7 @@
   for (JSParseNode * p = comma-pn_head; p != NULL; p = p-pn_next) {
 assert(p-pn_type == TOK_ASSIGN);
 JSParseNode * rhs = p-pn_right;
-assert(JSSTRING_LENGTH(ATOM_TO_STRING(rhs-pn_atom)) == 0);
+assert(ATOM_TO_STRING(rhs-pn_atom)-length() == 0);
 if (UPVAR_FRAME_SLOT(rhs-pn_cookie) == i) {
   expression = p-pn_left;
   break;
@@ -777,7 +777,7 @@
 
   size_t length;
   const jschar * characters;
-  JSSTRING_CHARS_AND_LENGTH(s, characters, length);
+  s-getCharsAndLength(characters, length);
 
   if (length == 0) {
 must_quote = true;
@@ -1433,7 +1433,7 @@
   JSErrorReporter old_error_reporter = JS_SetErrorReporter(context, 
error_reporter);
   JSParseNode * node = compiler.parse(global);
   if (node == NULL) {
-//js_ReportUncaughtException(context);
+js_ReportUncaughtException(context);
 fatal(parse error in file %s, file_id);
   }
   JS_SetErrorReporter(context, old_error_reporter);
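Review bot: on the node == NULL path, one side of this hunk has js_ReportUncaughtException(context) commented out, and the hunk at -35 does the same to the jsexn.h include, so with that variant a pending exception from compiler.parse(global) is never reported before fatal() prints its generic "parse error in file" message. If the call has to go, delete both lines rather than leaving them commented out, and confirm that the error_reporter installed just above still prints the parser's diagnostic.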
diff -u jscoverage-0.5//Makefile.in 1/jscoverage-0.5//Makefile.in
--- jscoverage-0.5//Makefile.in 2010-04-29 14:17:11.410078501 +
+++ 1/jscoverage-0.5//Makefile.in   2010-04-24 12:00:00.0 +
@@ -292,8 +292,9 @@
 top_builddir = @top_builddir@
 top_srcdir = @top_srcdir@
 ACLOCAL_AMFLAGS = -I m4
-AM_CFLAGS = `pkg-config mozilla-js --cflags` @XP_DEF@
-AM_CXXFLAGS = `pkg-config mozilla-js --cflags` -funit-at-a-time @XP_DEF@
+SUBDIRS = js
+AM_CFLAGS = -Ijs -Ijs/obj @XP_DEF@
+AM_CXXFLAGS = -Ijs -Ijs/obj -funit-at-a-time @XP_DEF@
 resources = jscoverage-help.txt jscoverage-server-help.txt \
 jscoverage.jsm jscoverage.manifest jscoverage.xul 
jscoverage-overlay.js \
 jscoverage.html \
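Review bot: this diff reads backwards. The "-" lines here use pkg-config mozilla-js --cflags while the "+" lines add SUBDIRS = js and -Ijs -Ijs/obj, and the file headers date the "---" side 2010-04-29 and the "+++" side 2010-04-24, so applying it as posted would put the bundled js/ directory back into the build. Regenerate it with the pristine tree as the first argument to diff.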
@@ -311,7 +312,7 @@
  util.c util.h \
  $(resources)
 
-jscoverage_LDADD = `pkg-config mozilla-js --libs` -lm @LIBICONV@ 
@EXTRA_TIMER_LIBS@
+jscoverage_LDADD = @SPIDERMONKEY_LIBS@ -lm @LIBICONV@ @EXTRA_TIMER_LIBS@
 jscoverage_server_SOURCES = http-connection.c \
 http-exchange.c \
 http-host.c \
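Review bot: Makefile.in is generated by automake, so an edit to jscoverage_LDADD here (and to jscoverage_server_LDADD in the next hunk) is lost the next time the build system is regenerated; the change belongs in Makefile.am. Running pkg-config in backticks inside the Makefile also means a missing mozilla-js module only shows up as a compile or link failure, whereas a check in configure.ac (for example PKG_CHECK_MODULES) would fail at configure time and could keep feeding the existing @SPIDERMONKEY_LIBS@ substitution.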
@@ -327,7 +328,7 @@
 util.c util.h \
 $(resources)
 
-jscoverage_server_LDADD = `pkg-config mozilla-js --libs` -lm 
@EXTRA_SOCKET_LIBS@ @EXTRA_THREAD_LIBS@ @LIBICONV@ @EXTRA_TIMER_LIBS@
+jscoverage_server_LDADD = @SPIDERMONKEY_LIBS@ -lm @EXTRA_SOCKET_LIBS@ 
@EXTRA_THREAD_LIBS@ @LIBICONV@ @EXTRA_TIMER_LIBS@
 

Bug#579227: Embedded code copy: libmozjs

2010-04-29 Thread Johan Euphrosine
On Mon, Apr 26, 2010 at 01:34:21PM +0200, Cyril Brulebois wrote:
> Source: jscoverage
> Version: 0.4-1
> Severity: serious
> Tags: security
> Justification: ECC
>
> Hi (again),
>
> it was just noticed that the FTBFS on s390 I reported sounded like an
> FTBFS previously dealt with in libmozjs, meaning you're embedding it
> instead of just using libmozjs-dev and dropping your embedded code copy.
> Given the security records on xulrunner thingies, I'm opening this at
> serious severity with security tag…
>

It seems Fedora spotted the same issue when reviewing the jscoverage
package:

https://bugzilla.redhat.com/show_bug.cgi?id=453264

One of the comments states the following:

The Mozilla SpiderMonkey js library is intended to be used as a 
JavaScript interpreter, but JSCoverage uses it for parsing, rather than 
interpreting, JavaScript.  Unfortunately the parsing functions are not 
public and could possibly change any time the library is upgraded.


I think the above qualifies as a good reason to allow static linking.


I was wondering if Debian would allow static linking in that case?
-- 
Johan Euphrosine (proppy) pro...@aminche.com
Development and services around Free Software
http://www.aminche.com/




Bug#579227: Embedded code copy: libmozjs

2010-04-26 Thread Cyril Brulebois
Source: jscoverage
Version: 0.4-1
Severity: serious
Tags: security
Justification: ECC

Hi (again),

it was just noticed that the FTBFS on s390 I reported sounded like an
FTBFS previously dealt with in libmozjs, meaning you're embedding it
instead of just using libmozjs-dev and dropping your embedded code copy.
Given the security records on xulrunner thingies, I'm opening this at
serious severity with security tag…

Mraw,
KiBi.


