Analysis:
- this is about wasm builtin calls only (other calls are ok)
- this is about ion only (baseline is ok)
- this is specific to builtin calls that can return an error *and* can trigger gc, probably only ref.func
- a pointer on the stack is not traced because the stackmap is not found by the gc because its location marker is off, if the correct phase of gc is triggered by the allocation in question
- an attacker could perhaps place many pointers on the stack in an attempt to get some that point to something interesting, but this will be hard to count on and will easily crash
- fission helps us (attack does not escape to other domains) but also hurts us (gc behavior may be less turbulent than it would be in the single-process browser)
- the issue is serious, we do uplifts all the way
Bug 1739683 Comment 7 Edit History