Bug 1895951 Comment 7 Edit History

Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.

Original comment by

Jari Jalkanen [:jari]

on 2024-05-13 09:06:34 PDT

This is a speculative fix. As Jan said, from the logs it looks like the garbage collector plucks the array object before we copy its data.

However, I was unable to reproduce this with grizzly, or as a crashtest, even in the test-verify mode.

Attempts to run the garbage collector manually with `TestUtils::Gc` and with the (JS::NonIncrementalGC method)[https://searchfox.org/mozilla-central/rev/ee2ad260c25310a9fbf96031de05bbc0e94394cc/dom/base/fuzztest/FuzzStructuredClone.cpp#44] also didn't produce any findings, neither with the attached test case nor `idb-binary-key*.htm` web platform tests which cover this code.

Revision 1 by

Jari Jalkanen [:jari]

on 2024-05-13 09:16:31 PDT

This is a speculative fix. As Jan said, from the logs it looks like the garbage collector plucks the array object while we are working with it.

However, I was unable to reproduce this with grizzly, or as a crashtest, even in the test-verify mode.

Attempts to run the garbage collector manually with `TestUtils::Gc` and with the (JS::NonIncrementalGC method)[https://searchfox.org/mozilla-central/rev/ee2ad260c25310a9fbf96031de05bbc0e94394cc/dom/base/fuzztest/FuzzStructuredClone.cpp#44] also didn't produce any findings, neither with the attached test case nor `idb-binary-key*.htm` web platform tests which cover this code.

Revision 2 by

Jari Jalkanen [:jari]

on 2024-05-13 09:18:12 PDT

This is a speculative fix. As Jan said, from the logs it looks like the garbage collector plucks the array object while we are working with it.

However, I was unable to reproduce the issue with grizzly, or as a crashtest, even in the test-verify mode.

Attempts to run the garbage collector manually with `TestUtils::Gc` and with the (JS::NonIncrementalGC method)[https://searchfox.org/mozilla-central/rev/ee2ad260c25310a9fbf96031de05bbc0e94394cc/dom/base/fuzztest/FuzzStructuredClone.cpp#44] also didn't produce any findings, neither with the attached test case nor with the `idb-binary-key*.htm` web platform tests which cover this code.

Revision 3 by

Jari Jalkanen [:jari]

on 2024-05-13 09:55:04 PDT

This is a speculative fix. As Jan said, from the logs it looks like the garbage collector plucks the array object while we are working with it.

However, I was unable to reproduce the issue with grizzly, or as a crashtest, even in the test-verify mode.

Attempts to run the garbage collector manually with `TestUtils::Gc` and with the [JS::NonIncrementalGC method](https://searchfox.org/mozilla-central/rev/ee2ad260c25310a9fbf96031de05bbc0e94394cc/dom/base/fuzztest/FuzzStructuredClone.cpp#44) also didn't produce any findings, neither with the attached test case nor with the `idb-binary-key*.htm` web platform tests which cover this code.

Back to Bug 1895951 Comment 7