Closed
Bug 1018638
Opened 10 years ago
Closed 10 years ago
Zone groups can include zones that are not being collected
Categories
(Core :: JavaScript: GC, defect)
Tracking
RESOLVED
FIXED
mozilla32
Release | Tracking | Status |
---|---|---|
firefox30 | --- | unaffected |
firefox31 | --- | unaffected |
firefox32 | --- | fixed |
firefox-esr24 | --- | unaffected |
b2g-v1.2 | --- | unaffected |
b2g-v1.3 | --- | unaffected |
b2g-v1.3T | --- | unaffected |
b2g-v1.4 | --- | unaffected |
b2g-v2.0 | --- | fixed |
People
(Reporter: billm, Assigned: billm)
References
Details
(Keywords: regression, sec-high)
Attachments
(1 file)
2.33 KB, patch | jonco: review+
I was doing some testing of zone GCs today to try to track down the cause of the assertion failures in bug 1016738 and I found this problem. This means that, whenever we use GCZoneGroupIter or GCCompartmentGroupIter, we're potentially iterating over zones/compartments that aren't being collected. I'm not sure what the consequences of this are. We rarely do zone GCs, so it's not likely to happen too much. But zone GCs can be triggered by allocating a lot, so it's a potential security issue. Looks like a regression from bug 982561.
Comment 1 (Assignee)•10 years ago
Attachment #8432156 - Flags: review?(jcoppeard)
Updated•10 years ago
status-firefox31: --- → unaffected
status-firefox32: --- → affected
Comment 2•10 years ago
Comment on attachment 8432156: zone-fix

Review of attachment 8432156:

Ah yes, I missed that possibility. Thanks for the fix.
Attachment #8432156 - Flags: review?(jcoppeard) → review+
Comment 3 (Assignee)•10 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/cb3e958fc249
Comment 4•10 years ago
https://hg.mozilla.org/mozilla-central/rev/cb3e958fc249
Status: NEW → RESOLVED
Closed: 10 years ago
status-b2g-v1.2: --- → unaffected
status-b2g-v1.3: --- → unaffected
status-b2g-v1.3T: --- → unaffected
status-b2g-v1.4: --- → unaffected
status-b2g-v2.0: --- → fixed
status-firefox30: --- → unaffected
status-firefox-esr24: --- → unaffected
Resolution: --- → FIXED
Target Milestone: --- → mozilla32
Comment 6•10 years ago
Looks like we found this from an audit. If a test case or steps to reproduce surface, we'd be happy to verify the fix, but for now, marking qe-verify-. Thank you.
QA Whiteboard: qe-verify-
Updated•10 years ago
QA Whiteboard: qe-verify-
Flags: qe-verify-
Updated•10 years ago
Group: core-security
Keywords: regression