Closed Bug 1018638 Opened 10 years ago Closed 10 years ago

Zone groups can include zones that are not being collected

Categories

(Core :: JavaScript: GC, defect)

x86_64
Linux
defect
Not set
normal

Tracking


RESOLVED FIXED
mozilla32
Tracking Status
firefox30 --- unaffected
firefox31 --- unaffected
firefox32 --- fixed
firefox-esr24 --- unaffected
b2g-v1.2 --- unaffected
b2g-v1.3 --- unaffected
b2g-v1.3T --- unaffected
b2g-v1.4 --- unaffected
b2g-v2.0 --- fixed

People

(Reporter: billm, Assigned: billm)


Details

(Keywords: regression, sec-high)

Attachments

(1 file)

I was doing some testing of zone GCs today to try to track down the cause of the assertion failures in bug 1016738 and I found this problem. This means that, whenever we use GCZoneGroupIter or GCCompartmentGroupIter, we're potentially iterating over zones/compartments that aren't being collected. I'm not sure what the consequences of this are. We rarely do zone GCs, so it's not likely to happen too much. But zone GCs can be triggered by allocating a lot, so it's a potential security issue. Looks like a regression from bug 982561.
Attached patch zone-fix
Attachment #8432156 - Flags: review?(jcoppeard)
Comment on attachment 8432156
zone-fix

Review of attachment 8432156:
-----------------------------------------------------------------

Ah yes, I missed that possibility.  Thanks for the fix.
Attachment #8432156 - Flags: review?(jcoppeard) → review+
Keywords: sec-high
https://hg.mozilla.org/mozilla-central/rev/cb3e958fc249
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla32
Looks like we found this from an audit. If a test case or steps to reproduce surface, we'd be happy to verify the fix, but for now, marking qe-verify-. Thank you.
QA Whiteboard: qe-verify-
Flags: qe-verify-
Group: core-security
Keywords: regression