Closed
Bug 775785
Opened 12 years ago
Closed 12 years ago
Watchpoint needs a readBarriered during incremental GC
Categories
(Core :: JavaScript Engine, defect)
Core
JavaScript Engine
Tracking
()
RESOLVED
INVALID
People
(Reporter: terrence, Assigned: billm)
Details
(Whiteboard: [js:p1])
If the handler assigns the passed object during an incremental GC, then it will escape the weakmap in an unsafe way.
Comment 1•12 years ago
|
||
(In reply to Terrence Cole [:terrence] from comment #0) > If the handler assigns the passed object during an incremental GC, then it > will escape the weakmap in an unsafe way. Could you assign a security rating?
Whiteboard: [js:p1]
Reporter | ||
Updated•12 years ago
|
Keywords: sec-critical
Updated•12 years ago
|
status-firefox16:
--- → affected
status-firefox17:
--- → affected
tracking-firefox16:
--- → +
tracking-firefox17:
--- → +
Updated•12 years ago
|
Summary: Watchpoint needs a readBarriered → Watchpoint needs a readBarriered during incremental GC
Updated•12 years ago
|
Whiteboard: [js:p1] → [js:p1:fx17]
Updated•12 years ago
|
Whiteboard: [js:p1:fx17] → [js:p1]
Updated•12 years ago
|
status-firefox-esr10:
--- → unaffected
status-firefox15:
--- → unaffected
Assignee | ||
Comment 2•12 years ago
|
||
Now I'm thinking that this is not a bug. The place where the read barrier would need to be invoked is triggerWatchpoint. And the read barrier would need to be invoked on the |obj| argument. However, |obj| must already be live at this point because a watchpoint was triggered on it. Terrence, do you agree? If so, I'll add a comment and we can close the bug.
Reporter | ||
Comment 3•12 years ago
|
||
I agree.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → INVALID
Comment 4•12 years ago
|
||
Fixing branch flags.
status-firefox-esr10:
unaffected → ---
status-firefox15:
unaffected → ---
status-firefox16:
affected → ---
status-firefox17:
affected → ---
tracking-firefox16:
+ → ---
tracking-firefox17:
+ → ---
Updated•12 years ago
|
Group: core-security
Keywords: sec-critical
You need to log in
before you can comment on or make changes to this bug.
Description
•