Closed Bug 775785 Opened 12 years ago Closed 12 years ago

Watchpoint needs a readBarriered during incremental GC

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED INVALID

People

(Reporter: terrence, Assigned: billm)

Details

(Whiteboard: [js:p1]) 

If the handler assigns the passed object during an incremental GC, then it will escape the weakmap in an unsafe way.
(In reply to Terrence Cole [:terrence] from comment #0)
> If the handler assigns the passed object during an incremental GC, then it
> will escape the weakmap in an unsafe way.

Could you assign a security rating?
Whiteboard: [js:p1]
Keywords: sec-critical
Summary: Watchpoint needs a readBarriered → Watchpoint needs a readBarriered during incremental GC
Whiteboard: [js:p1] → [js:p1:fx17]
Whiteboard: [js:p1:fx17] → [js:p1]
Now I'm thinking that this is not a bug. The place where the read barrier would need to be invoked is triggerWatchpoint. And the read barrier would need to be invoked on the |obj| argument. However, |obj| must already be live at this point because a watchpoint was triggered on it.

Terrence, do you agree? If so, I'll add a comment and we can close the bug.
I agree.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → INVALID
Group: core-security
Keywords: sec-critical
You need to log in before you can comment on or make changes to this bug.