Closed Bug 1004276 Opened 6 years ago Closed 3 years ago

Assert that we do not GC in the middle of a CC slice

Categories

(Core :: XPCOM, defect)

defect
Not set

Tracking

()

RESOLVED FIXED
mozilla51
Tracking Status
firefox51 --- fixed

People

(Reporter: terrence, Unassigned)

References

(Blocks 1 open bug)

Details

(Keywords: sec-audit, Whiteboard: [post-critsmash-triage][adv-main51-])

Attachments

(1 file, 1 obsolete file)

Attached patch no_gc_in_cc-v0.diff (obsolete) — Splinter Review
After some feedback from :mccr8, this was able to browse around techcrunch, cnn, and passed octane. I'd like to push this to try, but bug 994028.
Attachment #8415644 - Flags: review?(continuation)
Attachment #8415644 - Flags: review?(continuation) → review+
Group: core-security
Depends on: 1005119
This turned up a security issue.  See bug 1005119.
Keywords: sec-audit
Blocks: GC.stability
Group: core-security → dom-core-security
I know we have assertions on insertion into the GraphBuilder that the nodes we're adding are not in the nursery, so I think that this is not actually a problem in practice. That said, I have no idea *why* that assertion passes. We can certainly GC after building the graph during Unlink (we run JS there), but I guess the graph is already gone by then? I'm not sure how we keep compacting from ruining our world in that case.

Either way we need more assertions around this interaction. I think the patch attached here is a good starting place, but I'd also like assertion on Heap<T>::get that we are not in one of these regions -- e.g. that we do not try to ExposeToActiveJS in the middle of deleting stuff from the CC.
Assignee: terrence → nobody
Status: ASSIGNED → NEW
Rebased. We renamed the method and stuff moved around a bit in the CC.
Attachment #8415644 - Attachment is obsolete: true
Attachment #8790464 - Flags: review+
See Also: → 1297558
https://hg.mozilla.org/mozilla-central/rev/b1df9ae6cce2
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla51
Group: dom-core-security → core-security-release
Flags: qe-verify-
Whiteboard: [post-critsmash-triage]
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main51-]
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.