Closed Bug 1056899 Opened 11 years ago Closed 11 years ago

Don't free COW elements until the end of object finalization

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla34
Tracking Flags:
Tracking Status
firefox33 --- unaffected
firefox34 --- fixed
firefox-esr31 --- unaffected

People

(Reporter: bhackett1024, Assigned: bhackett1024)

References

Details

(Keywords: csectype-uaf, sec-high)

Attachments

(1 file)

patch
2.54 KB, patch
jonco
: review+
Details | Diff | Splinter Review
Jon noticed this while working on compacting GC. If an owner object with COW elements is finalized before other objects pointing to its elements are, then during finalization those other objects could use the now freed elements pointer. The attached patch fixes this by not freeing COW elements until the FreeOp itself is destroyed, which will happen after all objects have been finalized.
Attached patch patchSplinter Review
Assignee: nobody → bhackett1024
Comment on attachment 8476744 [details] [diff] [review] patch Review of attachment 8476744 [details] [diff] [review]: ----------------------------------------------------------------- Thanks for fixing. It would be nice if we could get around the unhandleable OOM situation, but I can't see a straightforward way to do that.
Attachment #8476744 - Flags: review+
Unfortunately FreeOp can't be MOZ_STACK_CLASS because of runtime->defaultFreeOp(). The default free op isn't used for GC thing finalization though so I just added an assert in freeLater(). https://hg.mozilla.org/integration/mozilla-inbound/rev/2f5bca505197
https://hg.mozilla.org/mozilla-central/rev/2f5bca505197
Status: NEW → RESOLVED
Closed: 11 years ago
status-firefox34: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla34
Group: core-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: