Closed Bug 1056899 Opened 7 years ago Closed 7 years ago

Don't free COW elements until the end of object finalization

Categories

(Core :: JavaScript Engine, defect)

defect
Not set
normal

Tracking

RESOLVED FIXED
mozilla34
Tracking Status
firefox33 --- unaffected
firefox34 --- fixed
firefox-esr31 --- unaffected

People

(Reporter: bhackett1024, Assigned: bhackett1024)

Details

(Keywords: csectype-uaf, sec-high)

Attachments

(1 file)

Jon noticed this while working on compacting GC.  If an owner object with COW elements is finalized before other objects pointing to its elements are, then during finalization those other objects could use the now freed elements pointer.  The attached patch fixes this by not freeing COW elements until the FreeOp itself is destroyed, which will happen after all objects have been finalized.
Attached patch: patch
Assignee: nobody → bhackett1024
OS: Mac OS X → All
Hardware: x86 → All
Duplicate of this bug: 1056898
Comment on attachment 8476744 (patch)

Review of attachment 8476744:
-----------------------------------------------------------------

Thanks for fixing.

It would be nice if we could get around the unhandleable OOM situation, but I can't see a straightforward way to do that.
Attachment #8476744 - Flags: review+
Unfortunately FreeOp can't be MOZ_STACK_CLASS because of runtime->defaultFreeOp().  The default free op isn't used for GC thing finalization though so I just added an assert in freeLater().

https://hg.mozilla.org/integration/mozilla-inbound/rev/2f5bca505197
https://hg.mozilla.org/mozilla-central/rev/2f5bca505197
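A small model of the deferral described in the report and in the comment above, added here as an illustration and not taken from the SpiderMonkey patch: buffers handed to `freeLater()` are released only when the `FreeOp` is destroyed, so an object that shares an owner's COW elements can still read them during its own finalization even when the owner was finalized first. The `FreeOp`, `Elements`, `Object`, `sweepOwnerFirst` and `gFreedBuffers` names are constructed for this example; only the `freeLater()` name and the assert against the runtime's default free op come from the bug.

```cpp
#include <cassert>
#include <cstdlib>
#include <vector>

// Constructed for this example: counts deferred buffers actually released.
static int gFreedBuffers = 0;

// Simplified FreeOp: collects buffers and frees them in its destructor, i.e.
// after every object in the sweep has been finalized (not the real class).
class FreeOp {
    std::vector<void*> deferred_;
    bool isDefault_;
public:
    explicit FreeOp(bool isDefault) : isDefault_(isDefault) {}
    ~FreeOp() { for (void* p : deferred_) { free(p); ++gFreedBuffers; } }
    void freeLater(void* p) {
        // Mirrors the assert mentioned in the bug: the runtime's default FreeOp
        // is never used for GC thing finalization, so nothing may be deferred on it.
        assert(!isDefault_);
        deferred_.push_back(p);
    }
    size_t pending() const { return deferred_.size(); }
};

struct Elements { size_t length; int data[4]; };

struct Object {
    Elements* elems;   // COW elements: owned by one object, shared by others
    bool owner;
    size_t seenLength; // what this object read from the buffer while finalizing
    void finalize(FreeOp* fop) {
        seenLength = elems->length;        // non-owners still touch the shared buffer
        if (owner) fop->freeLater(elems);  // owner schedules the free, does not free now
    }
};

// Finalize the owner before a sharer, the ordering from the bug; returns the
// length the sharer read, which is only valid because the free was deferred.
size_t sweepOwnerFirst() {
    Elements* e = static_cast<Elements*>(malloc(sizeof(Elements)));
    e->length = 4;
    Object owner{e, true, 0}, sharer{e, false, 0};
    size_t pendingDuringSweep = 0;
    {
        FreeOp fop(false);
        owner.finalize(&fop);
        pendingDuringSweep = fop.pending();  // buffer queued, still alive
        sharer.finalize(&fop);               // safe: not yet freed
    }                                        // fop destroyed here: buffer released
    assert(pendingDuringSweep == 1);
    return sharer.seenLength;
}
```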
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla34
Group: core-security