Closed
Bug 1127246
Opened 10 years ago
Closed 10 years ago
baseShapes table is not updated after generational GC
Categories
(Core :: JavaScript: GC, defect)
Core
JavaScript: GC
Tracking
()
RESOLVED
FIXED
mozilla38
Tracking | Status | |
---|---|---|
firefox35 | --- | wontfix |
firefox36 | + | fixed |
firefox37 | + | fixed |
firefox38 | + | fixed |
firefox-esr31 | --- | unaffected |
b2g-v1.4 | --- | unaffected |
b2g-v2.0 | --- | unaffected |
b2g-v2.0M | --- | unaffected |
b2g-v2.1 | --- | unaffected |
b2g-v2.1S | --- | unaffected |
b2g-v2.2 | --- | fixed |
b2g-master | --- | fixed |
People
(Reporter: jonco, Assigned: jonco)
References
Details
(Keywords: sec-high, Whiteboard: [adv-main36+])
Attachments
(3 files, 2 obsolete files)
13.32 KB,
patch
|
jonco
:
review+
abillings
:
sec-approval+
|
Details | Diff | Splinter Review |
12.78 KB,
patch
|
jonco
:
review+
Sylvestre
:
approval-mozilla-aurora+
|
Details | Diff | Splinter Review |
13.12 KB,
patch
|
jonco
:
review+
Sylvestre
:
approval-mozilla-beta+
|
Details | Diff | Splinter Review |
The baseShapes table is keyed based on parent and metadata objects pointers, both of which may be in the nursery. It needs a postbarrier to rekey entries if these objects are moved on generational GC.
Forking this issue from bug 1124563.
Assignee | ||
Comment 1•10 years ago
|
||
Add a check to see if the contents of the baseShapes table are valid. This causes our tests to fail if we enable the checks with zeal mode 13.
Attachment #8556479 -
Flags: review?(terrence)
Assignee | ||
Comment 2•10 years ago
|
||
I had an idea to mark generic barriers first to get rid of the problem where hashtable barriers see an inconsistent view of, where the table's keys have are based on original object locations but their values contain object pointers that have already been updated by other barriers.
Sadly this doesn't work, because moving the entry in the generic barrier means that the barriers for any pointers in the value now have the wrong address.
I've just fixed this in the same way we use for other barriers, by giving the lookup structure the ability to match an entry for which the key hash and key value contents are based on prior and updated object pointers respectively.
Attachment #8556481 -
Flags: review?(terrence)
Assignee | ||
Comment 3•10 years ago
|
||
This issue has been present since we enabled GGC in bug 619558.
Blocks: GenerationalGC
status-firefox35:
--- → affected
status-firefox36:
--- → affected
status-firefox37:
--- → affected
status-firefox38:
--- → affected
status-firefox-esr31:
--- → unaffected
Updated•10 years ago
|
status-b2g-v1.4:
--- → unaffected
status-b2g-v2.0:
--- → unaffected
status-b2g-v2.0M:
--- → unaffected
status-b2g-v2.1:
--- → unaffected
status-b2g-v2.1S:
--- → unaffected
status-b2g-v2.2:
--- → affected
status-b2g-master:
--- → affected
Comment 4•10 years ago
|
||
This sounds like it could result in dead pointers, though it also sounds difficult to exploit.
Updated•10 years ago
|
Attachment #8556479 -
Flags: review?(terrence) → review+
Comment 5•10 years ago
|
||
Comment on attachment 8556481 [details] [diff] [review]
post-barrier-base-shapes-table
Review of attachment 8556481 [details] [diff] [review]:
-----------------------------------------------------------------
Nice!
::: js/public/HashTable.h
@@ +252,5 @@
> if (old_key != new_key)
> rekeyAs(old_key, new_key, new_key);
> }
>
> // Infallibly rekey one entry, if present.
Please extend the comment to explain the bool being returned.
@@ +473,5 @@
> if (old_value != new_value)
> rekeyAs(old_value, new_value, new_value);
> }
>
> // Infallibly rekey one entry, if present.
Ditto.
Attachment #8556481 -
Flags: review?(terrence) → review+
Assignee | ||
Comment 6•10 years ago
|
||
Combined patch with review comments addressed.
Attachment #8556479 -
Attachment is obsolete: true
Attachment #8556481 -
Attachment is obsolete: true
Attachment #8557038 -
Flags: review+
Assignee | ||
Comment 7•10 years ago
|
||
Comment on attachment 8557038 [details] [diff] [review]
bug1127246-post-barrier-base-shapes-table
[Security approval request comment]
How easily could an exploit be constructed based on the patch?
Very hard.
Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?
No.
Which older supported branches are affected by this flaw?
Everything back to FF32.
If not all supported branches, which bug introduced the flaw?
Bug 619558.
Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?
This patch should apply directly or with minimal changes.
How likely is this patch to cause regressions; how much testing does it need?
Unlikely to cause regressions.
Attachment #8557038 -
Flags: sec-approval?
Comment 8•10 years ago
|
||
sec-approval+ for trunk. I'd like to see Aurora and Beta patches nominated and then checked in as well to get it in the next beta.
Updated•10 years ago
|
Attachment #8557038 -
Flags: sec-approval? → sec-approval+
Comment 9•10 years ago
|
||
Jon, could you land and fill the uplift requests so that we have it in beta asap? Thanks
Flags: needinfo?(jcoppeard)
Assignee | ||
Comment 10•10 years ago
|
||
Flags: needinfo?(jcoppeard)
Assignee | ||
Comment 11•10 years ago
|
||
Attachment #8557906 -
Flags: review+
Assignee | ||
Comment 12•10 years ago
|
||
Rebased patch for mozilla-beta, carrying r+.
Attachment #8557907 -
Flags: review+
Comment 13•10 years ago
|
||
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla38
Comment 14•10 years ago
|
||
Jon, sorry to bother you again but we would also need the uplift request, thanks!
Flags: needinfo?(jcoppeard)
Assignee | ||
Comment 15•10 years ago
|
||
Comment on attachment 8557906 [details] [diff] [review]
baseShapes-patch-aurora
Approval Request Comment
[Feature/regressing bug #]: Bug 619558.
[User impact if declined]: Possible stability/security issue.
[Describe test coverage new/current, TreeHerder]: On m-c for 24 hours.
[Risks and why]: Low risk.
[String/UUID change made/needed]: None.
Flags: needinfo?(jcoppeard)
Attachment #8557906 -
Flags: approval-mozilla-aurora?
Assignee | ||
Comment 16•10 years ago
|
||
Comment on attachment 8557907 [details] [diff] [review]
baseShapes-patch-beta
Approval Request Comment
[Feature/regressing bug #]: Bug 619558.
[User impact if declined]: Possible stability/security issue.
[Describe test coverage new/current, TreeHerder]: On m-c for 24 hours.
[Risks and why]: Low risk.
[String/UUID change made/needed]: None.
Attachment #8557907 -
Flags: approval-mozilla-beta?
Comment 17•10 years ago
|
||
Comment on attachment 8557907 [details] [diff] [review]
baseShapes-patch-beta
Thanks
Attachment #8557907 -
Flags: approval-mozilla-beta? → approval-mozilla-beta+
Updated•10 years ago
|
Attachment #8557906 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Assignee | ||
Comment 18•10 years ago
|
||
Updated•10 years ago
|
Comment 19•10 years ago
|
||
Updated•10 years ago
|
Whiteboard: [adv-main36+]
Updated•9 years ago
|
Group: core-security → core-security-release
Updated•8 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•