I finally got the ExposeToActiveJS GC zeal mode more or less working. Before the browser even starts, we hit an error with a stack containing mozilla::dom::PromiseJobCallback::Call, which is at least proximate to the stacks from W(2) in our landing yesterday. The gray value is right in a rooted, which we can trivially follow backwards to a missing Expose call, as per the attached patch.
Attachment #8777600 - Flags: review?(bzbarsky)
Comment on attachment 8777600 [details] [diff] [review] expose_savedstacks-v0.diff r=me. Good catch! Also, good to know about the zeal mode. ;)
Attachment #8777600 - Flags: review?(bzbarsky) → review+
https://hg.mozilla.org/integration/mozilla-inbound/rev/492d8382a49c86b16f758edb67b46d061adac5fc Bug 1291928 - Expose JSSavedStack's stack before returning; r=bz
Unfortunately, it's still not in a landable state. I opened the tree of bugs at  to try to get our runtime marking code to a place where it's sane to add more complexity. It also is too slow to open a browser window. Stuff starts timing out, even with an allocation gap of 100000. Not really surprising I suppose. Instead we'll have to use it via TestingFunctions once the browser is already loaded, which I believe is how browser fuzzing happens anyway. 1- https://bugzilla.mozilla.org/showdependencytree.cgi?id=1290603&hide_resolved=1
Comment on attachment 8777600 [details] [diff] [review] expose_savedstacks-v0.diff Approval Request Comment [Feature/regressing bug #]: Incremental CC, found by the assertions in bug 1283634. [User impact if declined]: Intermittent crashes. [Describe test coverage new/current, TreeHerder]: It's been on TH for a week and no longer hits the assertions. [Risks and why]: There was a slow trickle of hard-to-exploit UAF crashes in previous branches caused by missing ExposeToActiveJS barriers in a few places. We added an assertion that catches these in bug 1283634. We'd like to uplift the fixes to Aurora to solve the crashes 6 weeks earlier than we otherwise might. The impact is relatively low, but the patches are also extremely simple and low risk. Aurora seems like the right balance here. [String/UUID change made/needed]: None.
Attachment #8777600 - Flags: approval-mozilla-aurora?
Comment on attachment 8777600 [details] [diff] [review] expose_savedstacks-v0.diff Fix has stabilized on Nightly for a few weeks, Aurora50+
Attachment #8777600 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
You need to log in before you can comment on or make changes to this bug.