Closed Bug 1291928 Opened 6 years ago Closed 6 years ago

Add a missing Expose for JSSavedStack::mStack


(Core :: DOM: Core & HTML, defect)

Not set



Tracking Status
firefox50 --- fixed
firefox51 --- fixed


(Reporter: terrence, Assigned: terrence)




(1 file)

I finally got the ExposeToActiveJS GC zeal mode more or less working. Before the browser even starts, we hit an error with a stack containing mozilla::dom::PromiseJobCallback::Call, which is at least proximate to the stacks from W(2) in our landing yesterday. The gray value is right in a rooted, which we can trivially follow backwards to a missing Expose call, as per the attached patch.
Attachment #8777600 - Flags: review?(bzbarsky)
Comment on attachment 8777600 [details] [diff] [review]

r=me.  Good catch!  Also, good to know about the zeal mode.  ;)
Attachment #8777600 - Flags: review?(bzbarsky) → review+
Unfortunately, it's still not in a landable state. I opened the tree of bugs at [1] to try to get our runtime marking code to a place where it's sane to add more complexity. It also is too slow to open a browser window. Stuff starts timing out, even with an allocation gap of 100000. Not really surprising I suppose. Instead we'll have to use it via TestingFunctions once the browser is already loaded, which I believe is how browser fuzzing happens anyway. 

Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla51
Depends on: 1300650
Depends on: 1300871
No longer depends on: 1300650
No longer depends on: 1300871
Comment on attachment 8777600 [details] [diff] [review]

Approval Request Comment
[Feature/regressing bug #]: Incremental CC, found by the assertions in bug 1283634.
[User impact if declined]: Intermittent crashes.
[Describe test coverage new/current, TreeHerder]: It's been on TH for a week and no longer hits the assertions.
[Risks and why]: There was a slow trickle of hard-to-exploit UAF crashes in previous branches caused by missing ExposeToActiveJS barriers in a few places. We added an assertion that catches these in bug 1283634. We'd like to uplift the fixes to Aurora to solve the crashes 6 weeks earlier than we otherwise might. The impact is relatively low, but the patches are also extremely simple and low risk. Aurora seems like the right balance here.
[String/UUID change made/needed]: None.
Attachment #8777600 - Flags: approval-mozilla-aurora?
Comment on attachment 8777600 [details] [diff] [review]

Fix has stabilized on Nightly for a few weeks, Aurora50+
Attachment #8777600 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Depends on: 1305236
You need to log in before you can comment on or make changes to this bug.