Bug 1291928 - Add a missing Expose for JSSavedStack::mStack
Status: RESOLVED FIXED (Closed)
Opened 8 years ago; closed 8 years ago
Product / Component: Core :: DOM: Core & HTML (defect)
Target Milestone: mozilla51
Reporter: terrence; Assignee: terrence
Attachments (1 file): expose_savedstacks-v0.diff (patch, 866 bytes); bzbarsky: review+; ritu: approval-mozilla-aurora+
Description•8 years ago (Reporter)
I finally got the ExposeToActiveJS GC zeal mode more or less working. Before the browser even starts, we hit an error with a stack containing mozilla::dom::PromiseJobCallback::Call, which is at least proximate to the stacks from W(2) in our landing yesterday. The gray value is right in a rooted, which we can trivially follow backwards to a missing Expose call, as per the attached patch.
Attachment #8777600 -
Flags: review?(bzbarsky)
Comment 1•8 years ago
Comment on attachment 8777600 [details] [diff] [review] expose_savedstacks-v0.diff
r=me. Good catch! Also, good to know about the zeal mode. ;)
Attachment #8777600 -
Flags: review?(bzbarsky) → review+
Comment 2•8 years ago (Assignee)
https://hg.mozilla.org/integration/mozilla-inbound/rev/492d8382a49c86b16f758edb67b46d061adac5fc
Bug 1291928 - Expose JSSavedStack's stack before returning; r=bz
Comment 3•8 years ago (Assignee)
Unfortunately, it's still not in a landable state. I opened the tree of bugs at [1] to try to get our runtime marking code to a place where it's sane to add more complexity. It also is too slow to open a browser window. Stuff starts timing out, even with an allocation gap of 100000. Not really surprising I suppose. Instead we'll have to use it via TestingFunctions once the browser is already loaded, which I believe is how browser fuzzing happens anyway.
1- https://bugzilla.mozilla.org/showdependencytree.cgi?id=1290603&hide_resolved=1
Comment 4•8 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/492d8382a49c
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla51
Comment 5•8 years ago (Assignee)
Comment on attachment 8777600 [details] [diff] [review] expose_savedstacks-v0.diff
Approval Request Comment
[Feature/regressing bug #]: Incremental CC, found by the assertions in bug 1283634.
[User impact if declined]: Intermittent crashes.
[Describe test coverage new/current, TreeHerder]: It's been on TH for a week and no longer hits the assertions.
[Risks and why]: There was a slow trickle of hard-to-exploit UAF crashes in previous branches caused by missing ExposeToActiveJS barriers in a few places. We added an assertion that catches these in bug 1283634. We'd like to uplift the fixes to Aurora to solve the crashes 6 weeks earlier than we otherwise might. The impact is relatively low, but the patches are also extremely simple and low risk. Aurora seems like the right balance here.
[String/UUID change made/needed]: None.
Attachment #8777600 -
Flags: approval-mozilla-aurora?
status-firefox50:
--- → affected
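Neither the 866-byte patch nor SpiderMonkey's barrier code is reproduced on this page. The block below is an added, self-contained C++ model, written for this page and not Mozilla's code, of the hazard the description and the approval request above describe: an unbarriered read hands a not-yet-marked object to running script between two incremental marking slices, the object is stored into an already-scanned (black) object, and sweep frees it while script still holds the pointer. The toy collector, the names `Heap`, `Obj`, `exposeToActiveJS`, `savedObjectSurvives`, and the `jsGlobal`/`holder`/`saved` scenario are all constructed assumptions; the real `JS::ExposeObjectToActiveJS` additionally handles cycle-collector gray unmarking, which is not modelled here.

```cpp
#include <cstddef>
#include <cstdio>
#include <deque>
#include <memory>
#include <string>
#include <vector>

// Toy tri-colour incremental mark/sweep collector (constructed for this
// example; not SpiderMonkey). White = unvisited, Gray = on the worklist,
// Black = scanned and will not be rescanned this cycle.
enum class Color { White, Gray, Black };

struct Obj {
    std::string name;
    Color color = Color::White;
    std::vector<Obj*> edges;   // outgoing references to other heap objects
    bool freed = false;        // set by sweep(); touching it afterwards is the UAF
};

class Heap {
public:
    Obj* alloc(const std::string& name) {
        objects_.push_back(std::make_unique<Obj>());
        objects_.back()->name = name;
        return objects_.back().get();
    }
    void addRoot(Obj* o) { roots_.push_back(o); }
    bool marking() const { return marking_; }

    // Begin an incremental GC: every root becomes gray and joins the worklist.
    void startGC() {
        marking_ = true;
        for (Obj* r : roots_) shade(r);
    }

    // One marking slice of at most `budget` objects. Returns true once the
    // worklist is empty, i.e. marking has finished.
    bool markSlice(std::size_t budget) {
        while (budget-- > 0 && !worklist_.empty()) {
            Obj* o = worklist_.front();
            worklist_.pop_front();
            for (Obj* child : o->edges) shade(child);
            o->color = Color::Black;
        }
        return worklist_.empty();
    }

    // Free everything still white; survivors reset to white for the next cycle.
    // Freed objects are kept as tombstones so a dangling pointer is detectable
    // deterministically instead of being real undefined behaviour.
    void sweep() {
        marking_ = false;
        for (auto& o : objects_) {
            if (o->color == Color::White) o->freed = true;
            else o->color = Color::White;
        }
    }

    // The read barrier this bug was about (modelled). A pointer pulled out of
    // the heap while marking is in progress may be stored anywhere, including
    // into a black object the collector will not rescan, so it must be marked
    // at the moment it is handed to the mutator.
    Obj* exposeToActiveJS(Obj* o) {
        if (marking_) shade(o);
        return o;
    }

private:
    void shade(Obj* o) {
        if (o->color == Color::White) {
            o->color = Color::Gray;
            worklist_.push_back(o);
        }
    }
    std::vector<std::unique_ptr<Obj>> objects_;
    std::vector<Obj*> roots_;
    std::deque<Obj*> worklist_;
    bool marking_ = false;
};

// Constructed scenario: a C++-side holder (standing in for a wrapper like
// JSSavedStack with its mStack member) returns its saved object to script
// between two marking slices. Returns true if the object script now holds
// survives the GC, false if script is left holding a freed object.
bool savedObjectSurvives(bool withBarrier) {
    Heap heap;
    Obj* jsGlobal = heap.alloc("jsGlobal");   // scanned first, so it goes black early
    Obj* holder   = heap.alloc("holder");     // C++ wrapper owning the saved object
    Obj* saved    = heap.alloc("saved");      // the value the getter returns
    holder->edges.push_back(saved);
    heap.addRoot(jsGlobal);
    heap.addRoot(holder);

    heap.startGC();
    heap.markSlice(1);   // scans only jsGlobal: it is black, holder gray, saved white

    // Mutator runs between slices: the getter returns the saved object, script
    // stores it in the already-black global, and the holder then drops its own
    // reference (the only gray path to `saved`), as when the wrapper is torn down.
    Obj* value = withBarrier ? heap.exposeToActiveJS(holder->edges[0])
                             : holder->edges[0];   // unbarriered read: the bug
    jsGlobal->edges.push_back(value);
    holder->edges.clear();

    while (!heap.markSlice(1)) {}   // finish marking; jsGlobal is never rescanned
    heap.sweep();
    return !jsGlobal->edges[0]->freed;
}

int main() {
    std::printf("without barrier: %s\n", savedObjectSurvives(false) ? "alive" : "use-after-free");
    std::printf("with barrier:    %s\n", savedObjectSurvives(true) ? "alive" : "use-after-free");
    return 0;
}
```

Without the barrier the `saved` object is white when sweep runs even though the black global points at it, which is exactly the tri-colour invariant violation that turns a missing Expose call into an intermittent use-after-free; with the barrier the read itself shades the object, so the remaining slices mark it and it survives.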
Comment 6•8 years ago
Comment on attachment 8777600 [details] [diff] [review] expose_savedstacks-v0.diff
Fix has stabilized on Nightly for a few weeks, Aurora50+
Attachment #8777600 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Comment 7•8 years ago
bugherder uplift
https://hg.mozilla.org/releases/mozilla-aurora/rev/404c54eecb4d