Add a missing Expose for JSSavedStack::mStack

RESOLVED FIXED in Firefox 50

Status

()

defect
RESOLVED FIXED
3 years ago
3 years ago

People

(Reporter: terrence, Assigned: terrence)

Tracking

Trunk
mozilla51
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(firefox50 fixed, firefox51 fixed)

Details

Attachments

(1 attachment)

I finally got the ExposeToActiveJS GC zeal mode more or less working. Before the browser even starts, we hit an error with a stack containing mozilla::dom::PromiseJobCallback::Call, which is at least proximate to the stacks from W(2) in our landing yesterday. The gray value is right in a rooted, which we can trivially follow backwards to a missing Expose call, as per the attached patch.
Attachment #8777600 - Flags: review?(bzbarsky)
Comment on attachment 8777600 [details] [diff] [review]
expose_savedstacks-v0.diff

r=me.  Good catch!  Also, good to know about the zeal mode.  ;)
Attachment #8777600 - Flags: review?(bzbarsky) → review+
Unfortunately, it's still not in a landable state. I opened the tree of bugs at [1] to try to get our runtime marking code to a place where it's sane to add more complexity. It also is too slow to open a browser window. Stuff starts timing out, even with an allocation gap of 100000. Not really surprising I suppose. Instead we'll have to use it via TestingFunctions once the browser is already loaded, which I believe is how browser fuzzing happens anyway. 

1- https://bugzilla.mozilla.org/showdependencytree.cgi?id=1290603&hide_resolved=1
https://hg.mozilla.org/mozilla-central/rev/492d8382a49c
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla51
Depends on: 1300650
Depends on: 1300871
No longer depends on: 1300650
No longer depends on: 1300871
Comment on attachment 8777600 [details] [diff] [review]
expose_savedstacks-v0.diff

Approval Request Comment
[Feature/regressing bug #]: Incremental CC, found by the assertions in bug 1283634.
[User impact if declined]: Intermittent crashes.
[Describe test coverage new/current, TreeHerder]: It's been on TH for a week and no longer hits the assertions.
[Risks and why]: There was a slow trickle of hard-to-exploit UAF crashes in previous branches caused by missing ExposeToActiveJS barriers in a few places. We added an assertion that catches these in bug 1283634. We'd like to uplift the fixes to Aurora to solve the crashes 6 weeks earlier than we otherwise might. The impact is relatively low, but the patches are also extremely simple and low risk. Aurora seems like the right balance here.
[String/UUID change made/needed]: None.
Attachment #8777600 - Flags: approval-mozilla-aurora?
Comment on attachment 8777600 [details] [diff] [review]
expose_savedstacks-v0.diff

Fix has stabilized on Nightly for a few weeks, Aurora50+
Attachment #8777600 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Depends on: 1305236
You need to log in before you can comment on or make changes to this bug.