Closed
Bug 1323241
Opened 8 years ago
Closed 8 years ago
Don't report that cells are gray when we don't know
Categories
(Core :: JavaScript: GC, defect)
Core
JavaScript: GC
Tracking
()
RESOLVED
FIXED
mozilla53
People
(Reporter: jonco, Assigned: jonco)
References
Details
(Keywords: sec-moderate, Whiteboard: [post-critsmash-triage][adv-main52+])
Attachments
(2 files)
|
12.47 KB,
patch
|
sfink
:
review+
|
Details | Diff | Splinter Review |
|
12.59 KB,
patch
|
jcristau
:
approval-mozilla-beta+
|
Details | Diff | Splinter Review |
The gray marking state can become invalid if we OOM while unmarking gray. In that case we could report things as gray when they are not. I guess that makes this s-s since the cycle collector may consider them for collection incorrectly.
This patch changes the API functions to just return false if the gray marking state is invalid.
I moved the validity flag from GCRuntime to the shadow runtime so that we could carry on inling the IsMarkedGray checks. I'm not sure that's essential.
Attachment #8818324 -
Flags: review?(sphink)
|
||
Updated•8 years ago
|
Attachment #8818324 -
Attachment is patch: true
|
|
||
Updated•8 years ago
|
Keywords: sec-moderate
|
||
Comment 1•8 years ago
|
||
Comment on attachment 8818324 [details] [diff] [review]
gray-marking-validity
Review of attachment 8818324 [details] [diff] [review]:
-----------------------------------------------------------------
Finally noticing the review requests buried in my secure bugmail. Sorry for the delay. Looks good to me.
Attachment #8818324 -
Flags: review?(sphink) → review+
|
||
Comment 2•8 years ago
|
||
Backed out from inbound for causing frequent GC crashes as noted in bug 1329359.
https://hg.mozilla.org/integration/mozilla-inbound/rev/d57eaa1f1bd99363e66fc1fe9359c6189acbe26d
https://treeherder.mozilla.org/logviewer.html#?job_id=66966501&repo=mozilla-inbound
https://treeherder.mozilla.org/logviewer.html#?job_id=66975242&repo=mozilla-inbound
https://treeherder.mozilla.org/logviewer.html#?job_id=66981825&repo=mozilla-inbound
https://treeherder.mozilla.org/logviewer.html#?job_id=66969499&repo=mozilla-inbound
https://treeherder.mozilla.org/logviewer.html#?job_id=66966777&repo=mozilla-inbound
https://treeherder.mozilla.org/logviewer.html#?job_id=66965883&repo=mozilla-inbound
etc
|
Assignee | |
Comment 3•8 years ago
|
||
Status: NEW → RESOLVED
Closed: 8 years ago
status-firefox53:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla53
|
||
Updated•8 years ago
|
Group: javascript-core-security → core-security-release
|
|
Assignee | |
Comment 6•8 years ago
|
||
Approval Request Comment
[Feature/Bug causing the regression]: Since forever.
[User impact if declined]: Possible crashes / spurious assertion failures in testing.
[Is this code covered by automated tests?]: Yes.
[Has the fix been verified in Nightly?]: Yes.
[Needs manual test from QE? If yes, steps to reproduce]: No.
[List of other uplifts needed for the feature/fix]: None.
[Is the change risky?]: No.
[Why is the change risky/not risky?]: It's a fairly simple change to report GC things as gray less often. It's been on m-c since 9th Jan.
[String changes made/needed]: None.
Flags: needinfo?(jcoppeard)
Attachment #8833269 -
Flags: approval-mozilla-beta?
|
||
Comment 7•8 years ago
|
||
Attachment #8833269 -
Flags: approval-mozilla-beta? → approval-mozilla-beta+
|
|
||
Comment 8•8 years ago
|
||
| uplift | ||
status-firefox52:
--- → fixed
|
|
||
Comment 9•8 years ago
|
||
status-firefox-esr52:
--- → fixed
|
||
Updated•8 years ago
|
Flags: qe-verify-
Whiteboard: [post-critsmash-triage]
|
||
Updated•8 years ago
|
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main52+]
|
|
||
Updated•7 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•