Closed
Bug 1446372
Opened 6 years ago
Closed 3 years ago
Audit interaction of Nursery and TI
Categories
(Core :: JavaScript Engine, enhancement, P2)
Core
JavaScript Engine
Tracking
()
RESOLVED
FIXED
People
(Reporter: tcampbell, Unassigned)
References
Details
(Keywords: sec-audit)
Jan and I are investigating some potential issues with TI and GC interactions. Currently we have TypeRefSet entries in StoreBuffer to link type data and nursery objects. The TI data is *not* a GCThing and actually is moved/compacted during incremental sweep. Generally, things all work out fine, but the reasons are very fragile. Eg. Bug 1407143 will potentially open us up to corruption.
|
Reporter | |
Comment 1•6 years ago
|
||
One concern is |ConstraintDataFreezeObjectForTypedArrayData::obj|. Currently TypeSetRef::sweep will visit this, but TypeSetRef::trace(TenuringTracer) will miss it. This may lead to stale GC pointers.
|
||
Updated•6 years ago
|
Priority: -- → P1
|
|
Reporter | |
Comment 2•6 years ago
|
||
(In reply to Ted Campbell [:tcampbell] from comment #1) > One concern is |ConstraintDataFreezeObjectForTypedArrayData::obj|. Currently > TypeSetRef::sweep will visit this, but TypeSetRef::trace(TenuringTracer) > will miss it. This may lead to stale GC pointers. This is addressed by |StoreBuffer::setShouldCancelIonCompilations()| being set before adding any from TI to nursery objects. Of course this raises the follow-up questions of "Is is possible the cancel compilation mechanism has a bug?" and "Is it possible we missing a |ConstraintTypeSet::postWriteBarrier|?". For the first one we should probably add a RELEASE_ASSERT in the Ion Linker that the StoreBuffer hasn't indicated Ion compiles should be cancelled. For the second one, I just need to audit the sites that add types or group object sets.
|
|
Reporter | |
Comment 3•6 years ago
|
||
postWriteBarriers look currently used for all TypeSet::add (that aren't TemporaryTypeSet). We allow Ion compiles to complete while having nursery pointers since they will be caught in sweep. As far as I can tell, it all looks right, and I don't see any accidental regressions over the years. Hopefully the TI poisoning assert gives something useful.
|
|
||
Updated•6 years ago
|
Priority: P1 → P2
|
|
Reporter | |
Comment 4•3 years ago
|
||
The solution to this complex mess was to remove TI entirely
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
|
||
Updated•3 years ago
|
Group: javascript-core-security → core-security-release
|
||
Updated•2 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•