Open Bug 1523268 (PHC) Opened 3 years ago Updated 4 days ago

[meta] PHC (Probabilistic Heap Checker): a port of Chromium's GWP-ASan project to Firefox

(Core :: Memory Allocator, enhancement, P2)

(Reporter: decoder, Assigned: decoder)

(Depends on 3 open bugs)

(Keywords: meta, sec-want)

The GWP-ASan project is a debug tool written by Google for Chrome. Its purpose is to detect certain types of memory errors (including use-after-free). Unlike regular AddressSanitizer (ASan), the GWP-ASan project does this in a more lightweight and sampled way, meaning that each allocation is only checked with a certain probability.

The overall goal of our project is to port GWP-ASan to Firefox, including crash reporter support, and deploy it to various channels, depending on how performance works out.

Depends on: 1523276
Depends on: 1523278
Priority: -- → P3
Depends on: 1567065
Alias: gwp-asan → PHC
Summary: [meta] Port the GWP-ASan project to Firefox → [meta] PHC (Probabilistic Heap Checker): a port of Chromium's GWP-ASan project to Firefox
Depends on: 1569862
Depends on: 1569864
Depends on: 1574388
Depends on: 1574390
Depends on: 1428235
Depends on: 1576515
No longer depends on: 1569862
No longer depends on: 1574388
No longer depends on: 1523276

Is this bug also going to be used to track crashes found with PHC, or is there a separate meta for that?

It is currently being used to track crashes, but if someone wanted to create a separate bug for that I wouldn't object.

Depends on: 1604335
Depends on: 1614875
Depends on: 1618158
Depends on: 1633112
Depends on: 1679430

Notes from discussion:

  • It might be handy to have some way to mark certain allocations as having a higher probability of being covered by PHC, but this may need significant code work.
  • It may be useful to apply PHC selectively to some processes (especially wrt Fission), but then make the "backlog" of not-freed-to-the-OS allocations much larger to increase the probability of finding UAF.
Severity: major → S4
Priority: P3 → P2
Component: General → Memory Allocator
Product: Firefox → Core
Depends on: 1712084
Depends on: 1631981
Depends on: 1741905