WeakMaps can become gray after being marked black
Categories
(Core :: JavaScript: GC, defect, P1)
Tracking
()
People
(Reporter: jonco, Assigned: jonco)
References
(Regression)
Details
(Keywords: csectype-other, sec-moderate, Whiteboard: [post-critsmash-triage][adv-main68+])
Attachments
(1 file, 1 obsolete file)
|
47 bytes,
text/x-phabricator-request
|
jcristau
:
approval-mozilla-beta+
|
Details | Review |
I added some more tests for weak map marking and ran into a bug: if we mark a weak map gray after it has already been marked black, it changes colour black to gray. This should not happen. (This refers to the weak map's internal concept of its color, not that of its associated JSObject).
I don't know how it would be possible to exploit this but it makes sense to hide this just in case.
|
||
Comment 1•5 years ago
|
||
It feels like the worst that can happen here is a reference from a black object to a gray object, but I think the worst that can do is a "use after unlink", which will result null pointer dereferences, unless there are other bugs in code, so I'll mark it sec-moderate.
|
|
||
Updated•5 years ago
|
|
Assignee | |
Comment 2•5 years ago
|
||
We shouldn't allow a weak map to become gray after it has already been marked black.
Depends on D30948
|
|
Assignee | |
Comment 3•5 years ago
|
||
This releases all foreground finalized arenas at the end of sweeping the sweep group rather than at the end of sweeping the zone (for objects) or immediately (for everything else) as happens currently. This simplifies the code in a couple of places and I don't think it will have any noticeable effects.
|
|
Assignee | |
Updated•5 years ago
|
|
|
Assignee | |
Comment 4•5 years ago
|
||
Comment on attachment 9065353 [details]
Bug 1552118 - Don't release foreground finalized arenas until the end of sweeping the zone group r=sfink
I uploaded this patch to the wrong bug though - this is a fix for bug 1552118.
|
||
Updated•5 years ago
|
|
|
||
Updated•5 years ago
|
|
|
||
Comment 5•5 years ago
|
||
Comment on attachment 9065353 [details]
Bug 1552118 - Don't release foreground finalized arenas until the end of sweeping the zone group r=sfink
Revision D31415 was moved to bug 1552118. Setting attachment 9065353 [details] to obsolete.
|
|
Assignee | |
Comment 6•5 years ago
|
||
|
||
Comment 7•5 years ago
|
||
|
|
||
Updated•5 years ago
|
|
||
Comment 8•5 years ago
|
||
I'm guessing we'll want to nominate this for Beta uplift at least. Do we want this on ESR60 also?
|
|
Assignee | |
Comment 9•5 years ago
|
||
Comment on attachment 9065345 [details]
Bug 1551907 - Fix interaction between gray unmarking and weakmap marking r=sfink
Beta/Release Uplift Approval Request
- User impact if declined: Possible crash / security vulnerability.
- Is this code covered by automated tests?: Yes
- Has the fix been verified in Nightly?: Yes
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): The change to the code is very simple and is covered by additional tests in the patch.
- String changes made/needed:
|
|
Assignee | |
Comment 10•5 years ago
|
||
Comment on attachment 9065345 [details]
Bug 1551907 - Fix interaction between gray unmarking and weakmap marking r=sfink
ESR Uplift Approval Request
- If this is not a sec:{high,crit} bug, please state case for ESR consideration: I don't know how easy this would be to trigger but it has the potential to be a crash / security vulnerability. The fix is simple so it would be nice to take this.
- User impact if declined: Possible crash / security vulnerability.
- Fix Landed on Version: 69
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): This is a simple change that is covered by tests in the patch.
- String or UUID changes made by this patch:
|
||
Comment 11•5 years ago
|
||
Comment on attachment 9065345 [details]
Bug 1551907 - Fix interaction between gray unmarking and weakmap marking r=sfink
sec fix in GC, approved for 68.0b4
|
|
||
Comment 12•5 years ago
|
||
The patch has conflicts with bug 1551275. Please provide a patch which applies cleanly.
|
|
Assignee | |
Comment 13•5 years ago
|
||
(In reply to Sebastian Hengst [:aryx] (needinfo on intermittent or backout) from comment #12)
Sorry, this does require uplift of bug 1551275. I'll request.
|
|
||
Comment 14•5 years ago
|
||
| uplift | ||
|
|
||
Updated•5 years ago
|
|
||
Updated•5 years ago
|
|
|
||
Updated•5 years ago
|
|
|
||
Comment 15•5 years ago
|
||
Comment on attachment 9065345 [details]
Bug 1551907 - Fix interaction between gray unmarking and weakmap marking r=sfink
Fixes a possibly s-s GC crash. Includes automated tests. Approved for 60.8esr.
|
|
||
Comment 16•5 years ago
|
||
Please provide a patch for ESR60. There are conflicts due to bug 1479388 (at least).
|
|
Assignee | |
Comment 17•5 years ago
|
||
Turns out that this bug was introduced in bug 1463462 with landed in FF66 so the backport is not required.
|
|
Assignee | |
Updated•5 years ago
|
|
|
||
Updated•5 years ago
|
|
|
||
Updated•5 years ago
|
|
||
Updated•5 years ago
|
|
||
Updated•4 years ago
|
|
||
Updated•2 years ago
|
Description
•