Closed Bug 1618131 Opened 5 years ago Closed 5 years ago

Improve compacting GC assertions and poisoning

(Core :: JavaScript: GC, task, P1)

RESOLVED FIXED
mozilla75
Tracking Status
firefox-esr68 --- fixed
firefox75 --- fixed

People

(Reporter: jonco, Assigned: jonco)

These patches were originally written for bug 1600895.

This makes sure we will detect use of the contents of moved GC things during the update phase of the GC, not just when we return to the mutator as previously. Annoyingly we need to preserve contents for native objects with fixed elements because the elements flags are stored there and these may be accessed from other objects if they are COW elements.

This caught a use of unforwarded scripts during invalidation caused by OOM during sweeping type information.
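As an added illustration (not code from these patches or from SpiderMonkey), the toy C++ cell below models the two checks described above: the old copy of a moved thing is poisoned as soon as it is relocated, except for the elements flags word that a COW sharer may still read, and the update phase asserts that it never touches an old copy. The layout, the names and the poison byte are all assumptions.

```cpp
// Added illustration (not SpiderMonkey's code): a toy cell layout showing the two
// checks from the bug, early poisoning of a moved thing's old copy (sparing the
// elements flags) and the rule that only unmoved things or new copies get updated.
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <cstring>

constexpr uint8_t kMovedPoison = 0x4F;  // hypothetical poison byte

struct Cell {
  uintptr_t forward;       // 0 while unmoved; address of the new copy | 1 once moved
  uint32_t elementsFlags;  // stands in for fixed-elements flags a COW sharer may still read
  Cell* ref;               // an edge to another GC thing that the update phase fixes up
  uint8_t payload[24];     // everything else: never valid to read from an old copy

  bool isForwarded() const { return forward & 1; }
  Cell* forwardedTo() const { return reinterpret_cast<Cell*>(forward & ~uintptr_t(1)); }
};

// Move |from| to |to|, leave a forwarding pointer and poison the old contents at
// once, so a stale read during the update phase lands on poison instead of data.
// The flags word is deliberately left intact, as the bug comment explains.
Cell* relocate(Cell* from, Cell* to) {
  std::memcpy(to, from, sizeof(Cell));
  to->forward = 0;
  from->forward = reinterpret_cast<uintptr_t>(to) | 1;
  std::memset(&from->ref, kMovedPoison, sizeof(Cell) - offsetof(Cell, ref));
  return to;
}

// Resolve a possibly stale pointer to the live copy.
Cell* maybeForwarded(Cell* c) { return c->isForwarded() ? c->forwardedTo() : c; }

// The invariant asserted during compaction: an old copy is never updated.
bool canUpdateInPlace(const Cell* c) { return !c->isForwarded(); }

// Update phase: fix up |holder|'s edge. The assert is what turns a stale-holder
// bug into an immediate failure rather than a silent write into dead memory.
void updateEdge(Cell* holder) {
  assert(canUpdateInPlace(holder));
  holder->ref = maybeForwarded(holder->ref);
}

bool payloadPoisoned(const Cell* c) {
  for (uint8_t b : c->payload) if (b != kMovedPoison) return false;
  return true;
}
```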

Pushed by jcoppeard@mozilla.com:
  https://hg.mozilla.org/integration/autoland/rev/86e126a20395 Assert that compacting GC only ever updates unmoved GC things or new copies of moved things and never the old copy r=jandem
  https://hg.mozilla.org/integration/autoland/rev/e3c661a8798f Poison moved GC thing contents sooner r=jandem

Pushed by jcoppeard@mozilla.com:
  https://hg.mozilla.org/integration/autoland/rev/d9a9dd047d64 Assert that compacting GC only ever updates unmoved GC things or new copies of moved things and never the old copy r=jandem
  https://hg.mozilla.org/integration/autoland/rev/ea0a05b19edb Poison moved GC thing contents sooner r=jandem
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla75
Flags: needinfo?(jcoppeard)
Regressions: 1618880

Comment on attachment 9129086 [details]
Bug 1618131 - Poison moved GC thing contents sooner r=jandem

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration: Required for bug 1618880. This is a possible GC crash / security vulnerability.
  • User impact if declined: Possible GC crash / security vulnerability.
  • Fix Landed on Version: 75
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): This is a small patch that adds some debug-only poisoning and forwards some GC pointers in a couple of places.
  • String or UUID changes made by this patch: None
Attachment #9129086 - Flags: approval-mozilla-esr68?

Comment on attachment 9129086 [details]
Bug 1618131 - Poison moved GC thing contents sooner r=jandem

Prereq patch needed for bug 1618880. Approved for 68.7esr.

Attachment #9129086 - Flags: approval-mozilla-esr68? → approval-mozilla-esr68+