GC issue in jsshell with `addMarkObservers`
Categories
(Core :: JavaScript: GC, defect, P1)
Tracking

| | Tracking | Status |
|---|---|---|
| firefox80 | --- | fixed |
People
(Reporter: cffsmith, Assigned: jonco)
Details
Attachments
(1 file)
This sample triggers a GC issue, accessing already free-poisoned memory, which seems to result from a call to the addMarkObservers builtin. This is triggered during fuzzing even with the --fuzzing-safe flag enabled.
```js
function main() {
    // Property descriptor whose getter is the Object constructor: invoking it
    // as a getter returns a brand-new (nursery-allocated) object.
    const v3 = {get: Object};
    // Install that getter as element 0 of the Object function itself.
    const v5 = Object.defineProperty(Object, 0, v3);
    // Shell-only builtin: reads element 0 of its first argument, which runs the getter.
    addMarkObservers(Object, -1);
    gc();
}
main();
```
It fails on the following assertion:
Assertion failure: flags() == 0, at /home/builder/firefox/js/src/gc/Cell.h:737
This is very likely not a security issue, as it requires access to the addMarkObservers builtin, but I am filing this as a security issue just in case it can be triggered through a different method.
Comment 1 • 4 years ago

Jon, since this seems to be a GC issue I am moving it to the GC category. Could you take a look at this?
Updated • 4 years ago (Assignee)
Comment 2 • 4 years ago

This is a shell-only problem in addMarkObservers.
Comment 3 • 4 years ago

The problem is that it's not enough to evict the nursery once at the start of addMarkObservers, since JS_GetElement can end up running a getter that creates new objects.
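The hazard described in this comment, as an added illustration that is not SpiderMonkey code: a loop that establishes "nothing I hold is in the nursery" once, then calls back into script on every iteration, can have that precondition silently broken by an allocating getter. The toy heap below (constructed for this example; `Heap`, `Cell`, `Getter` and both `addObservers*` functions are assumptions, not the shell's real API) models the nursery as a list of cells with a tenured flag rather than a moving allocator. The evict-once variant mirrors the original bug; the per-argument variant mirrors the fix in the autoland commit message further down.

```cpp
#include <functional>
#include <vector>

// Toy GC cell: lives in the nursery until evicted (tenured). Constructed model only.
struct Cell {
    int id;
    bool tenured;
};

// Minimal heap with a nursery and a tenured list. Real nursery eviction moves
// objects and updates pointers; here we only flip the flag, which is enough to
// show when the "not in nursery" invariant breaks.
struct Heap {
    std::vector<Cell*> nursery;
    std::vector<Cell*> tenured;
    int next = 0;

    Cell* allocate() {
        Cell* c = new Cell{next++, false};
        nursery.push_back(c);
        return c;
    }
    bool isInsideNursery(const Cell* c) const { return !c->tenured; }
    void evictNursery() {
        for (Cell* c : nursery) {
            c->tenured = true;
            tenured.push_back(c);
        }
        nursery.clear();
    }
    ~Heap() {
        for (Cell* c : nursery) delete c;
        for (Cell* c : tenured) delete c;
    }
};

// Stand-in for JS_GetElement: fetching an element may run arbitrary script
// (a getter), and that script may allocate.
using Getter = std::function<Cell*(Heap&)>;

// Buggy pattern: evict once up front, then assume every element seen is tenured.
// Returns true only if the invariant held for every collected observer.
bool addObserversEvictOnce(Heap& heap, const std::vector<Getter>& elements,
                           std::vector<Cell*>& out) {
    heap.evictNursery();
    for (const Getter& get : elements) {
        Cell* obj = get(heap);              // may allocate a fresh nursery cell
        if (heap.isInsideNursery(obj)) {
            return false;                   // invariant broken: would store a nursery pointer
        }
        out.push_back(obj);
    }
    return true;
}

// Fixed pattern: re-check each element after the callback and evict as needed.
bool addObserversEvictPerArg(Heap& heap, const std::vector<Getter>& elements,
                             std::vector<Cell*>& out) {
    for (const Getter& get : elements) {
        Cell* obj = get(heap);
        if (heap.isInsideNursery(obj)) {
            heap.evictNursery();            // tenure it before keeping the pointer
        }
        if (heap.isInsideNursery(obj)) {
            return false;                   // cannot happen after eviction in this model
        }
        out.push_back(obj);
    }
    return true;
}

// Constructed scenario modelled on the testcase: one pre-existing object, then an
// element whose getter behaves like `Object` called as a getter and returns a new object.
std::vector<Getter> constructedElements(Cell* existing) {
    return {
        [existing](Heap&) { return existing; },
        [](Heap& h) { return h.allocate(); },
    };
}

int main() {
    Heap heap;
    Cell* existing = heap.allocate();
    std::vector<Cell*> out;
    // Returns false: the second getter allocated after the one-time eviction.
    bool ok = addObserversEvictOnce(heap, constructedElements(existing), out);
    return ok ? 1 : 0;
}
```

The point of the model is the ordering: any check done before a call that can run script must be redone after it, because the callback is free to allocate (or, in a real engine, trigger a collection).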
Updated • 4 years ago

Pushed by jcoppeard@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/2cded7ee7fb2
Make addMarkObservers evict the nursery for every nursery-allocated argument it finds r=sfink
Comment 5 • 4 years ago

bugherder