GC issue in jsshell with `addMarkObservers`
Categories
(Core :: JavaScript: GC, defect, P1)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox80 | --- | fixed |
People
(Reporter: cffsmith, Assigned: jonco)
Details
Attachments
(1 file)
This sample triggers a gc issue, accessing already free-poisoned memory, which seems to result from a call to the addMarkObservers builtin. This is triggered during fuzzing even with the --fuzzing-safe flag enabled.
function main() {
const v3 = {get:Object};
const v5 = Object.defineProperty(Object,0,v3);
addMarkObservers(Object, -1)
gc();
}
main();
It fails on the following assertion:
Assertion failure: flags() == 0, at /home/builder/firefox/js/src/gc/Cell.h:737
This is very likely no security issue as it requires access to the addMarkObservers builtin but I am filing this as a security issue just in case it can be triggered through a different method.
|
||
Comment 1•4 years ago
|
||
Jon, since this seems to be a GC issue I moving to the GC category, could you take a look at this?
|
||
Updated•4 years ago
|
|
Assignee | |
Comment 2•4 years ago
|
||
This is shell-only problem in addMarkObservers.
|
|
Assignee | |
Comment 3•4 years ago
|
||
The problem is that it's not enough to evit the nursery once at the start of addMarkObservers since JS_GetElement can end up running a getter that creates new objects.
|
||
Updated•4 years ago
|
Pushed by jcoppeard@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/2cded7ee7fb2 Make addMarkObservers evict the nursery for every nursery-allocated argument it finds r=sfink
|
||
Comment 5•4 years ago
|
||
| bugherder | ||
Description
•