Closed Bug 1652583 Opened 5 years ago Closed 5 years ago

Potential issue with WeakMap collection with uncollected value zone

Categories

(Core :: JavaScript: GC, defect, P1)

Product:
Core
Component:
JavaScript: GC
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla80
Tracking Flags:
Tracking Status
firefox80 --- fixed

People

(Reporter: sfink, Assigned: sfink)

Details

(Keywords: sec-audit, Whiteboard: [adv-main80-])

Attachments

(1 file)

Bug 1652583 - Check that WeakMaps (and subclasses) are same-zone with their values
47 bytes, text/x-phabricator-request
Details | Review

In looking at bug 1647747, I realized I'm not sure how this stuff works in some cross-zone cases. Specifically, consider the case where the value is in a different zone from the map. The value zone is being collected, but the map zone is not. If a WeakMap entry is the only thing keeping a value alive, then it seems like the value would not be marked and would end up getting swept, leaving a dangling pointer (and UAF).

In practice, it seems like we mostly avoid this: a regular WeakMap appears to normally be same-zone with its keys and values, and a DebuggerWeakMap is same-zone with its values. Except that a regular WeakMap might have a value in the atoms compartment, and I don't know why that couldn't result in the above scenario.

I attempted to construct a shell test that would trigger this, and it did not fail, so perhaps we have some kind of backstop that kicks in here. I haven't stepped through it yet to understand why.

Ah. There's a shape that holds an edge to my atom. I'll need to come up with a trickier way of getting something into the atoms zone.

A Symbol works better, but I still haven't managed to trigger a failure. Need to look into it more.

Group: core-security → javascript-core-security

It it's just the atoms zone, then the atom marking bitmap handles that. We mark atoms that are referenced by uncollected zones in AtomMarkingRuntime::markAtomsUsedByUncollectedZones.

Yeah, you're right. It still feels a little fragile, but I guess the per-Zone atom marking bitmap kind of serves the same purpose as the cross-compartment wrapper map in terms of being sort of a store buffer for incoming edges.

So this depends on values either being same-zone with the map, or being in the atoms zone. I have a patch that checks this, and it seems to hold.

Assignee: nobody → sphink
Status: NEW → ASSIGNED

Filed bug 1652891 for the original problem I was worried about, which is what got me to thinking about this one.

Severity: -- → S4
Priority: -- → P1
Keywords: sec-audit

Weakmaps are all same-zone with their values, which avoids this issue. I'll be landing the patch that asserts this.

Group: javascript-core-security
Pushed by sfink@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/106aaee30016 Check that WeakMaps (and subclasses) are same-zone with their values r=jonco

https://hg.mozilla.org/mozilla-central/rev/106aaee30016

Status: ASSIGNED → RESOLVED
Closed: 5 years ago
status-firefox80: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla80
Whiteboard: [adv-main80-]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: