Closed Bug 1652891 Opened 5 years ago Closed 5 years ago

WeakMap key delegate could fail to preserve key if map zone is not collected

Categories

(Core :: JavaScript: GC, defect, P3)

Product:
Core
Component:
JavaScript: GC
Type:
defect

Tracking

()

Status:
RESOLVED INVALID

People

(Reporter: sfink, Unassigned)

Details

Say you have a weakmap -- in this case, it'll need to be a DebuggerWeakMap -- with a key that has a delegate, and the map, key, and delegate are all in different zones. You collect the key and delegate zones, but not the map zone.

There are no other edges to the key, but the delegate is very much alive.

As a result, you never scan the map, so the delegate will not preserve the key. The key will die, the weakmap entry will be swept.

Later, you look up the delegate (wrapped into a CCW in the original key compartment) and fail to find it.

I can't figure out why this wouldn't happen, though I'm also not good enough at the Debugger API to construct this scenario. I may be wrong. Perhaps the Debugger manages to scan its weakmaps in this case?

When the delegate zone enters weak marking mode, it will scan its gcWeakKeys. But it won't be populated in this case, because the map was never traced.

At least the observed behavior would just be the loss of expandos on a Debugger.Object, not a UAF.

Handled in https://searchfox.org/mozilla-central/rev/1b95a0179507a4dc7d4b0c94c2df420dc1a72885/js/src/debugger/Debugger.cpp#3621-3656

Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → INVALID
You need to log in before you can comment on or make changes to this bug.