JSAutoTempValueRooter(...) is bad mojo

Status: RESOLVED FIXED
Product: Core
Component: JavaScript Engine
Priority: P1
Severity: critical
Reported: 8 years ago
Modified: 8 years ago

People

(Reporter: Waldo, Assigned: Waldo)

Tracking

Version: Trunk
Keywords: verified1.9.1
Points: ---
Bug Flags: blocking1.9.2+, wanted1.9.0.x-

Firefox Tracking Flags

(status1.9.2 beta1-fixed, blocking1.9.1 .4+, status1.9.1 .4-fixed)

Details

(Whiteboard: [sg:critical?] (possible gc race condition?) fixed-in-tracemonkey)

Attachments

(1 attachment)

Creates a root, immediately unroots, value expected to be protected, isn't.  Yikes.
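The failure named in the title and described above is a C++ object-lifetime hazard, not a logic error in the collector. The following is an added example (not code from this bug's patch or from SpiderMonkey) built on a hypothetical RootList and AutoRooter that mimic the register-on-construct, unregister-on-destruct behaviour of an RAII rooter: writing `AutoRooter(list, &value);` as a bare expression statement constructs an unnamed temporary, and C++ destroys that temporary at the end of the full-expression, so the root exists for exactly one statement. A named local keeps the root until scope exit. The actual call sites fixed by attachment 402673 are not on this page.

```cpp
// Added example: toy RAII rooter illustrating the "construct a temporary,
// lose the root immediately" pattern behind the bug title. RootList and
// AutoRooter are hypothetical stand-ins, not SpiderMonkey types.
#include <algorithm>
#include <iostream>
#include <vector>

// Stand-in for the engine's root list: the set of values the collector
// treats as live no matter what else references them.
struct RootList {
    std::vector<const int*> roots;
    bool isRooted(const int* v) const {
        return std::find(roots.begin(), roots.end(), v) != roots.end();
    }
};

// Stand-in for an auto-rooter: registers the value on construction and
// unregisters it on destruction, exactly like any RAII guard.
class AutoRooter {
public:
    AutoRooter(RootList& list, const int* v) : list_(list), v_(v) {
        list_.roots.push_back(v_);
    }
    ~AutoRooter() {
        auto it = std::find(list_.roots.begin(), list_.roots.end(), v_);
        if (it != list_.roots.end()) list_.roots.erase(it);
    }
    AutoRooter(const AutoRooter&) = delete;
    AutoRooter& operator=(const AutoRooter&) = delete;
private:
    RootList& list_;
    const int* v_;
};

// Simulated collection: a value survives only if it is currently rooted.
static bool survivesGC(const RootList& list, const int* v) {
    return list.isRooted(v);
}

// The buggy pattern. `AutoRooter(list, &value);` is an expression statement
// that builds an unnamed temporary; its destructor runs at the semicolon,
// so by the next line the root has already been removed.
bool buggyPatternProtectsValue() {
    RootList list;
    int value = 42;
    AutoRooter(list, &value);          // rooted, then unrooted, in one statement
    return survivesGC(list, &value);   // false: the value is unprotected here
}

// The intended pattern. A named local lives until the end of the enclosing
// block, so the root persists across whatever work follows.
bool namedRooterProtectsValue() {
    RootList list;
    int value = 42;
    AutoRooter root(list, &value);     // named: destroyed at scope exit
    return survivesGC(list, &value);   // true
}

// The named rooter still cleans up after itself once its scope ends.
bool namedRooterUnrootsAtScopeExit() {
    RootList list;
    int value = 42;
    {
        AutoRooter root(list, &value);
    }                                  // destructor runs here
    return !survivesGC(list, &value);  // true: root removed
}

int main() {
    std::cout << std::boolalpha
              << "temporary rooter protects value: " << buggyPatternProtectsValue() << "\n"
              << "named rooter protects value:     " << namedRooterProtectsValue() << "\n"
              << "named rooter unroots at exit:    " << namedRooterUnrootsAtScopeExit() << "\n";
    return 0;
}
```

Why this rates [sg:critical?]: a value the engine believes is rooted can be collected, and its storage reused, while native code still holds a reference to it, which is a use-after-free reachable from attacker-controlled script if the window between unrooting and use can be made to coincide with a collection. The compiler accepts the bare-temporary form without complaint, so the check is a review one: every use of an auto-rooter type must bind a named variable, never appear as a bare `Type(args);` statement.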
Created attachment 402673 [details] [diff] [review]
Patch
Attachment #402673 - Flags: review?(dvander)
Attachment #402673 - Flags: review?(dvander) → review+
http://hg.mozilla.org/tracemonkey/rev/33825a77eba8
Whiteboard: fixed-in-tracemonkey
Attachment #402673 - Flags: approval1.9.1.5?
Attachment #402673 - Flags: approval1.9.1.4?
Comment on attachment 402673 [details] [diff] [review]
Patch

This is minimal enough that it could easily be added to 1.9.1.4, if sufficient time remains, without any meaningful worries.  I leave it up to approvers to consider whether it's worthwhile -- it'd be hard to get the failure precisely so for it to matter, but I think it is worthwhile to do it now rather than give people extra time to play with this.

Since this is a C++-only failure 1.9.0 is not affected; I presume a 1.9.2 merge by sayrer will pick this up in due course.
Flags: blocking1.9.2?
Could use a merge to m-c, leaving to the traditional merger so as not to cross the streams...
If this is a potential security problem we should hide the bug. We've treated this kind of problem as potentially [sg:critical?] in the past so we should hide the bug until it's fixed.
Group: core-security
blocking1.9.1: --- → ?
status1.9.1: --- → wanted
Flags: wanted1.9.0.x-
Whiteboard: fixed-in-tracemonkey → [sg:critical?] (possible gc race condition?) fixed-in-tracemonkey
Comment on attachment 402673 [details] [diff] [review]
Patch

Approved for 1.9.1.4, a=dveditz for release-drivers

trivial fix, better safe than sorry.
Attachment #402673 - Flags: approval1.9.1.5?
Attachment #402673 - Flags: approval1.9.1.4?
Attachment #402673 - Flags: approval1.9.1.4+
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/eedb768cfbb8
status1.9.1: wanted → .4-fixed

Comment 8

8 years ago
looks like at least one person has hit this:

http://crash-stats.mozilla.com/report/index/a7412eac-60f6-4c0f-8706-ec6282090922
Verified for 1.9.1 in source.
Keywords: verified1.9.1
blocking1.9.1: ? → .4+

Updated

8 years ago
Flags: blocking1.9.2? → blocking1.9.2+

Updated

8 years ago
Priority: -- → P1

Comment 10

8 years ago
http://hg.mozilla.org/mozilla-central/rev/33825a77eba8
Status: ASSIGNED → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → FIXED

Comment 11

8 years ago
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/dc75d52e2357
status1.9.2: --- → beta1-fixed
Group: core-security