Closed Bug 541790 Opened 10 years ago Closed 10 years ago

Too early check for rt->gcKeepAtoms in js_GC


(Core :: JavaScript Engine, defect)

Not set



Tracking Status
blocking2.0 --- alpha1+
status1.9.2 --- ?
status1.9.1 --- ?


(Reporter: igor, Assigned: igor)



(Whiteboard: fixed-in-tracemonkey)


(1 file, 1 obsolete file)

This is a spin-off of the bug 538275 comment 34.

js_GC queries rt->gcKeepAtoms before it suspends all running requests. As such it may query the flag before another thread set it and then suspend its current requests, perhaps via calling the last-ditch GC or via calling js_InvokeOperationCallback.

In theory this could be exploited with thread-workers to circumvent the GC safety. The worker can, for example, constantly run Object.prototype.toSource or other code that relies rt->gcKeepAtoms for GC safety and that periodically calls js_InvokeOperationCallback. In the mean time the main thread can try to trigger the last-ditch GC. But it is highly non-trivial to build a reliable exploit based on that.
Attached patch fix v1 (obsolete) — Splinter Review
The fix moves keepAtoms initialization after we know that all other requests are suspended. The patch also moved purge-related calls before the restart label. The purpose of the restart is to collect more garbage released during js_RemoveRoot and friends called from the finalizers, it cannot affect js_PurgeThreads or rt->builtinFunctions.
Attachment #423224 - Flags: review?(jorendorff)
Attached patch fix v2Splinter Review
There is another problem related to keepAtoms. If the last ditch GC waits for a full GC running on another thread, that full GC would collect atoms violating the assumptions about the last-ditch GC.

The new patch fixes that via calling JS_(KEEP|UNKEEP)_ATOMS around the waiting code.
Attachment #423224 - Attachment is obsolete: true
Attachment #423231 - Flags: review?(jorendorff)
Attachment #423224 - Flags: review?(jorendorff)
Comment on attachment 423231 [details] [diff] [review]
fix v2

Thanks for fixing this.
Attachment #423231 - Flags: review?(jorendorff) → review+
Whiteboard: fixed-in-tracemonkey
blocking2.0: ? → alpha1
Marking this as fixed based on above comment to get it off the alpha blocker list.
Closed: 10 years ago
Resolution: --- → FIXED
Depends on: 544656
Group: core-security
You need to log in before you can comment on or make changes to this bug.