Closed Bug 543768 Opened 15 years ago Closed 7 years ago

~ScriptObject isn't safe

Categories

(Tamarin Graveyard :: Virtual Machine, defect, P3)

x86
macOS
defect

Tracking

(Not tracked)

RESOLVED WONTFIX
Q1 12 - Brannan

People

(Reporter: treilly, Unassigned)

Details

This function assumes vtable and vtable->traits are still around which isn't valid. I've never seen this in practice but I'm pretty sure it could happen easily at shutdown if you have lots of ScriptObjects bigger than their vtable/traits objects lingering (we finalize in size order). We have no mechanism to finalize ScriptObjects before other objects and no mechanism to keep vtables/traits around until all ScriptObjects are finalized but something like that is needed. Or we have to store the data needed to destroy properly in the ScriptObject (bad space trade off).
It's been like this in one way or another pretty much forever, so we must be pretty lucky...
One more reason to fix finalization semantics.
Flags: flashplayer-qrb+
Priority: -- → P3
Target Milestone: --- → flash10.2
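The hazard described in the report, and two of the three mitigations it lists, as an added C++ model that is not Tamarin code: a simulated collector finalizes objects in ascending size order (the direction is an assumption; the report only says "size order"), an `UnsafeScriptObject` finalizer reaches through `vtable->traits` the way `~ScriptObject` is described as doing, a `SafeScriptObject` caches a hypothetical `needsCleanup` flag at construction so its finalizer touches no peer object, and `finalizeScriptObjectsFirst` shows the ordering fix. Accesses to already-finalized objects are counted rather than dereferenced, so the model reports the defect instead of crashing.

```cpp
#include <algorithm>
#include <cstddef>
#include <string>
#include <vector>

// Minimal stand-in for a GC-managed object: records its allocation size
// (the collector's sort key) and whether it has already been finalized.
struct Managed {
    std::size_t size;
    bool finalized = false;
    explicit Managed(std::size_t s) : size(s) {}
    virtual ~Managed() = default;
    // Returns how many already-finalized objects this finalizer touched
    // (0 means the finalizer was safe to run at this point).
    virtual int finalize() { finalized = true; return 0; }
};

struct Traits : Managed {
    std::string name;
    explicit Traits(std::string n) : Managed(32), name(std::move(n)) {}
};

struct VTable : Managed {
    Traits* traits;
    explicit VTable(Traits* t) : Managed(32), traits(t) {}
};

// Mirrors the reported ~ScriptObject: assumes vtable and vtable->traits
// are still alive when it runs.
struct UnsafeScriptObject : Managed {
    VTable* vtable;
    UnsafeScriptObject(VTable* v, std::size_t s) : Managed(s), vtable(v) {}
    int finalize() override {
        finalized = true;
        int bad = 0;
        if (vtable->finalized) ++bad;          // dangling read in the real VM
        if (vtable->traits->finalized) ++bad;  // the model only counts it
        return bad;
    }
};

// Mitigation: copy what the destructor needs into the object at construction
// (the "store the data in the ScriptObject" option), so finalization never
// dereferences a peer. needsCleanup is a hypothetical stand-in for that data.
struct SafeScriptObject : Managed {
    bool needsCleanup;
    SafeScriptObject(std::size_t s, bool cleanup) : Managed(s), needsCleanup(cleanup) {}
    int finalize() override {
        finalized = true;
        if (needsCleanup) { /* release resources using only cached state */ }
        return 0;
    }
};

// Simulated collector: smallest objects are finalized first (assumption).
static int finalizeBySize(std::vector<Managed*> objs) {
    std::sort(objs.begin(), objs.end(),
              [](const Managed* a, const Managed* b) { return a->size < b->size; });
    int bad = 0;
    for (Managed* o : objs) bad += o->finalize();
    return bad;
}

// Mitigation: finalize every ScriptObject before any vtable/traits,
// regardless of allocation size.
static int finalizeScriptObjectsFirst(std::vector<Managed*> objs) {
    std::stable_partition(objs.begin(), objs.end(), [](Managed* o) {
        return dynamic_cast<UnsafeScriptObject*>(o) != nullptr;
    });
    int bad = 0;
    for (Managed* o : objs) bad += o->finalize();
    return bad;
}

// Constructed scenario: two 256-byte ScriptObjects sharing a 32-byte
// VTable/Traits pair, so size-ordered finalization frees the pair first.
int unsafeScenario() {
    Traits t("Foo"); VTable v(&t);
    UnsafeScriptObject a(&v, 256), b(&v, 256);
    return finalizeBySize({&t, &v, &a, &b});   // 4: each object hits both peers
}

int safeScenario() {
    Traits t("Foo"); VTable v(&t);
    SafeScriptObject a(256, true), b(256, false);
    return finalizeBySize({&t, &v, &a, &b});   // 0: nothing dereferenced
}

int orderedScenario() {
    Traits t("Foo"); VTable v(&t);
    UnsafeScriptObject a(&v, 256), b(&v, 256);
    return finalizeScriptObjectsFirst({&t, &v, &a, &b});   // 0: peers still alive
}
```

The unsafe scenario is exactly the shutdown situation the report worries about: every object the finalizer needs has a smaller allocation and is therefore gone by the time `~ScriptObject` runs. Either mitigation drives the count to zero; the cached-state one costs space per object, the ordering one costs a finalization phase in the collector, which is the trade-off the report names.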
I'm going to attempt to exploit this, if it can be made to crash we might think about fixing it sooner rather than later.
Flags: flashplayer-bug+
Target Milestone: Q3 11 - Serrano → Q1 12 - Brannan
Flags: flashplayer-injection-
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → WONTFIX