Bug 765034 - GC hazard during global object creation
Keywords: regression, sec-high
Product: Core
Classification: Components
Component: DOM
Version: unspecified
Platform: All All
Importance: -- normal
Target Milestone: mozilla16
Assigned To: Bill McCloskey (:billm)
QA Contact: Andrew Overholt [:overholt]
Blocks: 744772
Reported: 2012-06-14 14:35 PDT by Bill McCloskey (:billm)
Modified: 2012-08-14 08:16 PDT

Attachment: fix (1.64 KB, patch)
2012-06-14 14:35 PDT, Bill McCloskey (:billm)
bzbarsky: review+
lukasblakk+bugs: approval-mozilla-aurora+
lukasblakk+bugs: approval-mozilla-beta+

Description Bill McCloskey (:billm) 2012-06-14 14:35:31 PDT
Created attachment 633279 [details] [diff] [review]

If we GC right after we create a JSCLASS_DOM_GLOBAL global object, the DOM_PROTOTYPE_SLOT hasn't been set yet. The GC will call TraceProtoOrIfaceCache and crash because it doesn't check if it's okay to call GetProtoOrIfaceArray.

This is unlikely to cause a problem in practice, but it's stopping me from running a browser with GC zeal set.
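The hazard in the description, modelled in C as an added example (this is not code from the bug's patch or from Mozilla's tree): a global object whose reserved DOM_PROTOTYPE_SLOT is only filled in after allocation, and a trace hook that checks the slot is set before it calls the accessor that assumes a valid pointer. Every type and function name here (GlobalObject, Slot, ProtoOrIfaceArray, create_dom_global, init_proto_cache, get_proto_or_iface_array, trace_proto_or_iface_cache) is a constructed stand-in, not SpiderMonkey's real API.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

/* Constructed model of the objects in this bug; none of these are
 * SpiderMonkey's real types, and the names are hypothetical stand-ins. */
#define DOM_PROTOTYPE_SLOT 0
#define NUM_RESERVED_SLOTS 2
#define PROTO_CACHE_LEN 8

/* A reserved slot is either "undefined" or holds a private pointer. */
typedef struct { bool is_set; void *ptr; } Slot;

/* The per-global cache of DOM prototype/interface objects. */
typedef struct {
    void *entries[PROTO_CACHE_LEN];
    bool  marked[PROTO_CACHE_LEN];   /* set by the tracer during GC */
} ProtoOrIfaceArray;

typedef struct { Slot slots[NUM_RESERVED_SLOTS]; } GlobalObject;

/* Step 1 of creation: allocate the global. Its slots start undefined. */
static GlobalObject *create_dom_global(void) {
    GlobalObject *g = calloc(1, sizeof(GlobalObject));
    if (!g) abort();
    return g;
}

/* Step 2 of creation: attach the prototype cache. Between step 1 and
 * step 2 a GC may run and trace the half-built global. */
static void init_proto_cache(GlobalObject *g, ProtoOrIfaceArray *cache) {
    g->slots[DOM_PROTOTYPE_SLOT].ptr = cache;
    g->slots[DOM_PROTOTYPE_SLOT].is_set = true;
}

/* Models GetProtoOrIfaceArray: it assumes the slot already holds a
 * valid pointer, so callers must check before calling it. */
static ProtoOrIfaceArray *get_proto_or_iface_array(GlobalObject *g) {
    return (ProtoOrIfaceArray *)g->slots[DOM_PROTOTYPE_SLOT].ptr;
}

/* GC trace hook with the guard the bug asks for. Without the first
 * check it would dereference an undefined slot whenever GC lands
 * between create_dom_global() and init_proto_cache(). Returns the
 * number of cache entries marked so a caller can see what happened. */
static int trace_proto_or_iface_cache(GlobalObject *g) {
    if (!g->slots[DOM_PROTOTYPE_SLOT].is_set)
        return 0;                                /* not initialized yet */
    ProtoOrIfaceArray *cache = get_proto_or_iface_array(g);
    int marked = 0;
    for (size_t i = 0; i < PROTO_CACHE_LEN; i++) {
        if (cache->entries[i]) {
            cache->marked[i] = true;
            marked++;
        }
    }
    return marked;
}

/* Scenario from the bug: GC (trace) fires right after allocation. */
int gc_before_slot_is_set(void) {
    GlobalObject *g = create_dom_global();
    int marked = trace_proto_or_iface_cache(g);  /* must not crash */
    free(g);
    return marked;
}

/* Normal case: creation completed, then GC traces two cached prototypes. */
int gc_after_slot_is_set(void) {
    static int proto_a, proto_b;                 /* stand-in prototype objects */
    GlobalObject *g = create_dom_global();
    ProtoOrIfaceArray *cache = calloc(1, sizeof(ProtoOrIfaceArray));
    if (!cache) abort();
    cache->entries[1] = &proto_a;
    cache->entries[5] = &proto_b;
    init_proto_cache(g, cache);
    int marked = trace_proto_or_iface_cache(g);
    free(cache);
    free(g);
    return marked;
}

int main(void) {
    return (gc_before_slot_is_set() == 0 && gc_after_slot_is_set() == 2) ? 0 : 1;
}
```

The point of the model is the ordering: any trace hook that reads a reserved slot must tolerate the slot's initial "undefined" state, because the collector can observe an object at any point after allocation, not just after its constructor has finished.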
Comment 1 Boris Zbarsky [:bz] (still a bit busy) 2012-06-14 21:50:41 PDT
Comment on attachment 633279 [details] [diff] [review]

Comment 3 Ed Morley [:emorley] 2012-06-19 01:23:47 PDT
Comment 4 Daniel Veditz [:dveditz] 2012-06-22 11:35:05 PDT
Do we want or need this fix on previous branches?
Comment 5 Bill McCloskey (:billm) 2012-06-26 13:59:12 PDT
Comment on attachment 633279 [details] [diff] [review]

I guess we should probably take this on branches. It's an easy fix and it may be exploitable.

[Approval Request Comment]
Bug caused by (feature/regressing bug #): Bug 744772
User impact if declined: Possible security hole.
Testing completed (on m-c, etc.): On m-c.
Risk to taking this patch (and alternatives if risky): Low.
String or UUID changes made by this patch: None.
Comment 6 Lukas Blakk [:lsblakk] use ?needinfo 2012-06-27 10:04:26 PDT
Comment on attachment 633279 [details] [diff] [review]

Looks small enough and low risk assessment suggests we're good to land this on beta/aurora. Please update status flags once landed and also confirm if we need this on and can land it to the ESR branch as well.
Comment 8 Alex Keybl [:akeybl] 2012-07-05 16:34:46 PDT
(In reply to Bill McCloskey (:billm) from comment #7)

Given status flags in bug 744772, the ESR branch is unaffected.
