Bug 765034 - GC hazard during global object creation
Status: RESOLVED FIXED
[advisory-tracking-][qa-]
: regression, sec-high
Product: Core
Classification: Components
Component: DOM
: unspecified
: All All
: -- normal
: mozilla16
Assigned To: Bill McCloskey (:billm)
: Andrew Overholt [:overholt]
Mentors:
Depends on:
Blocks: 744772
Reported: 2012-06-14 14:35 PDT by Bill McCloskey (:billm)
Modified: 2012-08-14 08:16 PDT
6 users
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---
unaffected
fixed
fixed
fixed
unaffected


Attachments
fix (1.64 KB, patch)
2012-06-14 14:35 PDT, Bill McCloskey (:billm)
bzbarsky: review+
lukasblakk+bugs: approval‑mozilla‑aurora+
lukasblakk+bugs: approval‑mozilla‑beta+

Description Bill McCloskey (:billm) 2012-06-14 14:35:31 PDT
Created attachment 633279 [details] [diff] [review]
fix

If we GC right after we create a JSCLASS_DOM_GLOBAL global object, the DOM_PROTOTYPE_SLOT hasn't been set yet. The GC will call TraceProtoOrIfaceCache and crash because it doesn't check if it's okay to call GetProtoOrIfaceArray.

This is unlikely to cause a problem in practice, but it's stopping me from running a browser with GC zeal set.
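The window the description refers to, as an added toy model (not the attached patch and not SpiderMonkey or DOM code): a global is GC-visible the moment it is allocated, but its prototype-cache slot is filled in only afterwards, so a trace hook that runs in between must check the slot before dereferencing it. All names here (toy::GlobalObject, kProtoSlot, ProtoOrIfaceCache, traceUnguarded, traceGuarded, gcZealRightAfterCreation) are hypothetical stand-ins for the real structures.

```cpp
// Added illustration of the hazard; hypothetical names, not Mozilla's code.
#include <cstddef>
#include <cstdint>
#include <vector>

namespace toy {

// Stand-in for the per-global prototype/interface cache the GC must trace.
struct ProtoOrIfaceCache {
    std::vector<uintptr_t> entries;   // pretend heap pointers; 0 means empty
};

// A reserved slot is either unset (undefined) or holds a private pointer,
// mirroring how a JS reserved slot reads before and after initialization.
struct Slot {
    bool isSet = false;
    ProtoOrIfaceCache* ptr = nullptr;
};

struct GlobalObject {
    static constexpr size_t kProtoSlot = 0;   // stands in for DOM_PROTOTYPE_SLOT
    Slot slots[1];
};

// Creation: the object exists (and is visible to a GC) before its cache is attached.
inline GlobalObject createGlobal() { return GlobalObject{}; }

inline void attachProtoCache(GlobalObject& g, ProtoOrIfaceCache* cache) {
    g.slots[GlobalObject::kProtoSlot].isSet = true;
    g.slots[GlobalObject::kProtoSlot].ptr = cache;
}

// Hazard: assumes the slot is initialized. On a fresh global the pointer is
// null; the real trace hook would dereference it and crash. The crash is
// modelled here as a return value of -1 so the scenario can run safely.
inline int traceUnguarded(const GlobalObject& g) {
    const ProtoOrIfaceCache* cache = g.slots[GlobalObject::kProtoSlot].ptr;
    if (cache == nullptr) return -1;   // real code: null dereference here
    return static_cast<int>(cache->entries.size());
}

// Fixed: check whether the slot has been set before touching the cache.
// Returns the number of live entries traced; 0 on a not-yet-initialized global.
inline int traceGuarded(const GlobalObject& g) {
    const Slot& s = g.slots[GlobalObject::kProtoSlot];
    if (!s.isSet) return 0;            // nothing to trace yet; not an error
    int traced = 0;
    for (uintptr_t e : s.ptr->entries) {
        if (e != 0) ++traced;          // mark each live entry
    }
    return traced;
}

// Simulates GC zeal: a GC (trace) fires right after createGlobal() and before
// attachProtoCache(). Returns the trace result for the chosen hook.
inline int gcZealRightAfterCreation(bool guarded) {
    GlobalObject g = createGlobal();
    int result = guarded ? traceGuarded(g) : traceUnguarded(g);   // GC fires here
    ProtoOrIfaceCache cache;                                      // constructed sample cache
    cache.entries = {0x1000, 0, 0x2000};
    attachProtoCache(g, &cache);
    return result;
}

// Normal path: the cache is attached before any GC runs.
inline int traceAfterInit() {
    GlobalObject g = createGlobal();
    ProtoOrIfaceCache cache;                                      // constructed sample cache
    cache.entries = {0x1000, 0, 0x2000};
    attachProtoCache(g, &cache);
    return traceGuarded(g);
}

} // namespace toy
```

The guard in traceGuarded is the shape of check the description says TraceProtoOrIfaceCache was missing: the trace hook must tolerate a global whose slot is still undefined, because a GC can run at any allocation point between object creation and slot initialization.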
Comment 1 Boris Zbarsky [:bz] (still a bit busy) 2012-06-14 21:50:41 PDT
Comment on attachment 633279 [details] [diff] [review]
fix

r=me
Comment 3 Ed Morley [:emorley] 2012-06-19 01:23:47 PDT
https://hg.mozilla.org/mozilla-central/rev/3f164ec683a5
Comment 4 Daniel Veditz [:dveditz] 2012-06-22 11:35:05 PDT
Do we want or need this fix on previous branches?
Comment 5 Bill McCloskey (:billm) 2012-06-26 13:59:12 PDT
Comment on attachment 633279 [details] [diff] [review]
fix

I guess we should probably take this on branches. It's an easy fix and it may be exploitable.

[Approval Request Comment]
Bug caused by (feature/regressing bug #): Bug 744772
User impact if declined: Possible security hole.
Testing completed (on m-c, etc.): On m-c.
Risk to taking this patch (and alternatives if risky): Low.
String or UUID changes made by this patch: None.
Comment 6 Lukas Blakk [:lsblakk] use ?needinfo 2012-06-27 10:04:26 PDT
Comment on attachment 633279 [details] [diff] [review]
fix

Looks small enough, and the low risk assessment suggests we're good to land this on beta/aurora. Please update status flags once landed and also confirm whether we need this on the ESR branch and can land it there as well.
Comment 8 Alex Keybl [:akeybl] 2012-07-05 16:34:46 PDT
(In reply to Bill McCloskey (:billm) from comment #7)
> https://hg.mozilla.org/releases/mozilla-aurora/rev/5a9b4f19f1b4
> https://hg.mozilla.org/releases/mozilla-beta/rev/99bb1f06b597

Given status flags in bug 744772, the ESR branch is unaffected.
