
Watchpoint needs a readBarriered during incremental GC

RESOLVED INVALID

Status


Core
JavaScript Engine
RESOLVED INVALID
6 years ago
6 years ago

People

(Reporter: terrence, Assigned: billm)

Tracking

Trunk
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [js:p1])

(Reporter)

Description

6 years ago
If the handler assigns the passed object during an incremental GC, then it will escape the weakmap in an unsafe way.
(In reply to Terrence Cole [:terrence] from comment #0)
> If the handler assigns the passed object during an incremental GC, then it
> will escape the weakmap in an unsafe way.

Could you assign a security rating?
Whiteboard: [js:p1]
(Reporter)

Updated

6 years ago
Keywords: sec-critical
status-firefox16: --- → affected
status-firefox17: --- → affected
tracking-firefox16: --- → +
tracking-firefox17: --- → +
Summary: Watchpoint needs a readBarriered → Watchpoint needs a readBarriered during incremental GC
Whiteboard: [js:p1] → [js:p1:fx17]
Whiteboard: [js:p1:fx17] → [js:p1]
status-firefox-esr10: --- → unaffected
status-firefox15: --- → unaffected
Now I'm thinking that this is not a bug. The place where the read barrier would need to be invoked is triggerWatchpoint. And the read barrier would need to be invoked on the |obj| argument. However, |obj| must already be live at this point because a watchpoint was triggered on it.

Terrence, do you agree? If so, I'll add a comment and we can close the bug.
(Reporter)

Comment 3

6 years ago
I agree.
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → INVALID

Comment 4

6 years ago
Fixing branch flags.
status-firefox-esr10: unaffected → ---
status-firefox15: unaffected → ---
status-firefox16: affected → ---
status-firefox17: affected → ---
tracking-firefox16: + → ---
tracking-firefox17: + → ---
Group: core-security
Keywords: sec-critical