Closed
Bug 826649
Opened 12 years ago
Closed 12 years ago
GC: Recalculation of GC fullness in EndSweepPhase broken
Categories
(Core :: JavaScript Engine, defect)
Core
JavaScript Engine
Tracking
()
RESOLVED
FIXED
mozilla21
| Tracking | Status | |
|---|---|---|
| firefox18 | --- | unaffected |
| firefox19 | --- | unaffected |
| firefox20 | + | fixed |
| firefox21 | + | fixed |
| firefox-esr17 | --- | unaffected |
| b2g18 | --- | unaffected |
People
(Reporter: jonco, Assigned: jonco)
References
Details
(Keywords: csectype-uaf, regression, sec-critical, Whiteboard: [adv-main20-])
Attachments
(1 file, 4 obsolete files)
|
10.73 KB,
patch
|
billm
:
review+
bajaj
:
approval-mozilla-aurora+
|
Details | Diff | Splinter Review |
Bug 790338 re-broke calculation of whether the GC is full vs. compartmental in EndSweepPhase (I can't find the original defect right now).
|
||
Comment 1•12 years ago
|
||
That seems like it could do bad things to how we schedule GC and CC.
|
Assignee | |
Comment 2•12 years ago
|
||
Fix the issue and add regression tests.
|
|
||
Updated•12 years ago
|
Group: core-security
|
|
||
Comment 3•12 years ago
|
||
Ah, yes, this problem. Bug 801957 is the one you were thinking of. Thanks for writing regression tests, as this is clearly a touchy area of the code. :)
|
|
||
Updated•12 years ago
|
status-firefox18:
--- → unaffected
status-firefox19:
--- → unaffected
|
|
||
Updated•12 years ago
|
Assignee: general → jcoppeard
|
||
Updated•12 years ago
|
|
|
Assignee | |
Comment 4•12 years ago
|
||
Attachment #697909 -
Attachment is obsolete: true
Attachment #698758 -
Flags: review?(wmccloskey)
Comment on attachment 698758 [details] [diff] [review]
Proposed fix
Review of attachment 698758 [details] [diff] [review]:
-----------------------------------------------------------------
::: js/src/builtin/TestingFunctions.cpp
@@ +1072,5 @@
> bool
> js::DefineTestingFunctions(JSContext *cx, HandleObject obj)
> {
> +#ifdef JS_GC_ZEAL
> + JS_SetFinalizeCallback(cx->runtime, TestFinalizeCallback);
This code can execute from the browser, in which case it will conflict with the browser's finalize callback.
I think this might work better as a JSAPI test. Can you try that instead?
::: js/src/jsgc.cpp
@@ +4327,5 @@
> AssertCanGC();
> Collect(rt, true, SliceBudget::Unlimited, gckind, reason);
> }
>
> +static bool CompartmentsSelected(JSRuntime *rt)
Need a newline between bool and the function name.
Attachment #698758 -
Flags: review?(wmccloskey)
|
|
Assignee | |
Comment 6•12 years ago
|
||
Attachment #698758 -
Attachment is obsolete: true
Attachment #699312 -
Flags: review?(wmccloskey)
Comment on attachment 699312 [details] [diff] [review]
Fix with updated test code
Review of attachment 699312 [details] [diff] [review]:
-----------------------------------------------------------------
::: js/src/jsapi-tests/testGCFinalizeCallback.cpp
@@ +16,5 @@
> +
> +static void
> +FinalizeCallback(JSFreeOp *fop, JSFinalizeStatus status, JSBool isCompartmentGC)
> +{
> + if (FinalizeCalls < BufferSize) {
It looks like some tab characters snuck in here. Please replace with spaces.
@@ +97,5 @@
> + CHECK(checkFinalizeIsCompartmentGC(true));
> +
> +#ifdef JS_GC_ZEAL
> +
> + /* Full GC with reset due to new compartment, becoming compartment GC. */
Another tab here.
Attachment #699312 -
Flags: review?(wmccloskey) → review+
|
||
Updated•12 years ago
|
status-firefox21:
--- → affected
tracking-firefox21:
--- → +
|
|
Assignee | |
Comment 8•12 years ago
|
||
Attachment #699312 -
Attachment is obsolete: true
|
|
Assignee | |
Comment 9•12 years ago
|
||
Attachment #701064 -
Attachment is obsolete: true
Comment on attachment 701106 [details] [diff] [review]
Also fix whitespace issues in patch
Please take the printf out of the test.
Attachment #701106 -
Flags: review+
|
|
Assignee | |
Comment 11•12 years ago
|
||
|
|
Assignee | |
Updated•12 years ago
|
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
|
|
Assignee | |
Comment 12•12 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/31f4f50447e8
Note wrong bug number in commit message!
|
|
||
Comment 13•12 years ago
|
||
You should nominate the patch for Aurora approval, if you think it is ready to land there.
|
||
Updated•12 years ago
|
|
|
Assignee | |
Comment 14•12 years ago
|
||
Comment on attachment 701106 [details] [diff] [review]
Also fix whitespace issues in patch
[Approval Request Comment]
Bug caused by (feature/regressing bug #): bug 790338
User impact if declined: Potential to cause crashes, hence security issue
Testing completed (on m-c, etc.): This patch has been on m-c for about a week
Risk to taking this patch (and alternatives if risky): low risk, restores original behaviour before regression
String or UUID changes made by this patch: none
Attachment #701106 -
Flags: approval-mozilla-aurora?
|
|
||
Comment 15•12 years ago
|
||
Comment on attachment 701106 [details] [diff] [review]
Also fix whitespace issues in patch
Approving on aurora as it has a low risk patch restoring original behavior, which led to this regression. Tested on m-c for a week.
Attachment #701106 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
|
|
||
Comment 16•12 years ago
|
||
https://hg.mozilla.org/releases/mozilla-aurora/rev/07e1d48fd8f7
(With bug # fixed)
|
|
||
Updated•12 years ago
|
status-b2g18:
--- → unaffected
status-firefox-esr17:
--- → unaffected
|
||
Updated•12 years ago
|
Whiteboard: [adv-main20-]
|
|
||
Updated•11 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•