Closed
Bug 826649
Opened 12 years ago
Closed 11 years ago
GC: Recalculation of GC fullness in EndSweepPhase broken
Categories
(Core :: JavaScript Engine, defect)
Core
JavaScript Engine
Tracking
()
RESOLVED
FIXED
mozilla21
Tracking | Status | |
---|---|---|
firefox18 | --- | unaffected |
firefox19 | --- | unaffected |
firefox20 | + | fixed |
firefox21 | + | fixed |
firefox-esr17 | --- | unaffected |
b2g18 | --- | unaffected |
People
(Reporter: jonco, Assigned: jonco)
References
Details
(Keywords: csectype-uaf, regression, sec-critical, Whiteboard: [adv-main20-])
Attachments
(1 file, 4 obsolete files)
10.73 KB,
patch
|
billm
:
review+
bajaj
:
approval-mozilla-aurora+
|
Details | Diff | Splinter Review |
Bug 790338 re-broke calculation of whether the GC is full vs. compartmental in EndSweepPhase (I can't find the original defect right now).
Comment 1•12 years ago
|
||
That seems like it could do bad things to how we schedule GC and CC.
Assignee | ||
Comment 2•12 years ago
|
||
Fix the issue and add regression tests.
Updated•12 years ago
|
Group: core-security
Comment 3•12 years ago
|
||
Ah, yes, this problem. Bug 801957 is the one you were thinking of. Thanks for writing regression tests, as this is clearly a touchy area of the code. :)
Updated•12 years ago
|
status-firefox18:
--- → unaffected
status-firefox19:
--- → unaffected
Updated•12 years ago
|
Assignee: general → jcoppeard
Updated•12 years ago
|
Assignee | ||
Comment 4•11 years ago
|
||
Attachment #697909 -
Attachment is obsolete: true
Attachment #698758 -
Flags: review?(wmccloskey)
Comment on attachment 698758 [details] [diff] [review] Proposed fix Review of attachment 698758 [details] [diff] [review]: ----------------------------------------------------------------- ::: js/src/builtin/TestingFunctions.cpp @@ +1072,5 @@ > bool > js::DefineTestingFunctions(JSContext *cx, HandleObject obj) > { > +#ifdef JS_GC_ZEAL > + JS_SetFinalizeCallback(cx->runtime, TestFinalizeCallback); This code can execute from the browser, in which case it will conflict with the browser's finalize callback. I think this might work better as a JSAPI test. Can you try that instead? ::: js/src/jsgc.cpp @@ +4327,5 @@ > AssertCanGC(); > Collect(rt, true, SliceBudget::Unlimited, gckind, reason); > } > > +static bool CompartmentsSelected(JSRuntime *rt) Need a newline between bool and the function name.
Attachment #698758 -
Flags: review?(wmccloskey)
Assignee | ||
Comment 6•11 years ago
|
||
Attachment #698758 -
Attachment is obsolete: true
Attachment #699312 -
Flags: review?(wmccloskey)
Comment on attachment 699312 [details] [diff] [review] Fix with updated test code Review of attachment 699312 [details] [diff] [review]: ----------------------------------------------------------------- ::: js/src/jsapi-tests/testGCFinalizeCallback.cpp @@ +16,5 @@ > + > +static void > +FinalizeCallback(JSFreeOp *fop, JSFinalizeStatus status, JSBool isCompartmentGC) > +{ > + if (FinalizeCalls < BufferSize) { It looks like some tab characters snuck in here. Please replace with spaces. @@ +97,5 @@ > + CHECK(checkFinalizeIsCompartmentGC(true)); > + > +#ifdef JS_GC_ZEAL > + > + /* Full GC with reset due to new compartment, becoming compartment GC. */ Another tab here.
Attachment #699312 -
Flags: review?(wmccloskey) → review+
Updated•11 years ago
|
status-firefox21:
--- → affected
tracking-firefox21:
--- → +
Assignee | ||
Comment 8•11 years ago
|
||
Attachment #699312 -
Attachment is obsolete: true
Assignee | ||
Comment 9•11 years ago
|
||
Attachment #701064 -
Attachment is obsolete: true
Comment on attachment 701106 [details] [diff] [review] Also fix whitespace issues in patch Please take the printf out of the test.
Attachment #701106 -
Flags: review+
Assignee | ||
Comment 11•11 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/31f4f50447e8
Assignee | ||
Updated•11 years ago
|
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Assignee | ||
Comment 12•11 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/31f4f50447e8 Note wrong bug number in commit message!
Comment 13•11 years ago
|
||
You should nominate the patch for Aurora approval, if you think it is ready to land there.
Updated•11 years ago
|
Assignee | ||
Comment 14•11 years ago
|
||
Comment on attachment 701106 [details] [diff] [review] Also fix whitespace issues in patch [Approval Request Comment] Bug caused by (feature/regressing bug #): bug 790338 User impact if declined: Potential to cause crashes, hence security issue Testing completed (on m-c, etc.): This patch has been on m-c for about a week Risk to taking this patch (and alternatives if risky): low risk, restores original behaviour before regression String or UUID changes made by this patch: none
Attachment #701106 -
Flags: approval-mozilla-aurora?
Comment 15•11 years ago
|
||
Comment on attachment 701106 [details] [diff] [review] Also fix whitespace issues in patch Approving on aurora as it has a low risk patch restoring original behavior, which led to this regression. Tested on m-c for a week.
Attachment #701106 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Comment 16•11 years ago
|
||
https://hg.mozilla.org/releases/mozilla-aurora/rev/07e1d48fd8f7 (With bug # fixed)
Updated•11 years ago
|
status-b2g18:
--- → unaffected
status-firefox-esr17:
--- → unaffected
Updated•11 years ago
|
Whiteboard: [adv-main20-]
Updated•11 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•