Closed Bug 935228 Opened 11 years ago Closed 11 years ago

JSD.pause and unPause can attempt to toggle debug traps on non-debug mode Baseline scripts

Categories

(Core :: JavaScript Engine: JIT, defect)

Product:
Core
Component:
JavaScript Engine: JIT
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla28
Tracking Flags:
Tracking Status
firefox25 --- wontfix
firefox26 --- wontfix
firefox27 --- fixed
firefox28 --- fixed
firefox-esr24 --- wontfix
b2g18 --- unaffected
b2g-v1.2 --- unaffected

People

(Reporter: shu, Assigned: shu)

References

Details

(Keywords: sec-moderate, Whiteboard: [adv-main27-] exploit requires Firebug plus a malicious addon that uses Firebug)

Attachments

(2 files)

Toggle debug traps only in debug mode. (r=?)
3.20 KB, patch
jandem
: review+
Details | Diff | Splinter Review
Toggle debug traps only in debug mode. (
3.17 KB, patch
lsblakk
: approval-mozilla-aurora+
lsblakk
: approval-mozilla-beta-
Details | Diff | Splinter Review
JSD.pause and unPause promise to persist any breakpoints set on JSScripts [1], but we need to invalidate JIT code when toggling debug mode. This can get into a inconsistent state where we try to patch toggled calls on a non-debug mode BaselineScript. Setting s-s because the patching is only guarded by an assert, and it could corrupt the instruction stream.
Blocks: 815603
We need to check this because something like JSCompartment::clearTraps tries to toggle debug traps if hasBaselineScript(), without regard for whether or not that BL script is in debug mode.
Attachment #827821 - Flags: review?(jdemooij)
Assignee: nobody → shu
Status: NEW → ASSIGNED
Comment on attachment 827821 [details] [diff] [review] Toggle debug traps only in debug mode. (r=?) Review of attachment 827821 [details] [diff] [review]: ----------------------------------------------------------------- Good catch.
Attachment #827821 - Flags: review?(jdemooij) → review+
Keywords: sec-high
https://hg.mozilla.org/mozilla-central/rev/fe63bf2c6a3a
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
status-firefox28: --- → fixed
Resolution: --- → FIXED
sec-high and no security approval?
Target Milestone: --- → mozilla28
I'm going to guess this affects everything aside from b2g18.
status-b2g18: --- → unaffected
status-firefox25: --- → wontfix
status-firefox26: --- → affected
status-firefox27: --- → affected
status-firefox-esr24: --- → affected
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Is this sec-high if it can only be caused by Firebug?
I was using the heuristic of bumping it down a level (from sec-critical) because it is Firebug related. Is this something that can happen during the normal operation of Firebug, or something that would require a malicious Firebug-like addon?
(In reply to Andrew McCreight [:mccr8] from comment #11) > I was using the heuristic of bumping it down a level (from sec-critical) > because it is Firebug related. > > Is this something that can happen during the normal operation of Firebug, or > something that would require a malicious Firebug-like addon? It would require a malicious addon that uses JSD. Which... is nonexistent AFAIK.
Comment on attachment 8341334 [details] [diff] [review] Toggle debug traps only in debug mode. ( [Approval Request Comment] Bug caused by (feature/regressing bug #): Bug 754201 most recently. Not sure what introduced AutoDebugModeGC initially. User impact if declined: Firebug unusable with many tabs. Firebug has worked around this by disabling JITs permanently if it's on, which is in some ways worse since it slows down *all* tabs. Testing completed (on m-c, etc.): On m-c. Risk to taking this patch (and alternatives if risky): GC behavior changes surfacing existing leaks/OOMs. When landing on m-c new leaks were surfaced (and eventually fixed). I am nominating those fixes for uplift also. String or IDL/UUID changes made by this patch: None The Firebug slowness metabug is bug 815603. List of bugs I'm nominating for uplift in this batch: - bug 936143 - bug 935228 - bug 933882 - bug 935470 - bug 942346 - bug 934799
Attachment #8341334 - Flags: approval-mozilla-beta?
Attachment #8341334 - Flags: approval-mozilla-aurora?
Thanks for the explanation. sec-moderate makes more sense then.
Keywords: sec-highsec-moderate
Comment on attachment 8341334 [details] [diff] [review] Toggle debug traps only in debug mode. ( We can take this on Aurora and thus it will be on Beta in a week, but we're way past the point of taking untracked, major change to Firefox 26 as we are going to build our final candidate today as well as the RC.
Attachment #8341334 - Flags: approval-mozilla-beta?
Attachment #8341334 - Flags: approval-mozilla-beta-
Attachment #8341334 - Flags: approval-mozilla-aurora?
Attachment #8341334 - Flags: approval-mozilla-aurora+
Shu, IIUC this can be closed, right?
Flags: needinfo?(shu)
Status: REOPENED → RESOLVED
Closed: 11 years ago11 years ago
Resolution: --- → FIXED
Actually I'm not sure why it stayed open anyways, because it was REOPENED?
Flags: needinfo?(shu)
(In reply to Shu-yu Guo [:shu] from comment #20) > Actually I'm not sure why it stayed open anyways, because it was REOPENED? Security bugs are resolved manually. He probably just forgot.
Whiteboard: [adv-main27-]
Whiteboard: [adv-main27-] → [adv-main27-] exploit requires Firebug plus a malicious addon that uses Firebug
Group: core-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: