зеркало из https://github.com/mozilla/gecko-dev.git
74f4da63ac
When marking a BaseShape we mark its global, and we read the pointer to that global from the realm. If a realm doesn't have a live global we can sweep the realm but there may still be pointers to it in base shapes and these are left dangling. This happens when we hit OOM while creating a global during an incremental GC. The BaseShape survives because it was allocated after the start of the GC. The global itself is never successfully created and so the realm doesn't have a live global and is swept. In this case, we trigger UAF when we try to compact the heap and trace the base shape. The patch adds an extra case for keeping a realm alive if it was created during an incremental GC. This matches the way that GC things are not collected if they are allocated after the start of a GC. Differential Revision: https://phabricator.services.mozilla.com/D158022 |
||
|---|---|---|
| .. | ||
| examples | ||
| loader | ||
| public | ||
| src | ||
| xpconnect | ||
| app.mozbuild | ||
| ffi.configure | ||
| moz.build | ||
| moz.configure | ||
| sub.configure | ||