Argh! I keep finding Firefox using pointers from poisoned memory, only to see them stop reproducing while I try to reduce the repro :/
-
finer control of garbage collection would solve that (i.e. window.CollectGarbage in MSIE), but Firefox doesn't have that
-
build and install https://github.com/MozillaSecurity/funfuzz/tree/master/dom/extension …, all kinds of GC control. Won't help an exploit but valid for bounties.
-
I tried that earlier but couldn't get it to work. Looking for something that takes 5 mins to integrate into existing fuzzing.
-
Rather than set up a Firefox build environment, build that, get it installed on my bots and use it in my fuzzers.
-
(My experience is that there prolly won't be docs but there will be weird errors and inexplicable failures, so it'll take a week.)
End of conversation
New conversation
-
I've seen this happen before, due to other objects in the DOM affecting garbage collection
-
Did you find a solution?
-
Made a tool to enum DOM objects related to the targeted trigger & then remove 'em systematically. Still only partially helped.
-
Not sure I follow - I would expect a solution would be to force garbage collection more frequently or at specific points?
-
i.e. by alloc/release of a large number of objects? Not knowing the FF GC specs, I haven't figured out how to trigger it exactly.
-
A bit of debugging suggests "new Uint32Array(0x2000000);" might do the trick, but I have no way to make sure.
-
That makes sense.
End of conversation