At the moment Shape::fixupDictionaryShapeAfterMovingGC checks whether listp points into the nursery and if so ignores it. However the nursery could have been resized in the mean time which would cause this check to fail when it should have succeeded. We would then go on to dereference a pointer to freed memory. This was found by fuzz testing of shu's changes in bug 1263355.

Patch to maintain a list of dictionary mode objects that are in the nursery. When the nursery is collected we sweep the list and clear the pointer in any shapes which have a pointer into a now-dead object.

Comment on attachment 8781600 [details] [diff] [review] bug1295551-sweep-dict-objects Review of attachment 8781600 [details] [diff] [review]: ----------------------------------------------------------------- Ah, our oldest nemesis once again. ::: js/src/gc/Nursery.h @@ +355,5 @@ > struct SweepAction; > SweepAction* sweepActions_; > > + using NativeObjectVector = Vector<NativeObject*, 0, SystemAllocPolicy>; > + NativeObjectVector dictionaryModeObjects_; If this is just a vector, it seems like we could use sweepActions_ for this. ::: js/src/vm/Shape.cpp @@ +500,5 @@ > return false; > } > > + if (IsInsideNursery(self) && > + !cx->asJSContext()->gc.nursery.queueDictionaryModeObjectToSweep(self)) Something like: if (IsInsideNursery(self)) { bool ok = queueSweepAction([](void* obj){ static_cast<NativeObject*>(obj)->sweepDictionaryListPointer(); }, self); if (!ok) { ReportOutOfMemory(cx); ... Note that I'm fine with either: having the more specific mechanism makes understanding this specific case easier, while having fewer mechanisms makes understanding the GC in general easier.

(In reply to Terrence Cole [:terrence] from comment #2) > Note that I'm fine with either: having the more specific mechanism makes > understanding this specific case easier, while having fewer mechanisms makes > understanding the GC in general easier. Cheers, I think I'm going to leave it as it is. The sweep action mechanism is generic by necessity, and having a specific mechanism for this case will be faster if there turn out to be a lot of dictionary mode objects.

This was introduced by bug 1291292 since there's now no longer a fixed nursery area.