🔗 Garbage Collection Intro

🔗 Steps

Run V8 in gdb with the --trace-gc flag to log garbage collection runs:

exercise run v8 --gdb --trace-gc

Create a JavaScript object and assign it to a variable. Get its address using %DebugPrint(). Break in the debugger and dump the object's memory.
Continue execution and remove all references to the object. For example:

let a = {};
%DebugPrint(a);
a = null; // Remove reference

Break in the debugger and dump the address' memory again. Notice how it has not changed.
Continue execution and trigger a debug garbage collection by running %CollectGarbage(0).
Break in the debugger and observe that the object's memory has been freed, indicated by the 0xdeadbeef pattern.

Noteinfo
For debug builds, free objects will have their memory overwritten with 0xdeadbeef or similar. This is not the case for release builds.

Bonus: What happens to objects that stay alive in V8 during a garbage collection run?
- you may discover behavior that does not make sense! it will be explained further on in the lecture
Bonus: What about in JSC?
- use exercise run jsc --logGC=true, and gc() instead of %CollectGarbage

Fundamentals of Browser Exploitation