Closed Bug 1356305 Opened 8 years ago Closed 8 years ago

stylo: heap write hazard from Gecko_MatchStringArgPseudo calling InitSystemMetrics

Categories

(Core :: CSS Parsing and Computation, defect, P1)

Product:
Core
Component:
CSS Parsing and Computation
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla55
Tracking Flags:
Tracking Status
firefox55 --- fixed

People

(Reporter: sfink, Assigned: manishearth)

References

Details

Attachments

(1 file)

Bug 1356305 - stylo: Initialize system metrics before traversing
(deleted), text/x-review-board-request
bholley
: review+
Details
[24.05s] #50 Analyzing Gecko_MatchStringArgPseudo ... Error: Variable assignment _ZL14sSystemMetrics$nsCSSRuleProcessor.cpp:nsTArray<nsCOMPtr<nsIAtom> >* sSystemMetrics Location: _ZL17InitSystemMetricsv$nsCSSRuleProcessor.cpp:uint8 InitSystemMetrics() @ https://searchfox.org/mozilla-central/source/layout/style/nsCSSRuleProcessor.cpp#1069 Stack Trace: _ZN18nsCSSRuleProcessor15HasSystemMetricEP7nsIAtom$uint8 nsCSSRuleProcessor::HasSystemMetric(nsIAtom*) @ https://searchfox.org/mozilla-central/source/layout/style/nsCSSRuleProcessor.cpp#1216 _ZN18nsCSSRuleProcessor19StringPseudoMatchesEPKN7mozilla3dom7ElementENS0_18CSSPseudoClassTypeEPKDsPK11nsIDocumentbNS0_11EventStatesEbPbSC_$uint8 nsCSSRuleProcessor::StringPseudoMatches(mozilla::dom::Element*, uint8, uint16*, nsIDocument*, uint8, mozilla::EventStates, uint8, uint8*, uint8*) @ https://searchfox.org/mozilla-central/source/layout/style/nsCSSRuleProcessor.cpp#1702 ### SafeArguments: <arg6> <arg7> <arg8> Gecko_MatchStringArgPseudo @ https://searchfox.org/mozilla-central/source/layout/style/ServoBindings.cpp#586 ### SafeArguments: <arg3>
Assignee: nobody → manishearth
Priority: -- → P1
Comment on attachment 8858178 [details] Bug 1356305 - stylo: Initialize system metrics before traversing https://reviewboard.mozilla.org/r/130118/#review132784 r=me with those two fixes. ::: gfx/thebes/gfxUserFontSet.h:178 (Diff revision 2) > friend class gfxUserFontEntry; > friend class gfxOTSContext; > > public: > > - NS_INLINE_DECL_REFCOUNTING(gfxUserFontSet) > + NS_INLINE_DECL_THREADSAFE_REFCOUNTING(gfxUserFontSet) This should go away. ::: layout/style/nsCSSRuleProcessor.cpp:1064 (Diff revision 2) > -static bool > -InitSystemMetrics() > +/* static */ bool > +nsCSSRuleProcessor::InitSystemMetrics() > { > NS_ASSERTION(!sSystemMetrics, "already initialized"); > > sSystemMetrics = new nsTArray< nsCOMPtr<nsIAtom> >; > NS_ENSURE_TRUE(sSystemMetrics, false); |new| is infallible now so this whole thing can become a void function.
Attachment #8858178 - Flags: review+
Blocks: 1356458
We can't access prefs from nsLayoutStatics. Doing it in pre traverse instead https://treeherder.mozilla.org/#/jobs?repo=try&revision=49452e83d081654da49eb413a32135e0c5b3ad56
I changed the way I'm handling this since we can't do pref access in nsLayoutStatics, need re-review. Also, r?sfink on the analysis change. I don't think I can teach the analysis that we always call this function before traversal. Perhaps I should structure it differently (asserting that sSystemMetrics exists when off main thread)? It seems like the analysis won't understand the assert so I'd need to whitelist it anyway. https://treeherder.mozilla.org/#/jobs?repo=try&revision=06eb380377e1e7542f6533f3bc5c2aba4823d7bc
Attachment #8858178 - Flags: review?(sphink)
Pushed by manishearth@gmail.com: https://hg.mozilla.org/integration/autoland/rev/1e269a211fe7 stylo: Initialize system metrics before traversing; r=bholley
Blocks: 1356266
https://hg.mozilla.org/mozilla-central/rev/1e269a211fe7
Status: NEW → RESOLVED
Closed: 8 years ago
status-firefox55: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla55
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: