Bug 1813168 (Closed) - Opened 2 years ago, closed 2 years ago

Creating a WebAuthn credential can "leak the world"

Categories: Core :: DOM: Web Authentication, defect, P3
Status: RESOLVED FIXED
Target Milestone: 111 Branch
Tracking Status: firefox111 --- fixed
People: Reporter: jschanck, Assigned: jschanck
References: Blocks 1 open bug
Attachments: 1 file

Creating a WebAuthn credential in a debug build and closing the window can result in "WARNING: YOU ARE LEAKING THE WORLD (at least one JSRuntime and everything alive inside it, that is) AT JS_ShutDown TIME. FIX THIS!" being logged to the console.

To reproduce:

FWIW, I wasn't able to reproduce on https://webauthn.io or https://demo.yubico.com. Also, this doesn't seem to be a duplicate of Bug 1540885 as the make credential request has to finish.

After following the instructions on https://firefox-source-docs.mozilla.org/performance/memory/heap_scan_mode.html, I think I tracked this down to a reference held by the PublicKeyCredential created in FinishMakeCredential. The relevant output from block_analyzer.py is below.

0x7f0dda4a6500 size = 392 bytes at byte offset 376
  mozilla::dmd::StackTrace::Get(mozilla::dmd::Thread*) (./mozilla-unified/memory/replace/dmd/DMD.cpp:664)
  mozilla::dmd::AllocCallback(void*, unsigned long, mozilla::dmd::Thread*) (./mozilla-unified/memory/replace/dmd/DMD.cpp:1025)
  replace_malloc(unsigned long) (./mozilla-unified/memory/replace/dmd/DMD.cpp:1093)
  moz_xmalloc (./mozilla-unified/memory/mozalloc/mozalloc.cpp:53)
  mozilla::dom::WebAuthnManager::FinishMakeCredential(unsigned long const&, mozilla::dom::WebAuthnMakeCredentialResult const&) (./mozilla-unified/dom/webauthn/WebAuthnManager.cpp:735)
  mozilla::dom::WebAuthnTransactionChild::RecvConfirmRegister(unsigned long const&, mozilla::dom::WebAuthnMakeCredentialResult const&) (./mozilla-unified/dom/webauthn/WebAuthnTransactionChild.cpp:36)
  mozilla::dom::PWebAuthnTransactionChild::OnMessageReceived(IPC::Message const&) (./mozilla-unified/obj-x86_64-pc-linux-gnu/ipc/ipdl/PWebAuthnTransactionChild.cpp:0)
  mozilla::ipc::PBackgroundChild::OnMessageReceived(IPC::Message const&) (./mozilla-unified/obj-x86_64-pc-linux-gnu/ipc/ipdl/PBackgroundChild.cpp:6305)

0x7f0debd9dd40 size = 240 bytes at byte offset 120
  mozilla::dmd::StackTrace::Get(mozilla::dmd::Thread*) (./mozilla-unified/memory/replace/dmd/DMD.cpp:664)
  mozilla::dmd::AllocCallback(void*, unsigned long, mozilla::dmd::Thread*) (./mozilla-unified/memory/replace/dmd/DMD.cpp:1025)
  replace_malloc(unsigned long) (./mozilla-unified/memory/replace/dmd/DMD.cpp:1093)
  moz_xmalloc (./mozilla-unified/memory/mozalloc/mozalloc.cpp:53)
  bool mozilla::SegmentedVector<mozilla::JSHolderMap::Entry, (unsigned long)256, InfallibleAllocPolicy>::Append<mozilla::JSHolderMap::Entry>(mozilla::JSHolderMap::Entry&&) (./mozilla-unified/obj-x86_64-pc-linux-gnu/dist/include/mozilla/SegmentedVector.h:162)
  mozilla::JSHolderMap::Put(void*, nsScriptObjectTracer*, JS::Zone*) (./mozilla-unified/xpcom/base/CycleCollectedJSRuntime.cpp:647)
  mozilla::cyclecollector::HoldJSObjectsImpl(nsISupports*) (./mozilla-unified/xpcom/base/HoldDropJSObjects.cpp:0)
  NS_NewChildProcessMessageManager(nsISupports**) (./mozilla-unified/dom/base/nsFrameMessageManager.cpp:1599)

0x7f0dd796c400 size = 640 bytes at byte offset 608
  mozilla::dmd::StackTrace::Get(mozilla::dmd::Thread*) (./mozilla-unified/memory/replace/dmd/DMD.cpp:664)
  mozilla::dmd::AllocCallback(void*, unsigned long, mozilla::dmd::Thread*) (./mozilla-unified/memory/replace/dmd/DMD.cpp:1025)
  replace_malloc(unsigned long) (./mozilla-unified/memory/replace/dmd/DMD.cpp:1093)
  moz_xmalloc (./mozilla-unified/memory/mozalloc/mozalloc.cpp:53)
  mozilla::detail::HashTable<mozilla::HashMapEntry<void*, mozilla::JSHolderMap::Entry*>, mozilla::HashMap<void*, mozilla::JSHolderMap::Entry*, mozilla::DefaultHasher<void*, void>, InfallibleAllocPolicy>::MapHashPolicy, InfallibleAllocPolicy>::createTable(InfallibleAllocPolicy&, unsigned int, mozi
  mozilla::detail::HashTable<mozilla::HashMapEntry<void*, mozilla::JSHolderMap::Entry*>, mozilla::HashMap<void*, mozilla::JSHolderMap::Entry*, mozilla::DefaultHasher<void*, void>, InfallibleAllocPolicy>::MapHashPolicy, InfallibleAllocPolicy>::changeTableSize(unsigned int, mozilla::detail::HashTab
  mozilla::detail::HashTable<mozilla::HashMapEntry<void*, mozilla::JSHolderMap::Entry*>, mozilla::HashMap<void*, mozilla::JSHolderMap::Entry*, mozilla::DefaultHasher<void*, void>, InfallibleAllocPolicy>::MapHashPolicy, InfallibleAllocPolicy>::remove(mozilla::detail::HashTable<mozilla::HashMapEntr
  mozilla::JSHolderMap::Extract(void*) (./mozilla-unified/xpcom/base/CycleCollectedJSRuntime.cpp:603)
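
The diagnosis above (a native PublicKeyCredential holding references that the cycle collector never learned about) is easier to follow with a small model of what a traverse method is for. The block below is an added illustration, not Gecko code and not part of the bug report: the names Participant, Link, CollectCycles and ObjectsFreedAtShutdown are inventions for this example, and the three-object scenario (native credential, its JS wrapper, a held JS buffer) is a constructed stand-in for the real object graph. It runs the same simplified collection twice, once with the credential reporting its edges and once with the traverse method missing, and counts how many objects can be freed.

```cpp
// Added toy model (not Gecko code) of why a missing cycle-collection
// Traverse method turns a harmless reference cycle into a shutdown leak.
// Participant, Link, CollectCycles and ObjectsFreedAtShutdown are names
// invented for this illustration; Gecko's real collector is far more involved.
#include <cstdio>
#include <functional>
#include <map>
#include <set>
#include <vector>

struct Participant {
  const char* name;
  int refcnt = 0;
  // Strong references this object owns. A correct Traverse reports all of them.
  std::vector<Participant*> edges;
  // The defect on this page: the credential owned references but had no
  // traverse method, so the collector never saw them.
  bool implementsTraverse = true;

  explicit Participant(const char* n) : name(n) {}

  void Traverse(const std::function<void(Participant*)>& report) const {
    if (!implementsTraverse) return;  // edges stay invisible to the collector
    for (Participant* e : edges) report(e);
  }
};

// Make `from` hold a strong reference to `to`.
void Link(Participant& from, Participant& to) {
  from.edges.push_back(&to);
  ++to.refcnt;
}

// Simplified synchronous cycle collection over a set of suspected objects:
//  1. count, for each node, the incoming edges the collector can see;
//  2. a node whose refcount exceeds its visible incoming edges has an owner
//     the collector does not know about, so it is treated as a root;
//  3. everything reachable from a root is live; the rest is garbage.
std::set<Participant*> CollectCycles(const std::vector<Participant*>& graph) {
  std::map<Participant*, int> visibleIncoming;
  for (Participant* n : graph) visibleIncoming[n] = 0;
  for (Participant* n : graph) {
    n->Traverse([&](Participant* e) {
      if (visibleIncoming.count(e)) ++visibleIncoming[e];
    });
  }

  std::set<Participant*> live;
  std::vector<Participant*> work;
  for (Participant* n : graph) {
    if (n->refcnt > visibleIncoming[n]) {
      live.insert(n);
      work.push_back(n);
    }
  }
  while (!work.empty()) {
    Participant* n = work.back();
    work.pop_back();
    n->Traverse([&](Participant* e) {
      if (visibleIncoming.count(e) && live.insert(e).second) work.push_back(e);
    });
  }

  std::set<Participant*> garbage;
  for (Participant* n : graph) {
    if (!live.count(n)) garbage.insert(n);
  }
  return garbage;
}

// Constructed scenario modelled on the report: a native credential keeps its
// JS reflector and a JS buffer alive, and the reflector keeps the native alive.
// Returns how many of the three objects the collector is able to free.
size_t ObjectsFreedAtShutdown(bool credentialImplementsTraverse) {
  Participant credential("PublicKeyCredential (native)");
  Participant reflector("credential JS wrapper");
  Participant rawId("rawId ArrayBuffer (JS)");
  credential.implementsTraverse = credentialImplementsTraverse;

  Link(reflector, credential);  // wrapper -> native
  Link(credential, reflector);  // native -> preserved wrapper
  Link(credential, rawId);      // native -> held JS object

  std::vector<Participant*> graph{&credential, &reflector, &rawId};
  std::set<Participant*> garbage = CollectCycles(graph);
  for (Participant* g : garbage) std::printf("freed: %s\n", g->name);
  return garbage.size();
}

int main() {
  std::printf("with traverse:    %zu of 3 freed\n", ObjectsFreedAtShutdown(true));
  std::printf("without traverse: %zu of 3 freed\n", ObjectsFreedAtShutdown(false));
  return 0;
}
```

With the traverse method present, every object's refcount is fully explained by edges inside the graph, so the whole cycle is garbage and all three objects are freed. With it missing, the wrapper and the buffer each appear to have an unknown external owner, are treated as roots, and keep the credential alive through the wrapper; nothing in the cycle is ever freed, which is the "leaking the world" condition at JS_ShutDown that the report describes. The push message on this page records the real fix as adding the missing traverse method to PublicKeyCredential.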

Assignee: nobody → jschanck
Status: NEW → ASSIGNED
Pushed by jschanck@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/58a336fdc050 Add missing cycle collection traverse method to PublicKeyCredential. r=keeler
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 111 Branch