Closed
Bug 919717
Opened 11 years ago
Closed 11 years ago
Make sure to have unmarked nsWrappedJS::mJSObj when weak WrappedJS becomes strong again
Categories
(Core :: XPConnect, defect)
Tracking
()
RESOLVED
FIXED
mozilla27
Tracking | Status | |
---|---|---|
firefox27 | --- | fixed |
firefox-esr17 | --- | unaffected |
firefox-esr24 | --- | wontfix |
b2g18 | --- | unaffected |
People
(Reporter: smaug, Assigned: smaug)
References
Details
(Keywords: sec-other, Whiteboard: [qa-][adv-main27-])
Attachments
(1 file)
(deleted),
patch
|
mccr8
:
review+
|
Details | Diff | Splinter Review |
nsWrappedJS has odd refcounting. When refcnt is 1, mJSObj isn't traced, but
nsWrappedJS is just Released in XPCJSRuntime::FinalizeCallback assuming the mJSObj is
about to be finalized.
But if refcnt is increased back to > 1, nsWrappedJS is added to AddWrappedJSRoot
and the next time tracing happens, mJSObj is traced the usual way.
However if finalization happens before tracing, nsWrappedJS may end up having refcnt
2 during finalization and mJSObj will keep pointing to the now-finalized object.
I've run the tests now 10+ times without problem
TEST_PATH=dom/plugins/test make -C ff_build mochitest-chrome
and initial results from https://tbpl.mozilla.org/?tree=Try&rev=a6a036903891
start to look good.
The patch adds also a null check to GetJSObject since it in principle should have one
(and used to have one until recently when khuey removed null-safe unmarkGray).
Attachment #808779 -
Flags: review?(continuation)
Assignee | ||
Comment 1•11 years ago
|
||
Not quite sure whether this bug needs to be security sensitive. I don't know how to trigger it from a web page given that it requires one to have weak ref to a wrappedJS, and web APIs don't have such things.
Assignee | ||
Comment 2•11 years ago
|
||
Perhaps the comment shouldn't be about unmarking gray,
but "Make sure the JSObject is exposed to active JS."
Comment 3•11 years ago
|
||
Bill and Jon may find this interesting. A weird corner case of the interaction of browser root tracing and incremental GC.
Comment 4•11 years ago
|
||
Comment on attachment 808779 [details] [diff] [review]
patch
Review of attachment 808779 [details] [diff] [review]:
-----------------------------------------------------------------
I guess this is really just implementing a write barrier (unmark gray during a GC triggers a write barrier I think). It makes me a little nervous about the other kinds of XPC roots we have, but I'd guess none of the rest have this weird weak reference lifetime stuff.
Attachment #808779 -
Flags: review?(continuation) → review+
Comment 5•11 years ago
|
||
I'll mark this -other unless you think this could be a real problem.
Keywords: sec-other
Assignee | ||
Comment 6•11 years ago
|
||
Comment 7•11 years ago
|
||
Status: NEW → RESOLVED
Closed: 11 years ago
status-firefox27:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla27
Updated•11 years ago
|
status-b2g18:
--- → unaffected
status-firefox-esr17:
--- → unaffected
status-firefox-esr24:
--- → wontfix
Comment 1 is private:
false
Updated•11 years ago
|
Whiteboard: [qa-]
Updated•11 years ago
|
Whiteboard: [qa-] → [qa-][adv-main27-]
Updated•10 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•