Closed
Bug 644325
Opened 13 years ago
Closed 13 years ago
addMessageListener with an function object causes a compartment mismatch
Categories
(Core :: IPC, defect)
Tracking
()
VERIFIED
FIXED
People
(Reporter: jdm, Assigned: jdm)
References
Details
(Keywords: assertion)
Attachments
(2 files, 1 obsolete file)
6.79 KB,
text/plain
|
Details | |
2.01 KB,
patch
|
mrbkap
:
review+
christian
:
approval-mozilla-aurora+
|
Details | Diff | Splinter Review |
Dunno when this broke, but it seems that any instance of |addMessageListener("name", function(m) {})| asserts hard. Looking at the failing check, apparently the function object is in a different compartment than the context and wrapped thisValue. To reproduce, firefox -no-remote -P blank -chrome chrome://global/content/test-ipc.xul and click the add/remove message listener button.
Assignee | ||
Comment 1•13 years ago
|
||
Comment 2•13 years ago
|
||
I have no idea how to fix compartment mismatch problems.
Assignee | ||
Comment 3•13 years ago
|
||
Attachment #521319 -
Flags: review?(jst)
Comment 4•13 years ago
|
||
I saw this in an add-on was I am building. With the patch applied I see no crashes and the message is delivered correctly.
Whiteboard: [fennec-rc2?]
Comment 5•13 years ago
|
||
is this showing up on crash stats?
Comment 6•13 years ago
|
||
(In reply to comment #5) > is this showing up on crash stats? Not that I could find. I am wondering if using a global message manager is causes this compartment issue. I am building a bootstrapped addon, so I don't have access to a window when loading the content script. So I am using a global message manager. Josh's STR for the crash might not jive with my theory though. Given that we don't see these crashes in our browser-chrome tests, which use addMessageListener and JS funcs, maybe this is less of a critical issue than I originally thought.
Whiteboard: [fennec-rc2?]
Assignee | ||
Comment 7•13 years ago
|
||
My STR jives with your theory. The assertion I was seeing was in the content process using the global message manager.
Updated•13 years ago
|
Assignee: nobody → josh
tracking-fennec: ? → 2.0-
Whiteboard: [fennec-4.1?]
Comment 8•13 years ago
|
||
Please land on mozilla-central, then we can talk about whether it blocks a stability/security update
blocking2.0: ? → ---
Comment 9•13 years ago
|
||
Comment on attachment 521319 [details] [diff] [review] Wrap message receiver to avoid compartment errors. This looks ok to me, but I'm not 100% sure we end up in the desired compartment here. Blake, we end up entering the this object's compartment and wrapping both the function and its values. I'm wondering if we should simply enter the function's compartment here, and wrap the this object instead? This should all be chrome code afaict.
Attachment #521319 -
Flags: review?(mrbkap)
Attachment #521319 -
Flags: review?(jst)
Attachment #521319 -
Flags: review+
Comment 10•13 years ago
|
||
So, I'm a little confused by the compartment stuff in this function. I suspect that, like jst says, this mostly works because most of the compartments in play here are chrome. It seems like what should happen is that we should enter |object|'s compartment as soon as we do the JSAutoEnterRequest. Also, the scope to the calls for WrapNative should probably either be |object| or JS_GetGlobalForObject(cx, object) (that has the effect of doing the WrapObject for you). My only concern then would be aObjectsArray, but if that's always in the chrome compartment, then you probably don't have to worry about it. Am I off-base? If so, I'll stamp r+.
Assignee | ||
Comment 11•13 years ago
|
||
I do not believe aObjectsArray is ever non-null right now. That may change with bsmedberg's work to add handles to messages, but that is not landing imminently. Therefore, I believe that aObjectsArray is always in the chrome compartment.
Comment 12•13 years ago
|
||
To be clear, the aObjectsArray question was in addition to the other stuff I said.
Assignee | ||
Comment 13•13 years ago
|
||
Right; I was just clarifying my about the one bit that you seemed unsure about. The rest sounds sensible, and I'd whip up a patch if I actually had a machine on which I could build and a recent tree. Unfortunately, someone else is probably going to have to do it if this patch is going to be written before June.
Updated•13 years ago
|
Attachment #521319 -
Flags: review?(mrbkap)
Updated•13 years ago
|
tracking-fennec: - → 7+
Whiteboard: [fennec-4.1?]
Updated•13 years ago
|
Keywords: checkin-needed
Comment 14•13 years ago
|
||
http://hg.mozilla.org/mozilla-central/rev/7e3efb1073a9
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Assignee | ||
Comment 15•13 years ago
|
||
Olli, based on Blake's comments in comment 10, I don't think the attached patch should have landed. I'm uploading a more correct patch imminently.
Assignee | ||
Updated•13 years ago
|
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Assignee | ||
Comment 16•13 years ago
|
||
Attachment #521319 -
Attachment is obsolete: true
Attachment #532029 -
Flags: review?(mrbkap)
Comment 17•13 years ago
|
||
Oh. Sorry. I needed the patch since test.xul didn't work without it.
Updated•13 years ago
|
Keywords: checkin-needed
Comment 18•13 years ago
|
||
Comment on attachment 532029 [details] [diff] [review] Patch Looks good. Thanks.
Attachment #532029 -
Flags: review?(mrbkap) → review+
Comment 19•13 years ago
|
||
jdm asked for some testing of the patch in #mobile. I did about 15 min of browsing without issue. Is there something specific we should look for in the build? http://people.mozilla.com/tmp/fennec-644325-6.0a1.en-US.eabi-arm.apk
Assignee | ||
Comment 20•13 years ago
|
||
I just wanted to make sure that nothing else seemed terribly broken by the changes, since I tested the case that this was originally failing on. When somebody pushes, please backout 7e3efb1073a9 and push this patch instead.
Keywords: checkin-needed
Whiteboard: [read comment 20 before pushing]
Assignee | ||
Comment 21•13 years ago
|
||
http://hg.mozilla.org/mozilla-central/rev/5a47cc68c631 - the backout http://hg.mozilla.org/mozilla-central/rev/3ff03c212c7f - the new, correct patch
Status: REOPENED → RESOLVED
Closed: 13 years ago → 13 years ago
Keywords: checkin-needed
Resolution: --- → FIXED
Whiteboard: [read comment 20 before pushing]
Assignee | ||
Comment 22•13 years ago
|
||
Comment on attachment 532029 [details] [diff] [review] Patch This fixes a crash for certain uses of the API we expect addons to use.
Attachment #532029 -
Flags: approval-mozilla-aurora?
Assignee | ||
Comment 23•13 years ago
|
||
Risk: it's known that this patch does cause other crashes which are understood fixed by the approved-but-dependent bug 664821. Reward: this fixes a crash in a well-understood way which can be triggered by extension authors.
Assignee | ||
Comment 24•13 years ago
|
||
Typo: comment 23 should have read "understood AND fixed"
Comment 25•13 years ago
|
||
Comment on attachment 532029 [details] [diff] [review] Patch Approved for releases/mozilla-aurora. Please land ASAP
Attachment #532029 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Assignee | ||
Comment 26•13 years ago
|
||
http://hg.mozilla.org/releases/mozilla-aurora/rev/045847071b97
Updated•13 years ago
|
status-firefox6:
--- → fixed
status-firefox7:
--- → fixed
Comment 27•13 years ago
|
||
Hi Josh, In the bug description you said "To reproduce, firefox -no-remote -P blank -chrome chrome://global/content/test-ipc.xul and click the add/remove message listener button." I used that but there was only one button for adding listeners, the "test listener add/remove" button. Is this the button you were referring to? An alert with the "Expected echo message" string and an "OK" button was displayed when I clicked that button. Is this the expected result? If not, can you or anyone else please help me with a test case or with STR / guidelines that I can use to verify this fix? Thank you
Assignee | ||
Comment 28•13 years ago
|
||
Yes, that is the button I meant, and that is the expected result.
Comment 29•13 years ago
|
||
Verified fixed on: Mozilla/5.0 (X11; Linux x86_64; rv:6.0) Gecko/20100101 Firefox/6.0 Mozilla/5.0 (X11; Linux i686 on x86_64; rv:7.0) Gecko/20100101 Firefox/7.0 Used scenario: 1. Start Firefox like this: firefox -no-remote -P blank -chrome chrome://global/content/test-ipc.xul 2. Tap on the "test listener add/remove" button. An alert with the "Expected echo message" string and an "OK" button are displayed when I clicked that button.
Status: RESOLVED → VERIFIED
You need to log in
before you can comment on or make changes to this bug.
Description
•