Closed
Bug 1008400
Opened 10 years ago
Closed 10 years ago
DataStore does not invoke DETH Traverse/Unlink
Categories
(Core :: DOM: Core & HTML, defect)
Core
DOM: Core & HTML
Tracking
()
RESOLVED
FIXED
mozilla32
| Tracking | Status | |
|---|---|---|
| firefox30 | --- | unaffected |
| firefox31 | --- | unaffected |
| firefox32 | --- | fixed |
| firefox-esr24 | --- | unaffected |
| b2g-v1.2 | --- | unaffected |
| b2g-v1.3 | --- | unaffected |
| b2g-v1.3T | --- | unaffected |
| b2g-v1.4 | --- | unaffected |
| b2g-v2.0 | --- | fixed |
People
(Reporter: mccr8, Assigned: mccr8)
References
(Blocks 1 open bug)
Details
(Keywords: regression, sec-high)
Attachments
(1 file)
|
1.22 KB,
patch
|
smaug
:
review+
|
Details | Diff | Splinter Review |
Data store is declared with: NS_DECL_CYCLE_COLLECTION_CLASS_INHERITED(DataStore, DOMEventTargetHelper) But then the actual declaration of Traverse/Unlink is: NS_IMPL_CYCLE_COLLECTION(DataStore, mStore) ...so the CC isn't going to actually trace the wrapper cache. I'm not sure how bad this really is, because I think the wrapper will still be rooted in the GC, but I'm not entirely sure of what the consequences are, and it seems like this recently landed, so we should just backport it. Found while working on a patch for bug 1008348.
|
Assignee | |
Comment 1•10 years ago
|
||
try run: https://tbpl.mozilla.org/?tree=Try&rev=6cabd1d69357
Attachment #8420648 -
Flags: review?(bugs)
|
||
Updated•10 years ago
|
Attachment #8420648 -
Flags: review?(bugs) → review+
|
|
Assignee | |
Updated•10 years ago
|
status-firefox31:
--- → unaffected
status-firefox32:
--- → affected
status-firefox-esr24:
--- → unaffected
|
||
Comment 2•10 years ago
|
||
> because I think the wrapper will still be rooted in the GC
But cycles through it won't be known to the cycle collector, then?
Seems like this must be either a GC hazard or a leak...
|
||
Comment 3•10 years ago
|
||
Thanks Andrew for catching this! \^O^/
|
|
Assignee | |
Comment 4•10 years ago
|
||
(In reply to Boris Zbarsky [:bz] from comment #2) > Seems like this must be either a GC hazard or a leak... Yes, it will certainly cause a leak in certain situations. Not telling the CC about something holding JS alive can cause the CC to unlink something that is actually alive. By itself, that will just cause null-derefs, but in concert with another error (where a class leaves dangling pointers after it is unlinked) that can cause sec-crits.
|
|
Assignee | |
Comment 5•10 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/a5f680de9c55
|
||
Comment 6•10 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/a5f680de9c55
Status: NEW → RESOLVED
Closed: 10 years ago
status-b2g-v1.2:
--- → unaffected
status-b2g-v1.3:
--- → unaffected
status-b2g-v1.3T:
--- → unaffected
status-b2g-v1.4:
--- → unaffected
status-b2g-v2.0:
--- → fixed
status-firefox30:
--- → unaffected
Resolution: --- → FIXED
Target Milestone: --- → mozilla32
|
||
Comment 7•10 years ago
|
||
Andrew, I'm assuming that since this was found via audit that we don't have a test case or steps to reproduce, so I'm marking qe-verify-. Feel free to let me know if that changes or if you'd like us to do more here. Thank you.
QA Whiteboard: qe-verify-
|
|
||
Updated•10 years ago
|
QA Whiteboard: qe-verify-
Flags: qe-verify-
|
||
Updated•10 years ago
|
Group: core-security
Keywords: regression
|
||
Updated•5 years ago
|
Component: DOM → DOM: Core & HTML
You need to log in
before you can comment on or make changes to this bug.
Description
•