Closed Bug 1034380 Opened 10 years ago Closed 10 years ago

Potential assertion failure in MessagePort structured cloning

Categories

(Core :: DOM: Core & HTML, defect)

Product:
Core
Component:
DOM: Core & HTML
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla33

People

(Reporter: jmorton, Assigned: jmorton)

Details

Attachments

(1 file, 2 obsolete files)

0001-Bug-1034380-Prevent-MessagePort-transferable-callbac.patch
816 bytes, patch
Details | Diff | Splinter Review 
See http://mxr.mozilla.org/mozilla-central/source/dom/base/MessagePort.cpp#188

This callback should not return true and a null returnObject. If JS_WrapObject fails, this could happen.
Assignee: nobody → jmorton

        Attachment #8450687 -
        Flags: review?(bzbarsky)

    
    

    
  
Comment on attachment 8450687 [details] [diff] [review]
0001-Bug-1034380-Prevent-MessagePort-transferable-callbac.patch

This doesn't handle the case when "obj" is null.  It also relies on falling through out of our tag == SCTAG_DOM_MAP_MESSAGEPORT block, which is ok for now, but would get worse once we had more cases.

I'd prefer we just do early returns of false as needed:

  if (!obj) {
    retunr false;
  }

etc.

        Attachment #8450687 -
        Flags: review?(bzbarsky) → review-

    
    

    
  


  
Hopefully more like what you were thinking.

        Attachment #8450687 -
        Attachment is obsolete: true

        Attachment #8451769 -
        Flags: review?(bzbarsky)

    
    

    
  
Comment on attachment 8451769 [details] [diff] [review]
0001-Bug-1034380-Prevent-MessagePort-transferable-callbac.patch

Looks great, thanks.  r=me.

        Attachment #8451769 -
        Flags: review?(bzbarsky) → review+

    
  
Keywords: checkin-needed

    
    

    
  
hi,

could you provide a Try link. Suggestions for what to run if you haven't
yet can be found here:
https://wiki.mozilla.org/Sheriffing/How:To:Recommended_Try_Practices
Keywords: checkin-needed

    
  
Keywords: checkin-needed

    
    

    
  
https://hg.mozilla.org/mozilla-central/rev/61a09b7b7e9d
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla33
Component: DOM → DOM: Core & HTML

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: