Closed
Bug 1044205
Opened 10 years ago
Closed 10 years ago
XPCWrappedNativeScope::TraceSelf isn't invoked for Sandboxes
Categories
(Core :: XPConnect, defect)
Tracking
()
VERIFIED
FIXED
mozilla34
People
(Reporter: bholley, Assigned: bholley)
References
Details
(Keywords: sec-critical, Whiteboard: [embargo until esr24 eol][adv-main32-][adv-esr31.1-])
Attachments
(2 files)
878 bytes,
patch
|
billm
:
review+
|
Details | Diff | Splinter Review |
4.33 KB,
patch
|
billm
:
review+
Sylvestre
:
approval-mozilla-aurora+
Sylvestre
:
approval-mozilla-beta+
Sylvestre
:
approval-mozilla-esr31+
|
Details | Diff | Splinter Review |
TraceSelf traces the various global objects we have hanging off the XPCWrappedNativeScope - the global object, the XBL scopes, and various addon scopes. And since bug 973780 (FF30), we've started also using it to trace the JS::WeakMapPtr for Xray expandos. Each WN's trace hook invokes TraceSelf() on its scope, so WN globals are safe. Additionally, CreateGlobalOptions<nsGlobalWindow>::TraceGlobal invokes it, so DOM Windows are safe (on new or old bindings). But the global trace hook for Sandboxes just invokes TraceXBLGlobal, which doesn't invoke TraceSelf. So if we have a Sandbox that doesn't have a single WN in its scope _and_ places Xray expandos, we're in trouble. I bet this is what's causing bug 1039547. The fix here should actually be relatively simple. Let me try writing it up.
Assignee | ||
Comment 1•10 years ago
|
||
Attachment #8463600 -
Flags: review?(wmccloskey)
Assignee | ||
Comment 2•10 years ago
|
||
Attachment #8463601 -
Flags: review?(wmccloskey)
Assignee | ||
Comment 3•10 years ago
|
||
https://tbpl.mozilla.org/?tree=Try&rev=593c9aaa05c6
Attachment #8463600 -
Flags: review?(wmccloskey) → review+
Attachment #8463601 -
Flags: review?(wmccloskey) → review+
Assignee | ||
Comment 4•10 years ago
|
||
remote: https://hg.mozilla.org/integration/mozilla-inbound/rev/a7e93657a42f remote: https://hg.mozilla.org/integration/mozilla-inbound/rev/87d020110245 remote: https://hg.mozilla.org/integration/mozilla-inbound/rev/5e251fca362f
Comment 5•10 years ago
|
||
Does this affect all versions back to 30? If so, as a sec-crit bug, it should have gotten sec-approval before landing.
Assignee | ||
Comment 6•10 years ago
|
||
(In reply to Andrew McCreight [:mccr8] from comment #5) > Does this affect all versions back to 30? If so, as a sec-crit bug, it > should have gotten sec-approval before landing. Doh - sorry for the slip-up. :-( For what it's worth, I'm pretty sure landing it right now would have been the eventual conclusion. We need to get this on trunk, see if it fixes the very conspicuous (and public) stability issues in bug 1039547, and get it backported.
status-b2g-v2.0:
--- → affected
status-b2g-v2.1:
--- → affected
status-firefox31:
--- → affected
status-firefox32:
--- → affected
status-firefox33:
--- → affected
status-firefox34:
--- → affected
status-firefox-esr24:
--- → affected
status-firefox-esr31:
--- → affected
tracking-firefox32:
--- → ?
tracking-firefox33:
--- → ?
tracking-firefox34:
--- → ?
tracking-firefox-esr31:
--- → ?
Assignee | ||
Comment 7•10 years ago
|
||
Kairo, when this hits central, can you check whether it fixes the crashes in bug 1039547?
Flags: needinfo?(kairo)
Updated•10 years ago
|
tracking-firefox-esr24:
--- → +
Comment 8•10 years ago
|
||
> see if it fixes the very conspicuous (and public) stability issues in bug 1039547, and get it backported.
Ah, yeah, that makes sense.
https://hg.mozilla.org/mozilla-central/rev/a7e93657a42f https://hg.mozilla.org/mozilla-central/rev/87d020110245 https://hg.mozilla.org/mozilla-central/rev/5e251fca362f
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla34
Comment 10•10 years ago
|
||
Comment 5 says this is 30+, but esr24 is marked as affected?
status-b2g-v1.3:
--- → unaffected
status-b2g-v1.3T:
--- → unaffected
status-b2g-v1.4:
--- → affected
Flags: needinfo?(bobbyholley)
Assignee | ||
Comment 11•10 years ago
|
||
(In reply to Ryan VanderMeulen [:RyanVM UTC-4] from comment #10) > Comment 5 says this is 30+, but esr24 is marked as affected? The underlying issue still exists there, but the factors that make it more dangerous (tracing non-globals + GGC) are more recent. Backporting this to esr24 is probably more risk than it's worth though - I think we should just wontfix it there and embargo for 10 weeks.
Flags: needinfo?(bobbyholley)
Whiteboard: [embargo until esr24 eol]
Updated•10 years ago
|
Comment 12•10 years ago
|
||
I don't see any of these crashes after the 7/28 build, so it looks like this worked. Please request aurora and beta approval.
Flags: needinfo?(kairo)
Assignee | ||
Comment 13•10 years ago
|
||
Comment on attachment 8463601 [details] [diff] [review] Part 2 - Invoke XPCWrappedNativeScope::TraceSelf from TraceXPCGlobal. v1 This approval request applies to all the patches in this bug that landed on m-c (including the one that's not on bugzilla). [Approval Request Comment] Bug caused by (feature/regressing bug #): longstanding, but exacerbated by bug 973780 User impact if declined: Crashes. This is the top stability issue on 33 (see the dependent bug) Testing completed: Landed on m-c, eliminated the crashes. Risk to taking this patch (and alternatives if risky): Medium-low risk - this patch changes GC behavior, but does so in a pretty safe way. No alternatives. String or UUID changes made by this patch: None
Attachment #8463601 -
Flags: approval-mozilla-beta?
Attachment #8463601 -
Flags: approval-mozilla-b2g32?
Attachment #8463601 -
Flags: approval-mozilla-b2g30?
Attachment #8463601 -
Flags: approval-mozilla-aurora?
Assignee | ||
Comment 14•10 years ago
|
||
(In reply to Bobby Holley (:bholley) from comment #13) > User impact if declined: Crashes. This is the top stability issue on 33 (see > the dependent bug) Er, crashes _and_ sec-crits.
Comment 15•10 years ago
|
||
Comment on attachment 8463601 [details] [diff] [review] Part 2 - Invoke XPCWrappedNativeScope::TraceSelf from TraceXPCGlobal. v1 Bobby, what about ESR 31?
Attachment #8463601 -
Flags: approval-mozilla-beta?
Attachment #8463601 -
Flags: approval-mozilla-beta+
Attachment #8463601 -
Flags: approval-mozilla-aurora?
Attachment #8463601 -
Flags: approval-mozilla-aurora+
Flags: needinfo?(bobbyholley)
Assignee | ||
Comment 16•10 years ago
|
||
Comment on attachment 8463601 [details] [diff] [review] Part 2 - Invoke XPCWrappedNativeScope::TraceSelf from TraceXPCGlobal. v1 Sorry, meant to flag that as well.
Attachment #8463601 -
Flags: approval-mozilla-esr31?
Flags: needinfo?(bobbyholley)
Updated•10 years ago
|
Attachment #8463601 -
Flags: approval-mozilla-b2g32?
Attachment #8463601 -
Flags: approval-mozilla-b2g30?
Updated•10 years ago
|
Attachment #8463601 -
Flags: approval-mozilla-esr31? → approval-mozilla-esr31+
Assignee | ||
Comment 17•10 years ago
|
||
Ryan, is there a reason you cancelled the b2g approval requests?
Flags: needinfo?(ryanvm)
Comment 18•10 years ago
|
||
32 is beta right now, so anything on beta gets merged to b2g32. (I don't know about the b2g30 part of that.)
Comment 19•10 years ago
|
||
Comment 18 and sec-crits have auto-approval for b2g30. Bobby, can you jump on IRC and ping me quick?
Flags: needinfo?(ryanvm)
Comment 20•10 years ago
|
||
https://hg.mozilla.org/releases/mozilla-aurora/rev/59824d8a19aa https://hg.mozilla.org/releases/mozilla-aurora/rev/29467b1808ed https://hg.mozilla.org/releases/mozilla-aurora/rev/450f2f3dc306 https://hg.mozilla.org/releases/mozilla-beta/rev/a979f156f8d1 https://hg.mozilla.org/releases/mozilla-beta/rev/7fb3c0ed4417 https://hg.mozilla.org/releases/mozilla-beta/rev/72c66ced503e Needs rebasing for 30/31.
Assignee | ||
Comment 21•10 years ago
|
||
remote: https://hg.mozilla.org/releases/mozilla-b2g30_v1_4/rev/bd707e8210db remote: https://hg.mozilla.org/releases/mozilla-b2g30_v1_4/rev/bab00ee58d07 remote: https://hg.mozilla.org/releases/mozilla-b2g30_v1_4/rev/60d3725443a5
Comment 22•10 years ago
|
||
https://hg.mozilla.org/releases/mozilla-b2g32_v2_0/rev/a979f156f8d1 https://hg.mozilla.org/releases/mozilla-b2g32_v2_0/rev/7fb3c0ed4417 https://hg.mozilla.org/releases/mozilla-b2g32_v2_0/rev/72c66ced503e
Assignee | ||
Comment 23•10 years ago
|
||
remote: https://hg.mozilla.org/releases/mozilla-esr31/rev/a0d2de65ad9f remote: https://hg.mozilla.org/releases/mozilla-esr31/rev/143ab340f7a2 remote: https://hg.mozilla.org/releases/mozilla-esr31/rev/36c0b5bf5bd0
Comment 24•10 years ago
|
||
Marking this so the QA team will track it for verification in the current cycle.
Keywords: verifyme
Comment 25•10 years ago
|
||
There are no longer reports of these crash signatures on builds since this landed, at least on desktop.
Status: RESOLVED → VERIFIED
Keywords: verifyme
Comment 26•10 years ago
|
||
Setting flags based on Tracy's comment above.
Updated•10 years ago
|
Whiteboard: [embargo until esr24 eol] → [embargo until esr24 eol][adv-main32-][adv-esr31.1-]
Updated•9 years ago
|
Group: core-security → core-security-release
Updated•8 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•