Open
Bug 1084626
Opened 10 years ago
Updated 2 years ago
Remove support for Chrome -> Content leaks through debugger objects
Categories
(Core :: JavaScript Engine, defect)
Core
JavaScript Engine
Tracking
()
NEW
People
(Reporter: mccr8, Unassigned)
References
(Blocks 3 open bugs)
Details
(Whiteboard: [MemShrink:P2])
Attachments
(2 files)
|
25.21 KB,
patch
|
sfink
:
review+
|
Details | Diff | Splinter Review |
|
27.70 KB,
patch
|
Details | Diff | Splinter Review |
js::NukeCrossCompartmentWrappers only does things to wrappers that have kind CrossCompartmentKey::ObjectWrapper, but (aside from the deliberately avoid strings) there is also DebuggerScript, DebuggerSource, DebuggerObject, DebuggerEnvironment. As bug 1084605 shows, this is a bad situation, so we should extend support for them there. This is probably only a danger for people who use devtools, but that's still really bad.
|
Reporter | |
Comment 1•10 years ago
|
||
Thanks to billm for pointing out the relevant bits of code to me.
|
||
Updated•10 years ago
|
Assignee: nobody → continuation
Whiteboard: [MemShrink] → [MemShrink:P1]
|
|
Reporter | |
Comment 2•10 years ago
|
||
The obvious fix here of calling NukeCompartmentWrappers on all non-string CCWs didn't fix the leak: the Debugger object was still holding a reference to content.
|
|
Reporter | |
Comment 3•9 years ago
|
||
Is this something you could look into, Shu? Thanks.
Assignee: continuation → nobody
Flags: needinfo?(shu)
|
||
Comment 4•9 years ago
|
||
(In reply to Andrew McCreight [:mccr8] from comment #3) > Is this something you could look into, Shu? Thanks. Judging by comments 5 and 6 on bug 1084605, and comment 2 here that says nuking non-string CCWs didn't fix the leak: is this a Debugger issue, or a frontend issue? If it's the latter, I probably won't be of much help.
|
|
Reporter | |
Comment 5•9 years ago
|
||
(In reply to Shu-yu Guo [:shu] from comment #4) > Judging by comments 5 and 6 on bug 1084605, and comment 2 here that says > nuking non-string CCWs didn't fix the leak: is this a Debugger issue, or a > frontend issue? If it's the latter, I probably won't be of much help. There are two issues. First, the dev tools front end code shouldn't keep alive this debugger object, which is what bug 1084605 is about. Second, Gecko shouldn't let debugger code keep alive closed pages, which is what this bug is about.
|
|
||
Comment 6•9 years ago
|
||
Ah ha, I figured out why calling NukeCCWs on all-non-string CCWs didn't fix the leak. UncheckedUnwrap doesn't know how to unwrap the various Debugger* wrappers, so they act as identity on the Debugger objects. This means that the target compartment will *never* match, because the Debugger objects obviously are compartmentalized to the chrome compartment, not the outer window that just closed. The fix here would be 1) Teach UncheckedUnwrap to unwrap the various Debugger wrappers. I'm fairly sure that you can end up with Debugger wrappers of CCWs. 2) Teach NukeCrossCompartmentWrapper how to nuke Debugger wrappers with a sentinel dead value. 3) Make sure that all the Debugger wrappers check their referents being the sentinel value and throw.
Flags: needinfo?(shu)
|
||
Comment 7•9 years ago
|
||
(In reply to Shu-yu Guo [:shu] from comment #6) > 1) Teach UncheckedUnwrap to unwrap the various Debugger wrappers. I'm > fairly sure that you can end up with Debugger wrappers of CCWs. You definitely can: wrappers can affect the debuggee's view of an object, so Debugger must preserve that behavior. We have tests for this. > 2) Teach NukeCrossCompartmentWrapper how to nuke Debugger wrappers with a > sentinel dead value. > 3) Make sure that all the Debugger wrappers check their referents being the > sentinel value and throw. Sounds perfect.
|
|
||
Comment 8•9 years ago
|
||
Attachment #8546271 -
Flags: review?(jimb)
|
|
||
Comment 9•9 years ago
|
||
Comment on attachment 8546271 [details] [diff] [review] Hueyfix Debugger objects. Review of attachment 8546271 [details] [diff] [review]: ----------------------------------------------------------------- Switching review to sfink to ease review load on jimb.
Attachment #8546271 -
Flags: review?(jimb) → review?(sphink)
|
||
Comment 10•9 years ago
|
||
Comment on attachment 8546271 [details] [diff] [review] Hueyfix Debugger objects. Review of attachment 8546271 [details] [diff] [review]: ----------------------------------------------------------------- This stuff is crazy and scary, but it looks ok according to my myopic understanding of the JS engine. ::: js/src/proxy/CrossCompartmentWrapper.cpp @@ +488,5 @@ > AutoWrapperRooter wobj(cx, WrapperValue(e)); > JSObject *wrapped = UncheckedUnwrap(wobj); > > if (nukeReferencesToWindow == DontNukeWindowReferences && > wrapped->getClass()->ext.innerObject) If it's easy, you could hoist up this test into a shared ShouldNotNuke, but maybe it's not worth the trouble.
Attachment #8546271 -
Flags: review?(sphink) → review+
|
|
||
Comment 11•9 years ago
|
||
So hueyfixing Debugger objects makes dt fail, and I suppose exposes leaks: https://treeherder.mozilla.org/#/jobs?repo=try&revision=6d5c0261ff15 Can we get someone from devtools to look at those?
Flags: needinfo?(dcamp)
|
|
||
Comment 12•9 years ago
|
||
(In reply to Shu-yu Guo [:shu] from comment #11) > So hueyfixing Debugger objects makes dt fail, and I suppose exposes leaks: > > https://treeherder.mozilla.org/#/jobs?repo=try&revision=6d5c0261ff15 > > Can we get someone from devtools to look at those? To see that they're leaks, open the log and grep for "can't access dead object".
|
|
||
Updated•9 years ago
|
Assignee: nobody → shu
|
|
||
Comment 13•9 years ago
|
||
On second thought I'm going to unassign myself from the bug. Bug 1120784 isn't really something I'm qualified to fix.
Assignee: shu → nobody
|
|
Reporter | |
Updated•9 years ago
|
Blocks: GhostWindows
|
|
||
Comment 14•8 years ago
|
||
Unrotted for testing.
|
||
Comment 15•8 years ago
|
||
(In reply to Shu-yu Guo [:shu] from comment #11) > So hueyfixing Debugger objects makes dt fail, and I suppose exposes leaks: > > https://treeherder.mozilla.org/#/jobs?repo=try&revision=6d5c0261ff15 > > Can we get someone from devtools to look at those? Which tools' tests were failing? That link no longer points to anything.
|
|
||
Comment 16•8 years ago
|
||
(In reply to Nick Fitzgerald [:fitzgen] [⏰PDT; UTC-7] from comment #15) > (In reply to Shu-yu Guo [:shu] from comment #11) > > So hueyfixing Debugger objects makes dt fail, and I suppose exposes leaks: > > > > https://treeherder.mozilla.org/#/jobs?repo=try&revision=6d5c0261ff15 > > > > Can we get someone from devtools to look at those? > > Which tools' tests were failing? That link no longer points to anything. Unfortunately I don't remember, just that it was a close to every single one, probably because of how mochitests are run. Since they're run in one instance and tests are navigated from one to the next, stuff always leaks across navigations. Someone would need to submit un-bitrot the patch and submit another try run.
|
||
Comment 17•7 years ago
|
||
Dropping to P2 as this is isolated to the debugger.
Whiteboard: [MemShrink:P1] → [MemShrink:P2]
|
||
Updated•4 years ago
|
Blocks: js-debugger
|
|
Reporter | |
Updated•3 years ago
|
Blocks: dt-leak-reload
|
||
Updated•2 years ago
|
Severity: normal → S3
|
||
Comment 18•2 years ago
|
||
Clear a needinfo that is pending on an inactive user.
Inactive users most likely will not respond; if the missing information is essential and cannot be collected another way, the bug maybe should be closed as INCOMPLETE.
For more information, please visit auto_nag documentation.
Flags: needinfo?(dave.camp)
You need to log in
before you can comment on or make changes to this bug.
Description
•