Bug 1125005 - Assertion failure: false (Try to avoid re-entering ReleaseNow!)
Status: Closed, RESOLVED FIXED (target milestone mozilla38). Opened 9 years ago, closed 9 years ago.
Categories: Core :: Layout, defect
Tracking: firefox38 fixed
People: Reporter: jya, Assigned: mccr8
Details: Keywords: sec-other, Whiteboard: [adv-main38-]
Attachments (2 files):
- 138.87 KB, text/plain
- 1019 bytes, patch (smaug: review+)
I am running the patch from bug 1124603 (without it central is unusable on my machine).

(lldb) bt
* thread #1: tid = 0x590e31, 0x0000000103619b63 XUL`mozilla::IncrementalFinalizeRunnable::ReleaseNow(this=0x000000011e17b400, aLimited=false) + 83 at CycleCollectedJSRuntime.cpp:1137, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x0000000103619b63 XUL`mozilla::IncrementalFinalizeRunnable::ReleaseNow(this=0x000000011e17b400, aLimited=false) + 83 at CycleCollectedJSRuntime.cpp:1137
    frame #1: 0x000000010361a0f3 XUL`mozilla::CycleCollectedJSRuntime::FinalizeDeferredThings(this=0x0000000100475000, aType=FinalizeNow) + 83 at CycleCollectedJSRuntime.cpp:1218
    frame #2: 0x000000010361849c XUL`mozilla::CycleCollectedJSRuntime::OnGC(this=0x0000000100475000, aStatus=JSGC_END) + 204 at CycleCollectedJSRuntime.cpp:1276
    frame #3: 0x00000001036171d1 XUL`mozilla::CycleCollectedJSRuntime::GCCallback(aRuntime=0x0000000117ec4000, aStatus=JSGC_END, aData=0x0000000100475000) + 145 at CycleCollectedJSRuntime.cpp:749
    frame #4: 0x00000001090e018f XUL`js::gc::GCRuntime::collect(this=0x0000000117ec4360, incremental=true, budget=(deadline = 9223372036854775807, counter = 9223372036854379390), reason=MAYBEGC) + 1151 at jsgc.cpp:6213
    frame #5: 0x00000001090d43d3 XUL`js::gc::GCRuntime::startGC(this=0x0000000117ec4360, gckind=GC_NORMAL, reason=MAYBEGC, millis=0) + 179 at jsgc.cpp:6277
    frame #6: 0x000000010908ede8 XUL`js::gc::GCRuntime::maybeGC(this=0x0000000117ec4360, zone=0x000000012a98f800) + 424 at jsgc.cpp:3246
    frame #7: 0x000000010908ec1f XUL`JS_MaybeGC(cx=0x000000012b04d4e0) + 63 at jsapi.cpp:1666
    frame #8: 0x0000000104dffd81 XUL`mozilla::dom::AutoEntryScript::~AutoEntryScript(this=0x00007fff5fbfae28) + 129 at ScriptSettings.cpp:560
    frame #9: 0x0000000104dffdd5 XUL`mozilla::dom::AutoEntryScript::~AutoEntryScript(this=0x00007fff5fbfae28) + 21 at ScriptSettings.cpp:548
    frame #10: 0x00000001044c2160 XUL`nsXPCWrappedJSClass::CallMethod(this=0x000000011e175ba0, wrapper=0x0000000121a49800, methodIndex=4, info_=0x0000000117e2b380, nativeParams=0x00007fff5fbfb040) + 11040 at XPCWrappedJSClass.cpp:1428
    frame #11: 0x00000001044bad7b XUL`nsXPCWrappedJS::CallMethod(this=0x0000000121a49800, methodIndex=4, info=0x0000000117e2b380, params=0x00007fff5fbfb040) + 203 at XPCWrappedJS.cpp:532
    frame #12: 0x000000010372adc6 XUL`PrepareAndDispatch(self=0x000000011e156720, methodIndex=4, args=0x00007fff5fbfb160, gpregs=0x00007fff5fbfb0e0, fpregs=0x00007fff5fbfb110) + 1654 at xptcstubs_x86_64_darwin.cpp:122
    frame #13: 0x00000001037297db XUL`SharedStub + 91
    frame #14: 0x00000001072f096e XUL`nsTreeBodyFrame::DestroyFrom(this=0x0000000131ca1948, aDestructRoot=0x0000000131bd1458) + 862 at nsTreeBodyFrame.cpp:311
    frame #15: 0x00000001070fed94 XUL`nsFrameList::DestroyFramesFrom(this=0x0000000131ca15d8, aDestructRoot=0x0000000131bd1458) + 132 at nsFrameList.cpp:54
    frame #16: 0x000000010709006a XUL`nsContainerFrame::DestroyFrom(this=0x0000000131ca1578, aDestructRoot=0x0000000131bd1458) + 122 at nsContainerFrame.cpp:201
    frame #17: 0x0000000107298d1e XUL`nsBoxFrame::DestroyFrom(this=0x0000000131ca1578, aDestructRoot=0x0000000131bd1458) + 78 at nsBoxFrame.cpp:958
    frame #18: 0x00000001070fed94 XUL`nsFrameList::DestroyFramesFrom(this=0x0000000131ca1208, aDestructRoot=0x0000000131bd1458) + 132 at nsFrameList.cpp:54
    frame #19: 0x000000010709006a XUL`nsContainerFrame::DestroyFrom(this=0x0000000131ca11a8, aDestructRoot=0x0000000131bd1458) + 122 at nsContainerFrame.cpp:201
    frame #20: 0x0000000107298d1e XUL`nsBoxFrame::DestroyFrom(this=0x0000000131ca11a8, aDestructRoot=0x0000000131bd1458) + 78 at nsBoxFrame.cpp:958
    frame #21: 0x00000001070fed94 XUL`nsFrameList::DestroyFramesFrom(this=0x0000000131ca07b8, aDestructRoot=0x0000000131bd1458) + 132 at nsFrameList.cpp:54
    frame #22: 0x000000010709006a XUL`nsContainerFrame::DestroyFrom(this=0x0000000131ca0758, aDestructRoot=0x0000000131bd1458) + 122 at nsContainerFrame.cpp:201
    frame #23: 0x0000000107298d1e XUL`nsBoxFrame::DestroyFrom(this=0x0000000131ca0758, aDestructRoot=0x0000000131bd1458) + 78 at nsBoxFrame.cpp:958
    frame #24: 0x00000001070fed94 XUL`nsFrameList::DestroyFramesFrom(this=0x0000000131c9a530, aDestructRoot=0x0000000131bd1458) + 132 at nsFrameList.cpp:54
    frame #25: 0x000000010709006a XUL`nsContainerFrame::DestroyFrom(this=0x0000000131c9a4d0, aDestructRoot=0x0000000131bd1458) + 122 at nsContainerFrame.cpp:201
    frame #26: 0x0000000107298d1e XUL`nsBoxFrame::DestroyFrom(this=0x0000000131c9a4d0, aDestructRoot=0x0000000131bd1458) + 78 at nsBoxFrame.cpp:958
    frame #27: 0x00000001070fed94 XUL`nsFrameList::DestroyFramesFrom(this=0x0000000131c99d60, aDestructRoot=0x0000000131bd1458) + 132 at nsFrameList.cpp:54
    frame #28: 0x000000010709006a XUL`nsContainerFrame::DestroyFrom(this=0x0000000131c99d00, aDestructRoot=0x0000000131bd1458) + 122 at nsContainerFrame.cpp:201
    frame #29: 0x0000000107298d1e XUL`nsBoxFrame::DestroyFrom(this=0x0000000131c99d00, aDestructRoot=0x0000000131bd1458) + 78 at nsBoxFrame.cpp:958
    frame #30: 0x00000001070fed94 XUL`nsFrameList::DestroyFramesFrom(this=0x0000000121a56260, aDestructRoot=0x0000000131bd1458) + 132 at nsFrameList.cpp:54
    frame #31: 0x000000010709006a XUL`nsContainerFrame::DestroyFrom(this=0x0000000121a56200, aDestructRoot=0x0000000131bd1458) + 122 at nsContainerFrame.cpp:201
    frame #32: 0x0000000107298d1e XUL`nsBoxFrame::DestroyFrom(this=0x0000000121a56200, aDestructRoot=0x0000000131bd1458) + 78 at nsBoxFrame.cpp:958
    frame #33: 0x00000001070fed94 XUL`nsFrameList::DestroyFramesFrom(this=0x0000000131c94a70, aDestructRoot=0x0000000131bd1458) + 132 at nsFrameList.cpp:54
    frame #34: 0x000000010709006a XUL`nsContainerFrame::DestroyFrom(this=0x0000000131c94a10, aDestructRoot=0x0000000131bd1458) + 122 at nsContainerFrame.cpp:201
    frame #35: 0x0000000107298d1e XUL`nsBoxFrame::DestroyFrom(this=0x0000000131c94a10, aDestructRoot=0x0000000131bd1458) + 78 at nsBoxFrame.cpp:958
    frame #36: 0x000000010715cf4f XUL`nsLineBox::DeleteLineList(aPresContext=0x0000000131a63000, aLines=0x0000000131c943c8, aDestructRoot=0x0000000131bd1458, aFrames=0x0000000131c943b0) + 335 at nsLineBox.cpp:391
    frame #37: 0x000000010708fa84 XUL`nsBlockFrame::DestroyFrom(this=0x0000000131c94350, aDestructRoot=0x0000000131bd1458) + 164 at nsBlockFrame.cpp:323
    frame #38: 0x000000010715cf4f XUL`nsLineBox::DeleteLineList(aPresContext=0x0000000131a63000, aLines=0x0000000131c93b18, aDestructRoot=0x0000000131bd1458, aFrames=0x0000000131c93b00) + 335 at nsLineBox.cpp:391
    frame #39: 0x000000010708fa84 XUL`nsBlockFrame::DestroyFrom(this=0x0000000131c93aa0, aDestructRoot=0x0000000131bd1458) + 164 at nsBlockFrame.cpp:323
    frame #40: 0x00000001070fed94 XUL`nsFrameList::DestroyFramesFrom(this=0x0000000131bd21d0, aDestructRoot=0x0000000131bd1458) + 132 at nsFrameList.cpp:54
    frame #41: 0x000000010709006a XUL`nsContainerFrame::DestroyFrom(this=0x0000000131bd2170, aDestructRoot=0x0000000131bd1458) + 122 at nsContainerFrame.cpp:201
    frame #42: 0x00000001070b7cd5 XUL`nsCanvasFrame::DestroyFrom(this=0x0000000131bd2170, aDestructRoot=0x0000000131bd1458) + 501 at nsCanvasFrame.cpp:203
    frame #43: 0x00000001070fed94 XUL`nsFrameList::DestroyFramesFrom(this=0x0000000131bd24e8, aDestructRoot=0x0000000131bd1458) + 132 at nsFrameList.cpp:54
    frame #44: 0x000000010709006a XUL`nsContainerFrame::DestroyFrom(this=0x0000000131bd2488, aDestructRoot=0x0000000131bd1458) + 122 at nsContainerFrame.cpp:201
    frame #45: 0x0000000107110f69 XUL`nsHTMLScrollFrame::DestroyFrom(this=0x0000000131bd2488, aDestructRoot=0x0000000131bd1458) + 73 at nsGfxScrollFrame.cpp:135
    frame #46: 0x00000001070fed94 XUL`nsFrameList::DestroyFramesFrom(this=0x0000000131bd14b8, aDestructRoot=0x0000000131bd1458) + 132 at nsFrameList.cpp:54
    frame #47: 0x000000010709006a XUL`nsContainerFrame::DestroyFrom(this=0x0000000131bd1458, aDestructRoot=0x0000000131bd1458) + 122 at nsContainerFrame.cpp:201
    frame #48: 0x000000010700da0e XUL`nsIFrame::Destroy(this=0x0000000131bd1458) + 30 at nsIFrame.h:442
    frame #49: 0x0000000106f8f5cf XUL`nsFrameManager::Destroy(this=0x000000013196a050) + 143 at nsFrameManager.cpp:136
    frame #50: 0x0000000106f8f468 XUL`nsCSSFrameConstructor::WillDestroyFrameTree(this=0x000000013196a050) + 120 at nsCSSFrameConstructor.cpp:8466
    frame #51: 0x000000010703793e XUL`PresShell::Destroy(this=0x0000000131b9e000) + 2526 at nsPresShell.cpp:1245
    frame #52: 0x0000000106fd9a4b XUL`nsDocumentViewer::DestroyPresShell(this=0x000000012f579d00) + 251 at nsDocumentViewer.cpp:4424
    frame #53: 0x0000000106fd1fb5 XUL`nsDocumentViewer::Destroy(this=0x000000012f579d00) + 1829 at nsDocumentViewer.cpp:1673
    frame #54: 0x00000001076c2e38 XUL`nsSHEntryShared::RemoveFromBFCacheSync(this=0x0000000131968100) + 200 at nsSHEntryShared.cpp:242
    frame #55: 0x00000001076c3867 XUL`nsSHEntryShared::~nsSHEntryShared(this=0x0000000131968100) + 231 at nsSHEntryShared.cpp:102
    frame #56: 0x00000001076c39a5 XUL`nsSHEntryShared::~nsSHEntryShared(this=0x0000000131968100) + 21 at nsSHEntryShared.cpp:84
    frame #57: 0x00000001076c3d15 XUL`nsSHEntryShared::Release(this=0x0000000131968100) + 501 at nsSHEntryShared.cpp:106
    frame #58: 0x00000001076d247d XUL`nsRefPtr<nsSHEntryShared>::~nsRefPtr(this=0x000000012fbe85d8) + 45 at nsRefPtr.h:60
    frame #59: 0x00000001076ced25 XUL`nsRefPtr<nsSHEntryShared>::~nsRefPtr(this=0x000000012fbe85d8) + 21 at nsRefPtr.h:58
    frame #60: 0x00000001076bfd70 XUL`nsSHEntry::~nsSHEntry(this=0x000000012fbe85b0) + 272 at nsSHEntry.cpp:76
    frame #61: 0x00000001076bfde5 XUL`nsSHEntry::~nsSHEntry(this=0x000000012fbe85b0) + 21 at nsSHEntry.cpp:73
    frame #62: 0x00000001076c0265 XUL`nsSHEntry::Release(this=0x000000012fbe85b0) + 501 at nsSHEntry.cpp:82
    frame #63: 0x0000000104e7709b XUL`nsCOMPtr<nsISHEntry>::~nsCOMPtr(this=0x0000000131adb670) + 91 at nsCOMPtr.h:391
    frame #64: 0x0000000104e68a25 XUL`nsCOMPtr<nsISHEntry>::~nsCOMPtr(this=0x0000000131adb670) + 21 at nsCOMPtr.h:388
    frame #65: 0x00000001076c4885 XUL`nsSHTransaction::~nsSHTransaction(this=0x0000000131adb640) + 53 at nsSHTransaction.cpp:22
    frame #66: 0x00000001076c48b5 XUL`nsSHTransaction::~nsSHTransaction(this=0x0000000131adb640) + 21 at nsSHTransaction.cpp:21
    frame #67: 0x00000001076c48d9 XUL`nsSHTransaction::~nsSHTransaction(this=0x0000000131adb640) + 25 at nsSHTransaction.cpp:21
    frame #68: 0x00000001076c4c29 XUL`nsSHTransaction::Release(this=0x0000000131adb640) + 505 at nsSHTransaction.cpp:29
    frame #69: 0x0000000103619806 XUL`ReleaseSliceNow(aSlice=11979, aData=0x000000011e17b420) + 246 at CycleCollectedJSRuntime.cpp:1091
    frame #70: 0x0000000103619db2 XUL`mozilla::IncrementalFinalizeRunnable::ReleaseNow(this=0x000000011e17b400, aLimited=false) + 674 at CycleCollectedJSRuntime.cpp:1171
    frame #71: 0x000000010361a2a6 XUL`mozilla::CycleCollectedJSRuntime::FinalizeDeferredThings(this=0x0000000100475000, aType=FinalizeNow) + 518 at CycleCollectedJSRuntime.cpp:1236
    frame #72: 0x000000010361849c XUL`mozilla::CycleCollectedJSRuntime::OnGC(this=0x0000000100475000, aStatus=JSGC_END) + 204 at CycleCollectedJSRuntime.cpp:1276
    frame #73: 0x00000001036171d1 XUL`mozilla::CycleCollectedJSRuntime::GCCallback(aRuntime=0x0000000117ec4000, aStatus=JSGC_END, aData=0x0000000100475000) + 145 at CycleCollectedJSRuntime.cpp:749
    frame #74: 0x00000001090e018f XUL`js::gc::GCRuntime::collect(this=0x0000000117ec4360, incremental=true, budget=(deadline = 9223372036854775807, counter = 9223372036854227982), reason=CC_FORCED) + 1151 at jsgc.cpp:6213
    frame #75: 0x00000001090e066f XUL`js::gc::GCRuntime::finishGC(this=0x0000000117ec4360, reason=CC_FORCED) + 143 at jsgc.cpp:6291
    frame #76: 0x00000001090e0f72 XUL`JS::FinishIncrementalGC(rt=0x0000000117ec4000, reason=CC_FORCED) + 34 at jsgc.cpp:7081
    frame #77: 0x0000000104f72d0e XUL`FinishAnyIncrementalGC() + 46 at nsJSEnvironment.cpp:1315
    frame #78: 0x0000000104f72ec1 XUL`FireForgetSkippable(aSuspected=11611, aRemoveChildless=false) + 33 at nsJSEnvironment.cpp:1323
    frame #79: 0x0000000104f74445 XUL`CCTimerFired(aTimer=0x000000011e1a9b60, aClosure=0x0000000000000000) + 405 at nsJSEnvironment.cpp:1864
    frame #80: 0x0000000103708d82 XUL`nsTimerImpl::Fire(this=0x000000011e1a9b60) + 994 at nsTimerImpl.cpp:631
    frame #81: 0x0000000103709191 XUL`nsTimerEvent::Run(this=0x000000011ed416b0) + 209 at nsTimerImpl.cpp:724
    frame #82: 0x0000000103703c28 XUL`nsThread::ProcessNextEvent(this=0x0000000100437310, aMayWait=false, aResult=0x00007fff5fbfd063) + 2088 at nsThread.cpp:855
    frame #83: 0x000000010375da6a XUL`NS_ProcessPendingEvents(aThread=0x0000000100437310, aTimeout=20) + 154 at nsThreadUtils.cpp:207
    frame #84: 0x0000000106b1d379 XUL`nsBaseAppShell::NativeEventCallback(this=0x000000011b57afc0) + 201 at nsBaseAppShell.cpp:98
    frame #85: 0x0000000106b96b2d XUL`nsAppShell::ProcessGeckoEvents(aInfo=0x000000011b57afc0) + 445 at nsAppShell.mm:373
    frame #86: 0x00007fff98ee9661 CoreFoundation`__CFRUNLOOP_IS_CALLING_OUT_TO_A_SOURCE0_PERFORM_FUNCTION__ + 17
    frame #87: 0x00007fff98edb7ed CoreFoundation`__CFRunLoopDoSources0 + 269
    frame #88: 0x00007fff98edae1f CoreFoundation`__CFRunLoopRun + 927
    frame #89: 0x00007fff98eda838 CoreFoundation`CFRunLoopRunSpecific + 296
    frame #90: 0x00007fff9142543f HIToolbox`RunCurrentEventLoopInMode + 235
    frame #91: 0x00007fff914251ba HIToolbox`ReceiveNextEventCommon + 431
    frame #92: 0x00007fff91424ffb HIToolbox`_BlockUntilNextEventMatchingListInModeWithFilter + 71
    frame #93: 0x00007fff8b7086d1 AppKit`_DPSNextEvent + 964
    frame #94: 0x00007fff8b707e80 AppKit`-[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] + 194
    frame #95: 0x0000000106b95677 XUL`-[GeckoNSApplication nextEventMatchingMask:untilDate:inMode:dequeue:](self=0x0000000117c37430, _cmd=0x00007fff8c05bb88, mask=18446744073709551615, expiration=0x422d63c37f00000d, mode=0x00007fff7d64df60, flag='\x01') + 119 at nsAppShell.mm:118
    frame #96: 0x00007fff8b6fbe23 AppKit`-[NSApplication run] + 594
    frame #97: 0x0000000106b974e7 XUL`nsAppShell::Run(this=0x000000011b57afc0) + 167 at nsAppShell.mm:647
    frame #98: 0x0000000107a8d36c XUL`nsAppStartup::Run(this=0x000000011b3e1d80) + 156 at nsAppStartup.cpp:281
    frame #99: 0x0000000107b3cca0 XUL`XREMain::XRE_mainRun(this=0x00007fff5fbfefe8) + 6208 at nsAppRunner.cpp:4145
    frame #100: 0x0000000107b3d54e XUL`XREMain::XRE_main(this=0x00007fff5fbfefe8, argc=5, argv=0x00007fff5fbff918, aAppData=0x00007fff5fbff298) + 798 at nsAppRunner.cpp:4221
    frame #101: 0x0000000107b3da12 XUL`XRE_main(argc=5, argv=0x00007fff5fbff918, aAppData=0x00007fff5fbff298, aFlags=0) + 98 at nsAppRunner.cpp:4441
    frame #102: 0x0000000100002d0e firefox`do_main(argc=5, argv=0x00007fff5fbff918, xreDirectory=0x000000010040dd40) + 1950 at nsBrowserApp.cpp:294
    frame #103: 0x0000000100002073 firefox`main(argc=5, argv=0x00007fff5fbff918) + 323 at nsBrowserApp.cpp:667
    frame #104: 0x0000000100001ad4 firefox`start + 52
(lldb)
Comment 1•9 years ago (Reporter)
Full backtrace. Note that I've only experienced it once so far.
Comment 2•9 years ago (Assignee)
Well, here's an example of re-entering IncrementalFinalizeRunnable::ReleaseNow()...
Comment 3•9 years ago (Reporter)
Happened another 3 times since I lodged this bug 1 hour ago
Comment 4•9 years ago
And this shows a possible security issue. We really shouldn't call any JS stuff at that point.
Group: core-security
Updated•9 years ago
Component: JavaScript: GC → XUL
Updated•9 years ago
Component: XUL → Layout
Comment 5•9 years ago
I wonder if we'd be able to prevent bug 997918 by preventing calls to js::gc::GCRuntime::startGC (from js::gc::GCRuntime::maybeGC) while js::gc::GCRuntime::finishGC is on the stack?
Comment 6•9 years ago (Assignee)
(In reply to Steven Michaud from comment #5)
> I wonder if we'd be able to prevent bug 997918 by preventing calls to
> js::gc::GCRuntime::startGC (from js::gc::GCRuntime::maybeGC) while
> js::gc::GCRuntime::finishGC is on the stack?

I'm not sure how reentrance-proof the GC is, but stopping us from GCing may just make us crash.
Comment 7•9 years ago (Assignee)
I think we could work around this reentrance by ensuring we never call ReleaseNow() when this == mFinalizeRunnable.
Comment 8•9 years ago (Assignee)
(In reply to Andrew McCreight [:mccr8] from comment #7)
> I think we could work around this reentrance by ensuring we never call
> ReleaseNow() when this == mFinalizeRunnable.

Eh, never mind, then you lose the ability to finish off the runnable on CC. So I guess the current code should be okay enough when we hit this. Aside from whatever other badness is happening in this stack.
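The re-entrance discussed in comments 2, 7 and 8 is easiest to see in a small model. The C++ below is an added example, not Mozilla code: a toy deferred-release queue shaped like IncrementalFinalizeRunnable::ReleaseNow, whose queued objects can run arbitrary code from their destructors (standing in for the script-then-GC path between frame #14 and frame #70 in the trace). The scenario data (three plain objects, one that re-enters ReleaseNow, one that queues more work mid-loop) is constructed, and every name (DeferredThing, DeferredReleaser, RunScenario) is invented for illustration. The point it shows: a re-entrancy flag turns the nested call into a detectable no-op, and detaching each entry from the queue before destroying it keeps the outer loop sound even when the destructor grows the queue.

```cpp
// Added example (not Mozilla code): toy deferred-release queue with a
// re-entrancy guard. All names are invented for illustration.
#include <cstddef>
#include <cstdio>
#include <functional>
#include <memory>
#include <utility>
#include <vector>

// A "deferred thing": its destructor may run a callback, standing in for the
// script and GC work a real destructor can trigger.
struct DeferredThing {
    explicit DeferredThing(std::function<void()> onDestroy) : mOnDestroy(std::move(onDestroy)) {}
    ~DeferredThing() { if (mOnDestroy) mOnDestroy(); }
    std::function<void()> mOnDestroy;
};

static std::unique_ptr<DeferredThing> MakeThing(std::function<void()> onDestroy) {
    return std::unique_ptr<DeferredThing>(new DeferredThing(std::move(onDestroy)));
}

class DeferredReleaser {
public:
    void Defer(std::unique_ptr<DeferredThing> thing) { mQueue.push_back(std::move(thing)); }

    // Releases everything queued. Returns how many things this call destroyed;
    // a re-entrant call (made while an outer ReleaseNow is still running)
    // destroys nothing and only records that it happened.
    std::size_t ReleaseNow() {
        if (mReleasing) {
            // This is the condition the assertion in the bug title fires on.
            // Doing work here would interleave two walks over mQueue; leave it
            // all to the outer call, whose loop is still running.
            ++mReentrantCalls;
            return 0;
        }
        mReleasing = true;
        std::size_t released = 0;
        while (!mQueue.empty()) {
            // Detach the entry before destroying it: the destructor may call
            // Defer() (reallocating mQueue) or ReleaseNow(), so no reference
            // into the vector may be held across the reset().
            std::unique_ptr<DeferredThing> thing = std::move(mQueue.back());
            mQueue.pop_back();
            thing.reset();   // destructor runs here, possibly calling back into us
            ++released;
        }
        mReleasing = false;
        return released;
    }

    std::size_t ReentrantCalls() const { return mReentrantCalls; }
    std::size_t Pending() const { return mQueue.size(); }

private:
    std::vector<std::unique_ptr<DeferredThing>> mQueue;
    bool mReleasing = false;
    std::size_t mReentrantCalls = 0;
};

struct ScenarioResult {
    std::size_t released;
    std::size_t reentrant;
    std::size_t pending;
};

// Constructed scenario: three plain things, one that re-enters ReleaseNow from
// its destructor, and one that queues a further thing while the loop runs.
ScenarioResult RunScenario() {
    DeferredReleaser releaser;
    for (int i = 0; i < 3; ++i) {
        releaser.Defer(MakeThing(nullptr));
    }
    releaser.Defer(MakeThing([&releaser] { releaser.ReleaseNow(); }));
    releaser.Defer(MakeThing([&releaser] { releaser.Defer(MakeThing(nullptr)); }));
    std::size_t released = releaser.ReleaseNow();
    return ScenarioResult{released, releaser.ReentrantCalls(), releaser.Pending()};
}

int main() {
    ScenarioResult r = RunScenario();
    std::printf("released=%zu reentrant=%zu pending=%zu\n", r.released, r.reentrant, r.pending);
    return 0;
}
```

The single outer call ends up destroying all six objects (the five queued up front plus the one added mid-loop), records exactly one re-entrant attempt, and leaves nothing pending. That is the behaviour comment 8 settles for: tolerate the nested call rather than refuse to finish the work, while keeping the assertion's detection value.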
Comment 9•9 years ago
(Following up comment #5)
> I wonder if we'd be able to prevent bug 997918 ...

The bug number is 997908.
Comment 10•9 years ago (Assignee)
Olli, what sort of security rating should this have do you think?
Flags: needinfo?(bugs)
Comment 11•9 years ago
It is xul layout stuff calling JS when it is not really safe to do so... sec-moderate?
Flags: needinfo?(bugs)
Updated•9 years ago (Assignee)
Keywords: sec-moderate
Comment 12•9 years ago
It's not clear to me what's wrong with line 311 in nsTreeBodyFrame::DestroyFrom. http://hg.mozilla.org/mozilla-central/annotate/5cbae82bdb4b/layout/xul/tree/nsTreeBodyFrame.cpp#l276 Is the problem that nsITreeView/nsITreeSelection is scriptable and therefore we're not allowed to touch it here?
Flags: needinfo?(bugs)
Comment 13•9 years ago
Yes. We really shouldn't touch scriptable stuff during frame tree destruction, as far as I know. Scripts may after all re-construct the frames and what not. Maybe we need a thin wrapper over some C++ object, and JS side has a pointer to that wrapper, but releasing the wrapper from layout side should be safe. (after such release, if JS side would do anything with the wrapper, it would just throw a js exception)
Flags: needinfo?(bugs)
Comment 14•9 years ago
The rules for privileged script might be different from the rules for Web script; we might have rules that say that certain nsITreeView methods, implemented in JS, are only allowed to do certain things. In this case it looks like there's now a rule that frame destruction isn't allowed to run privileged script at all, which might not be a rule that's existed since the beginning of the codebase.
Comment 15•9 years ago
Well, the issue is that, like the stack trace shows, that GC may be called, and that may cause random C++ destructors to run, and pretty much anything can happen then. If we could prevent GC to run, then letting privileged script to run would be fine, I think.
Comment 16•9 years ago
In this case we might be able to solve it by using nsIWeakReference, although that might be a substantive change to the tree API.
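Comments 13 and 16 sketch a design in which layout holds only a thin wrapper or weak reference, so that dropping it never calls into script. The C++ below is an added example, not Mozilla code and not the tree API: it places the two shapes side by side. DirectFrame notifies its script-side view from its destructor, so whatever that view does (here just a counter; in the real case privileged script that can trigger a GC) runs in the middle of frame teardown. WeakFrame owns a plain C++ core and hands the script side a handle holding a std::weak_ptr; teardown merely releases the core, and later use of the handle fails cleanly instead of dereferencing a dangling pointer. All names (ScriptView, DirectFrame, TreeCore, TreeHandle, WeakFrame) and the row count are invented for illustration.

```cpp
// Added example (not Mozilla code): direct ownership of a script-facing view
// versus a weak-reference handle. All names are invented for illustration.
#include <cstdio>
#include <functional>
#include <memory>
#include <utility>

// Variant 1: the frame holds the script-side object and notifies it on
// teardown, so script-side code runs during frame destruction.
struct ScriptView {
    std::function<void()> onDetach;  // stands in for a scriptable method
};

class DirectFrame {
public:
    explicit DirectFrame(ScriptView* view) : mView(view) {}
    ~DirectFrame() {
        if (mView && mView->onDetach) mView->onDetach();  // script runs here
    }
private:
    ScriptView* mView;
};

// Returns how many script-side calls ran while the frame was being destroyed.
int DirectTeardown() {
    int scriptCalls = 0;
    ScriptView view{[&scriptCalls] { ++scriptCalls; }};
    {
        DirectFrame frame(&view);
    }  // ~DirectFrame calls into the view
    return scriptCalls;
}

// Variant 2: the frame owns a plain C++ core; the script side only gets a
// handle with a weak reference. Destroying the frame drops the core and runs
// no script-facing code; later use of the handle fails cleanly.
struct TreeCore {
    int rowCount = 0;
};

class TreeHandle {
public:
    explicit TreeHandle(std::weak_ptr<TreeCore> core) : mCore(std::move(core)) {}
    // false once the core is gone: the script-side equivalent of throwing,
    // with no dangling pointer ever dereferenced.
    bool GetRowCount(int& out) const {
        if (std::shared_ptr<TreeCore> core = mCore.lock()) {
            out = core->rowCount;
            return true;
        }
        return false;
    }
private:
    std::weak_ptr<TreeCore> mCore;
};

class WeakFrame {
public:
    WeakFrame() : mCore(new TreeCore()) { mCore->rowCount = 3; }  // constructed value
    std::shared_ptr<TreeHandle> MakeHandle() const {
        return std::shared_ptr<TreeHandle>(new TreeHandle(mCore));
    }
    // No user-written destructor: mCore is simply released.
private:
    std::shared_ptr<TreeCore> mCore;
};

struct WeakTeardownResult {
    bool liveCallOk;
    int liveRows;
    bool deadCallOk;
};

WeakTeardownResult WeakTeardown() {
    WeakTeardownResult r{false, -1, true};
    std::shared_ptr<TreeHandle> handle;
    {
        WeakFrame frame;
        handle = frame.MakeHandle();
        r.liveCallOk = handle->GetRowCount(r.liveRows);
    }  // frame gone, weak reference expired, nothing script-facing was called
    int unused = -1;
    r.deadCallOk = handle->GetRowCount(unused);
    return r;
}

int main() {
    WeakTeardownResult r = WeakTeardown();
    std::printf("direct: %d script call(s) during teardown; weak: live=%d rows=%d dead=%d\n",
                DirectTeardown(), r.liveCallOk, r.liveRows, r.deadCallOk);
    return 0;
}
```

The contrast is structural rather than a matter of the view being well behaved: in the weak variant there is simply no call site inside teardown from which script could run, which is what comment 15 identifies as the actual hazard.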
Comment 17•9 years ago
(In reply to Olli Pettay [:smaug] from comment #15)
> If we could prevent GC to run, then letting privileged script to run would
> be fine, I think.

I'd prefer that too, rather than messing with regression prone XUL code. So who will write an AutoSuppressGC thing we can use? ;-)
Comment 18•9 years ago (Assignee)
Olli and I discussed this, and we think it is probably okay, so we'll just remove the assertion...
Assignee: nobody → continuation
Keywords: sec-moderate → sec-other
Comment 19•9 years ago (Assignee)
smaug told me over IRC that I could ask for review despite his review ban. ;)
Attachment #8560564 - Flags: review?(bugs)
Updated•9 years ago
Attachment #8560564 - Flags: review?(bugs) → review+
Comment 20•9 years ago (Assignee)
https://hg.mozilla.org/integration/mozilla-inbound/rev/4f92dc4510bf
https://hg.mozilla.org/mozilla-central/rev/4f92dc4510bf
Status: NEW → RESOLVED
Closed: 9 years ago
status-firefox38: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla38
Comment 22•9 years ago
>> If we could prevent GC to run, then letting privileged script to
>> run would be fine, I think.
>
> I'd prefer that too, rather than messing with regression prone XUL
> code.
>
> So who will write an AutoSuppressGC thing we can use? ;-)

So are we going to do anything about this?
Comment 23•9 years ago
If we can live without suppressing GC, the better. It would be a hack anyway. The issue is that JS can always just run any code, and end up spinning event loop and what not, so GC must be able to run at some point JS runs.
Comment 24•9 years ago
I'd still like to try the idea I expressed in comment #5, just as an experiment (for at least a week on trunk), to see if it makes bug 997908 go away. Otherwise I think we've lost any chance that the insights gained here will help us with bug 997908.
Updated•9 years ago
Whiteboard: [adv-main38-]
Updated•9 years ago
Group: core-security → core-security-release
Updated•8 years ago
Group: core-security-release