Closed
Bug 1141788
Opened 9 years ago
Closed 8 years ago
nsSHistory uses questionable lifetimes for pointers with GetNext()
Categories
(Core :: DOM: Navigation, defect)
Core
DOM: Navigation
Tracking
()
RESOLVED
FIXED
mozilla50
| Tracking | Status | |
|---|---|---|
| firefox50 | --- | fixed |
People
(Reporter: mccr8, Assigned: mccr8)
Details
(Keywords: sec-audit, Whiteboard: [post-critsmash-triage][adv-main50-])
Attachments
(1 file)
|
3.29 KB,
patch
|
smaug
:
review+
|
Details | Diff | Splinter Review |
There's a number of places in nsSHistory that do something like this:
nsCOMPtr<nsISHTransaction> trans = mListRoot;
while (trans) {
... do some stuff with trans ...
nsISHTransaction *temp = trans;
temp->GetNext(getter_AddRefs(trans));
}
If |trans| had the last reference to the object, then when we assign to |trans| inside of GetNext(), then |this| of |GetNext()| is dead.
As it happens, GetNext() does not look like it touches |this| after setting the return value, and it looks like the places these are being use we are never going to have the last reference to the object, so I think it is safe, but it seems like it would be good to be less fragile here.
A fixed version of the body would look like:
nsCOMPtr<nsISHTransaction> temp = trans.forget();
temp->GetNext(getter_AddRefs(trans));
Then we'd be sure to keep |temp| alive for the duration of the getter. This should not cause any additional refcount traffic.
Olli, do you agree that this code is safe as-is? Do you think we should change it?
I noticed this while looking at poiru's patch in bug 1129795.
|
Assignee | |
Updated•9 years ago
|
Flags: needinfo?(bugs)
|
||
Comment 1•9 years ago
|
||
Ancient code, but yeah, looks like it is safe, but we also should fix it to be less error prone.
Flags: needinfo?(bugs)
|
|
Assignee | |
Updated•9 years ago
|
Assignee: nobody → continuation
|
||
Updated•9 years ago
|
Group: core-security → dom-core-security
|
|
Assignee | |
Updated•8 years ago
|
Assignee: continuation → nobody
|
|
Assignee | |
Updated•8 years ago
|
Assignee: nobody → continuation
|
|
Assignee | |
Comment 2•8 years ago
|
||
try run: https://treeherder.mozilla.org/#/jobs?repo=try&revision=5460a481f642
Attachment #8775805 -
Flags: review?(bugs)
|
||
Comment 3•8 years ago
|
||
I feel like I can take this review if you want to hand it off, smaug.
|
|
||
Comment 4•8 years ago
|
||
Comment on attachment 8775805 [details] [diff] [review] Use strong references during iteration in nsSHistory. thanks mconley, but I happened to look at the patch before I noticed your comment.
Attachment #8775805 -
Flags: review?(bugs) → review+
|
|
Assignee | |
Comment 5•8 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/2882620cd75fe1984479f4d6a9b1982ee95a00e4
|
||
Comment 6•8 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/2882620cd75f
Status: NEW → RESOLVED
Closed: 8 years ago
status-firefox50:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla50
|
||
Updated•8 years ago
|
Group: dom-core-security → core-security-release
|
||
Updated•8 years ago
|
Flags: qe-verify-
Whiteboard: [post-critsmash-triage]
|
||
Updated•8 years ago
|
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main50-]
|
|
||
Updated•7 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•