Closed
Bug 1141788
Opened 9 years ago
Closed 8 years ago
nsSHistory uses questionable lifetimes for pointers with GetNext()
Categories
(Core :: DOM: Navigation, defect)
Core
DOM: Navigation
Tracking
()
RESOLVED
FIXED
mozilla50
Tracking | Status | |
---|---|---|
firefox50 | --- | fixed |
People
(Reporter: mccr8, Assigned: mccr8)
Details
(Keywords: sec-audit, Whiteboard: [post-critsmash-triage][adv-main50-])
Attachments
(1 file)
3.29 KB,
patch
|
smaug
:
review+
|
Details | Diff | Splinter Review |
There's a number of places in nsSHistory that do something like this: nsCOMPtr<nsISHTransaction> trans = mListRoot; while (trans) { ... do some stuff with trans ... nsISHTransaction *temp = trans; temp->GetNext(getter_AddRefs(trans)); } If |trans| had the last reference to the object, then when we assign to |trans| inside of GetNext(), then |this| of |GetNext()| is dead. As it happens, GetNext() does not look like it touches |this| after setting the return value, and it looks like the places these are being use we are never going to have the last reference to the object, so I think it is safe, but it seems like it would be good to be less fragile here. A fixed version of the body would look like: nsCOMPtr<nsISHTransaction> temp = trans.forget(); temp->GetNext(getter_AddRefs(trans)); Then we'd be sure to keep |temp| alive for the duration of the getter. This should not cause any additional refcount traffic. Olli, do you agree that this code is safe as-is? Do you think we should change it? I noticed this while looking at poiru's patch in bug 1129795.
Assignee | ||
Updated•9 years ago
|
Flags: needinfo?(bugs)
Comment 1•9 years ago
|
||
Ancient code, but yeah, looks like it is safe, but we also should fix it to be less error prone.
Flags: needinfo?(bugs)
Assignee | ||
Updated•9 years ago
|
Assignee: nobody → continuation
Updated•9 years ago
|
Group: core-security → dom-core-security
Assignee | ||
Updated•8 years ago
|
Assignee: continuation → nobody
Assignee | ||
Updated•8 years ago
|
Assignee: nobody → continuation
Assignee | ||
Comment 2•8 years ago
|
||
try run: https://treeherder.mozilla.org/#/jobs?repo=try&revision=5460a481f642
Attachment #8775805 -
Flags: review?(bugs)
Comment 3•8 years ago
|
||
I feel like I can take this review if you want to hand it off, smaug.
Comment 4•8 years ago
|
||
Comment on attachment 8775805 [details] [diff] [review] Use strong references during iteration in nsSHistory. thanks mconley, but I happened to look at the patch before I noticed your comment.
Attachment #8775805 -
Flags: review?(bugs) → review+
Assignee | ||
Comment 5•8 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/2882620cd75fe1984479f4d6a9b1982ee95a00e4
Comment 6•8 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/2882620cd75f
Status: NEW → RESOLVED
Closed: 8 years ago
status-firefox50:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla50
Updated•8 years ago
|
Group: dom-core-security → core-security-release
Updated•8 years ago
|
Flags: qe-verify-
Whiteboard: [post-critsmash-triage]
Updated•8 years ago
|
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main50-]
Updated•7 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•