Bug 1171578 - Null Pointer Read in indexedDB::IDBFactory::OpenInternal()
Status: Closed, RESOLVED FIXED
Opened 9 years ago; Closed 9 years ago
Categories: Core :: Storage: IndexedDB, defect
Target Milestone: mozilla41
People: Reporter: loobenyang; Assigned: bent.mozilla
Keywords: crash
Attachments (2 files):
419 bytes, text/html
Patch, v1 (attachment 8625238): 3.72 KB, patch; flags: baku: review+, Sylvestre: approval-mozilla-aurora+
Opening IndexedDB from a web worker can crash the browser with a null pointer read in indexedDB::IDBFactory::OpenInternal().
Firefox version: 41.0a1 (2015-05-30)
Reproduction test case (NullPtr_OpenInternal_repro.html):
<html><body></body><script type="text/javascript">
// Worker script: open a database and, if that request fails, call open() again from inside the error handler.
var workerCode = 'var dbreq0= indexedDB.open("TestDb2", 1);\n';
workerCode+=' dbreq0.onerror = function(event) {indexedDB.open("TestDb2", 1);};\n';
// Main thread: delete the same database while the worker is opening it.
indexedDB.deleteDatabase("TestDb2");
var blob = new Blob([workerCode],{type: "text/javascript"});
var worker = new Worker(window.URL.createObjectURL(blob));
// Reload the page shortly afterwards so the worker is torn down while its requests are still outstanding.
setTimeout(function(){location.reload()},300);
</script></html>
Call stack:
> xul.dll!mozilla::dom::indexedDB::IDBFactory::OpenInternal(nsIPrincipal * aPrincipal, const nsAString_internal & aName, const mozilla::dom::Optional<unsigned __int64> & aVersion, const mozilla::dom::Optional<enum mozilla::dom::StorageType> & aStorageType, bool aDeleting, mozilla::ErrorResult & aRv) Line 748 C++
xul.dll!mozilla::dom::indexedDB::IDBFactory::Open(const nsAString_internal & aName, unsigned __int64 aVersion, mozilla::ErrorResult & aRv) Line 477 C++
xul.dll!mozilla::dom::IDBFactoryBinding::open(JSContext * cx, JS::Handle<JSObject *> obj, mozilla::dom::indexedDB::IDBFactory * self, const JSJitMethodCallArgs & args) Line 280 C++
xul.dll!mozilla::dom::GenericBindingMethod(JSContext * cx, unsigned int argc, JS::Value * vp) Line 2615 C++
xul.dll!js::Invoke(JSContext * cx, JS::CallArgs args, js::MaybeConstruct construct) Line 720 C++
xul.dll!Interpret(JSContext * cx, js::RunState & state) Line 2956 C++
xul.dll!js::RunScript(JSContext * cx, js::RunState & state) Line 677 C++
xul.dll!js::Invoke(JSContext * cx, JS::CallArgs args, js::MaybeConstruct construct) Line 750 C++
xul.dll!js::Invoke(JSContext * cx, const JS::Value & thisv, const JS::Value & fval, unsigned int argc, const JS::Value * argv, JS::MutableHandle<JS::Value> rval) Line 784 C++
xul.dll!JS::Call(JSContext * cx, JS::Handle<JS::Value> thisv, JS::Handle<JS::Value> fval, const JS::HandleValueArray & args, JS::MutableHandle<JS::Value> rval) Line 4421 C++
xul.dll!mozilla::dom::EventHandlerNonNull::Call(JSContext * cx, JS::Handle<JS::Value> aThisVal, mozilla::dom::Event & event, JS::MutableHandle<JS::Value> aRetVal, mozilla::ErrorResult & aRv) Line 260 C++
xul.dll!mozilla::dom::EventHandlerNonNull::Call<nsISupports *>(nsISupports * const & thisVal, mozilla::dom::Event & event, JS::MutableHandle<JS::Value> aRetVal, mozilla::ErrorResult & aRv, const char * aExecutionReason, mozilla::dom::CallbackObject::ExceptionHandling aExceptionHandling, JSCompartment * aCompartment) Line 351 C++
xul.dll!mozilla::JSEventHandler::HandleEvent(nsIDOMEvent * aEvent) Line 216 C++
xul.dll!mozilla::EventListenerManager::HandleEventSubType(mozilla::EventListenerManager::Listener * aListener, nsIDOMEvent * aDOMEvent, mozilla::dom::EventTarget * aCurrentTarget) Line 979 C++
xul.dll!mozilla::EventListenerManager::HandleEventInternal(nsPresContext * aPresContext, mozilla::WidgetEvent * aEvent, nsIDOMEvent * * aDOMEvent, mozilla::dom::EventTarget * aCurrentTarget, nsEventStatus * aEventStatus) Line 1129 C++
xul.dll!mozilla::EventListenerManager::HandleEvent(nsPresContext * aPresContext, mozilla::WidgetEvent * aEvent, nsIDOMEvent * * aDOMEvent, mozilla::dom::EventTarget * aCurrentTarget, nsEventStatus * aEventStatus) Line 330 C++
xul.dll!mozilla::EventTargetChainItem::HandleEvent(mozilla::EventChainPostVisitor & aVisitor, mozilla::ELMCreationDetector & aCd) Line 209 C++
xul.dll!mozilla::EventTargetChainItem::HandleEventTargetChain(nsTArray<mozilla::EventTargetChainItem> & aChain, mozilla::EventChainPostVisitor & aVisitor, mozilla::EventDispatchingCallback * aCallback, mozilla::ELMCreationDetector & aCd) Line 301 C++
xul.dll!mozilla::EventDispatcher::Dispatch(nsISupports * aTarget, nsPresContext * aPresContext, mozilla::WidgetEvent * aEvent, nsIDOMEvent * aDOMEvent, nsEventStatus * aEventStatus, mozilla::EventDispatchingCallback * aCallback, nsTArray<mozilla::dom::EventTarget *> * aTargets) Line 636 C++
xul.dll!mozilla::EventDispatcher::DispatchDOMEvent(nsISupports * aTarget, mozilla::WidgetEvent * aEvent, nsIDOMEvent * aDOMEvent, nsPresContext * aPresContext, nsEventStatus * aEventStatus) Line 698 C++
xul.dll!nsWindowRoot::DispatchEvent(nsIDOMEvent * aEvt, bool * aRetVal) Line 84 C++
xul.dll!mozilla::dom::indexedDB::`anonymous namespace'::DispatchErrorEvent(mozilla::dom::indexedDB::IDBRequest * aRequest, nsresult aErrorCode, mozilla::dom::indexedDB::IDBTransaction * aTransaction, nsIDOMEvent * aEvent) Line 704 C++
xul.dll!mozilla::dom::indexedDB::BackgroundFactoryRequestChild::HandleResponse(nsresult aResponse) Line 1248 C++
xul.dll!mozilla::dom::indexedDB::BackgroundFactoryRequestChild::Recv__delete__(const mozilla::dom::indexedDB::FactoryRequestResponse & aResponse) Line 1346 C++
xul.dll!mozilla::dom::indexedDB::PBackgroundIDBFactoryRequestChild::OnMessageReceived(const IPC::Message & msg__) Line 183 C++
xul.dll!mozilla::ipc::PBackgroundChild::OnMessageReceived(const IPC::Message & msg__) Line 1167 C++
xul.dll!mozilla::ipc::MessageChannel::DispatchAsyncMessage(const IPC::Message & aMsg) Line 1281 C++
xul.dll!mozilla::ipc::MessageChannel::DispatchMessageW(const IPC::Message & aMsg) Line 1199 C++
xul.dll!mozilla::ipc::MessageChannel::OnMaybeDequeueOne() Line 1183 C++
xul.dll!MessageLoop::RunTask(Task * task) Line 362 C++
xul.dll!MessageLoop::DeferOrRunPendingTask(const MessageLoop::PendingTask & pending_task) Line 372 C++
xul.dll!MessageLoop::DoWork() Line 456 C++
xul.dll!nsThread::ProcessNextEvent(bool aMayWait, bool * aResult) Line 846 C++
xul.dll!NS_ProcessNextEvent(nsIThread * aThread, bool aMayWait) Line 265 C++
xul.dll!mozilla::dom::workers::WorkerPrivate::DoRunLoop(JSContext * aCx) Line 5204 C++
xul.dll!`anonymous namespace'::WorkerThreadPrimaryRunnable::Run() Line 2805 C++
xul.dll!nsThread::ProcessNextEvent(bool aMayWait, bool * aResult) Line 846 C++
xul.dll!NS_ProcessNextEvent(nsIThread * aThread, bool aMayWait) Line 265 C++
xul.dll!mozilla::ipc::MessagePumpForNonMainThreads::Run(base::MessagePump::Delegate * aDelegate) Line 355 C++
xul.dll!MessageLoop::RunHandler() Line 227 C++
xul.dll!MessageLoop::Run() Line 201 C++
xul.dll!nsThread::ThreadFunc(void * aArg) Line 361 C++
nss3.dll!_PR_NativeRunThread(void * arg) Line 419 C
nss3.dll!pr_root(void * arg) Line 90 C
[External Code]
[Frames below may be incorrect and/or missing, no symbols loaded for msvcr120.dll]
Local variables:
+ this 0x00000032 {mPrincipalInfo={mRawPtr=??? } mWindow={...} mOwningObject={ptr=??? } ...} mozilla::dom::indexedDB::IDBFactory *
+ aPrincipal 0x00000000 <NULL> nsIPrincipal *
+ aName {mData=0x1c1fd904 L"TestDb2" mLength=7 mFlags=1 } const nsAString_internal &
+ aVersion {...} const mozilla::dom::Optional<unsigned __int64> &
+ aStorageType {...} const mozilla::dom::Optional<enum mozilla::dom::StorageType> &
aDeleting false bool
+ aRv {mResult=NS_OK (0) mMessage=0x1c1fde0c {mArgs={...} mErrorNumber=466281996 } mJSException={data={asBits=...} } } mozilla::ErrorResult &
+ autoJS {mCxPusher={mIsSome=false mStorage={u={mBytes=0x1c1fd608 "" mDummy=0 } } } mAutoNullableCompartment=...} mozilla::dom::AutoJSAPI
+ params {mValue={VOpenDatabaseRequestParams=0x1c1fd504 "hË\x1b\a" VDeleteDatabaseRequestParams=0x1c1fd504 "hË\x1b\a" } ...} mozilla::dom::indexedDB::FactoryRequestParams
+ commonParams {metadata_={name_={...} version_=1 persistenceType_=PERSISTENCE_TYPE_DEFAULT (2) } principalInfo_={mValue=...} ...} mozilla::dom::indexedDB::CommonFactoryRequestParams
+ newIDBThreadLocal {mRawPtr=0x00000000 <NULL> } nsAutoPtr<mozilla::dom::indexedDB::ThreadLocal>
+ uuidGen {...} nsCOMPtr<nsIUUIDGenerator>
+ id {m0=0 m1=0 m2=0 ...} nsID
+ scriptOwner {stack=0x00000000 {???} prev=0x00000000 <NULL> ptr=0x00000000 <NULL> } JS::Rooted<JSObject *>
+ cx {mCx=0x0000001f {throwing=??? unwrappedException_={data={asBits=??? s={...} asDouble=??? ...} } options_=...} ...} mozilla::AutoJSContext
+ scriptOwner {stack=0x1bcae60c {0x1c1fd9c0 {stack=0x1bcae60c {0x1c1fd9c0 {...}} prev=0x1c1fde10 {stack=0x1bcae60c {...} ...} ...}} ...} JS::Rooted<JSObject *>
_useProfiler false const bool
_useProfiler false const bool
Registers:
EAX = 1C1FD401 EBX = 1C1FD55C ECX = 00000032 EDX = 1C1FD563 ESI = 00000000 EDI = 1C1FD8AC EIP = 5427281E ESP = 1C1FD468 EBP = 1C03D740 EFL = 00010202
0x00000058 = 00000000
Comment 1 • 9 years ago (Assignee)
Thanks for the report! baku, this tightens up a few things if the WorkerFeature doesn't get added properly. Maybe it will help some of the other problems you've seen with WorkerFeature...
Assignee: nobody → bent.mozilla
Status: NEW → ASSIGNED
Attachment #8625238 - Flags: review?(amarchesini)
Updated • 9 years ago
Attachment #8625238 - Flags: review?(amarchesini) → review+
Comment 2 • 9 years ago (Assignee)
https://hg.mozilla.org/integration/mozilla-inbound/rev/a6f67ef45731
Comment 3 • 9 years ago (Assignee)
Comment on attachment 8625238 [details] [diff] [review]
Patch, v1
Approval Request Comment
[Feature/regressing bug #]: bug 701634
[User impact if declined]: Crash in an unlikely race condition
[Describe test coverage new/current, TreeHerder]: Testing this race is really hard
[Risks and why]: Basically this amounts to a null check, so it's very safe.
[String/UUID change made/needed]: None
Attachment #8625238 - Flags: approval-mozilla-aurora?
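The description above shows the crash firing when the worker's onerror handler calls open() again around page reload, and comment 3 characterises the fix as a null check. The following is an added, self-contained model of that bug class, written for this page; it is not Gecko's IDBFactory code and does not reproduce the actual patch. The type names (WorkerPrivate, ThreadLocal, IDBFactoryModel), the AddFeature() failure mode and the nsresult values are assumptions chosen to mirror the report: a factory lazily registers per-worker bookkeeping, registration fails once the worker is tearing down, and the unchecked open path then dereferences a null pointer where the checked path fails the request instead.

```cpp
// Added model of the bug class in this report. Illustrative code only, not
// Gecko's IDBFactory: names mirror the report, bodies are invented here to show
// why a null check is the fix for a request racing worker teardown.
#include <cstdint>
#include <cstdio>
#include <memory>
#include <string>

// Stand-ins for Gecko's nsresult codes; the values are assumptions for this model.
enum nsresult : uint32_t { NS_OK = 0, NS_ERROR_FAILURE = 0x80004005 };

// A worker that stops accepting new "features" once it begins shutting down
// (modelled on the WorkerFeature mentioned in comment 1; behaviour assumed).
struct WorkerPrivate {
  bool shuttingDown = false;
  bool AddFeature() { return !shuttingDown; }
};

// Per-worker IndexedDB bookkeeping that only exists if registration succeeded.
struct ThreadLocal {
  uint64_t nextRequestSerial = 1;
};

struct IDBFactoryModel {
  WorkerPrivate* worker = nullptr;
  std::unique_ptr<ThreadLocal> threadLocal;

  // Lazily registers with the worker; returns null if the worker refused.
  ThreadLocal* EnsureThreadLocal() {
    if (!threadLocal) {
      if (!worker->AddFeature()) {
        return nullptr;  // teardown already started: no bookkeeping for us
      }
      threadLocal = std::make_unique<ThreadLocal>();
    }
    return threadLocal.get();
  }

  // Shape of the bug: assumes registration always succeeds. On the teardown
  // path this dereferences a null ThreadLocal, i.e. a null pointer read.
  uint64_t OpenInternalUnchecked(const std::string& /*name*/, nsresult& rv) {
    ThreadLocal* tl = EnsureThreadLocal();
    rv = NS_OK;
    return tl->nextRequestSerial++;  // crashes when tl == nullptr
  }

  // Shape of the fix ("basically a null check"): fail the request instead.
  uint64_t OpenInternalChecked(const std::string& /*name*/, nsresult& rv) {
    ThreadLocal* tl = EnsureThreadLocal();
    if (!tl) {
      rv = NS_ERROR_FAILURE;
      return 0;
    }
    rv = NS_OK;
    return tl->nextRequestSerial++;
  }
};

// Worker still alive: registration succeeds and the request gets serial 1.
nsresult OpenOnLiveWorker(uint64_t* serialOut) {
  WorkerPrivate worker;
  IDBFactoryModel factory;
  factory.worker = &worker;
  nsresult rv = NS_OK;
  uint64_t serial = factory.OpenInternalChecked("TestDb2", rv);
  if (serialOut) *serialOut = serial;
  return rv;
}

// Worker tearing down (the reload in the repro): AddFeature() fails, so only
// the checked shape is safe to call here; the unchecked one would crash.
nsresult OpenOnTearingDownWorker(uint64_t* serialOut) {
  WorkerPrivate worker;
  worker.shuttingDown = true;
  IDBFactoryModel factory;
  factory.worker = &worker;
  nsresult rv = NS_OK;
  uint64_t serial = factory.OpenInternalChecked("TestDb2", rv);
  if (serialOut) *serialOut = serial;
  return rv;
}

int main() {
  uint64_t serial = 0;
  nsresult rv = OpenOnLiveWorker(&serial);
  std::printf("live worker:  rv=0x%08x serial=%llu\n", (unsigned)rv, (unsigned long long)serial);
  rv = OpenOnTearingDownWorker(&serial);
  std::printf("tearing down: rv=0x%08x serial=%llu\n", (unsigned)rv, (unsigned long long)serial);
  return 0;
}
```

The point of the model is the ordering: the null pointer comes from a registration step that can legitimately fail during teardown, so the caller must treat a null result as an error path rather than an invariant, which is what a null check at the top of the open path buys.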
Comment 4 • 9 years ago
https://hg.mozilla.org/mozilla-central/rev/a6f67ef45731
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla41
Comment 5 • 9 years ago (Assignee)
Thanks for the report Looben!
Updated • 9 years ago
status-firefox40: --- → affected
Comment 6 • 9 years ago
Comment on attachment 8625238 [details] [diff] [review]
Patch, v1
Fix a crash: taking it.
Attachment #8625238 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+