Closed
Bug 1183954
Opened 9 years ago
Closed 9 years ago
"Hit MOZ_CRASH(nsStructuredCloneContainer not thread-safe)" with Notification from Worker
Categories
(Core :: DOM: Workers, defect)
Core
DOM: Workers
Tracking
()
RESOLVED
FIXED
mozilla42
Tracking | Status | |
---|---|---|
firefox40 | --- | unaffected |
firefox41 | + | fixed |
firefox42 | --- | fixed |
firefox-esr38 | --- | unaffected |
b2g-v2.0 | --- | unaffected |
b2g-v2.0M | --- | unaffected |
b2g-v2.1 | --- | unaffected |
b2g-v2.1S | --- | unaffected |
b2g-v2.2 | --- | unaffected |
b2g-v2.2r | --- | unaffected |
b2g-master | --- | fixed |
People
(Reporter: jruderman, Assigned: nsm)
References
Details
(4 keywords, Whiteboard: [post-critsmash-triage][b2g-adv-main2.5-])
Attachments
(5 files, 1 obsolete file)
123 bytes,
text/html
|
Details | |
4.39 KB,
text/plain
|
Details | |
20.88 KB,
patch
|
mccr8
:
review+
robertbindar
:
review+
|
Details | Diff | Splinter Review |
1.98 KB,
patch
|
khuey
:
review+
|
Details | Diff | Splinter Review |
17.96 KB,
patch
|
ritu
:
approval-mozilla-beta+
|
Details | Diff | Splinter Review |
In a debug build: Hit MOZ_CRASH(nsStructuredCloneContainer not thread-safe) at dom/base/nsStructuredCloneContainer.cpp:25
Reporter | ||
Comment 1•9 years ago
|
||
Assignee: nobody → nsm.nikhil
Updated•9 years ago
|
Keywords: csectype-race,
sec-high
Assignee | ||
Comment 2•9 years ago
|
||
Andrew, could you check the CC and Hold/DropJSObjects/ExposeActive for mData? This code runs on main thread and workers. Robert for making sure I haven't broken any semantics.
Attachment #8641295 -
Flags: review?(continuation)
Assignee | ||
Updated•9 years ago
|
Attachment #8641295 -
Flags: review?(robertbindar)
Comment 3•9 years ago
|
||
Comment on attachment 8641295 [details] [diff] [review] Fix Notification.data structured cloning on workers. Review of attachment 8641295 [details] [diff] [review]: ----------------------------------------------------------------- The CC stuff looks good to me.
Attachment #8641295 -
Flags: review?(continuation) → review+
Assignee | ||
Updated•9 years ago
|
status-firefox41:
--- → affected
Comment 4•9 years ago
|
||
Comment on attachment 8641295 [details] [diff] [review] Fix Notification.data structured cloning on workers. Review of attachment 8641295 [details] [diff] [review]: ----------------------------------------------------------------- Thanks Nikhil! lgtm, if the tests are green we're good to go.
Attachment #8641295 -
Flags: review?(robertbindar) → review+
Assignee | ||
Comment 5•9 years ago
|
||
https://treeherder.mozilla.org/#/jobs?repo=try&revision=f82e83784203
Assignee | ||
Comment 6•9 years ago
|
||
url: https://hg.mozilla.org/integration/mozilla-inbound/rev/02652b4367625e2771366b18bf2e95753c240e26 changeset: 02652b4367625e2771366b18bf2e95753c240e26 user: Nikhil Marathe <nsm.nikhil@gmail.com> date: Thu Jul 30 12:44:14 2015 -0700 description: Bug 1183954 - Fix Notification.data structured cloning on workers. r=robertbindar,mccr8 Rather than store a non-thread-safe refcounted nsIStructuredCloneContainer, store the base64 representation. Caches a jsval the first time an attempt to access data is made from content script.
Assignee | ||
Comment 7•9 years ago
|
||
Comment on attachment 8641295 [details] [diff] [review] Fix Notification.data structured cloning on workers. Approval Request Comment [Feature/regressing bug #]: Bug 916893 [User impact if declined]: Crash when creating a Notification on worker with the data field set. [Describe test coverage new/current, TreeHerder]: Added structured clone tests in dom/workers/ [Risks and why]: No risk to taking this patch. [String/UUID change made/needed]: None.
Attachment #8641295 -
Flags: approval-mozilla-aurora?
Assignee | ||
Comment 8•9 years ago
|
||
https://treeherder.mozilla.org/#/jobs?repo=try&revision=263a7ed9dc0e
Assignee | ||
Comment 9•9 years ago
|
||
Assignee | ||
Updated•9 years ago
|
Attachment #8641295 -
Flags: approval-mozilla-aurora?
Assignee | ||
Comment 10•9 years ago
|
||
Comment on attachment 8642090 [details] [diff] [review] Patch for aurora. Approval Request Comment [Feature/regressing bug #]: Bug 916893 [User impact if declined]: Crash when creating a Notification on worker with the data field set. [Describe test coverage new/current, TreeHerder]: Added structured clone tests in dom/workers/ [Risks and why]: No risk to taking this patch. [String/UUID change made/needed]: None.
Attachment #8642090 -
Flags: approval-mozilla-aurora?
Comment 11•9 years ago
|
||
And because of 'auto' hiding raw pointer usage we nicely leak here. https://treeherder.mozilla.org/logviewer.html#?job_id=12395451&repo=mozilla-inbound
(In reply to Olli Pettay [:smaug] from comment #11) > And because of 'auto' hiding raw pointer usage we nicely leak here. > https://treeherder.mozilla.org/logviewer.html#?job_id=12395451&repo=mozilla- > inbound Yeah, that's bad. Wonder if we can use static analysis to catch these kinds of mistakes.
Comment 13•9 years ago
|
||
FYI, I'm about to land a fix for the leak.
Comment on attachment 8642151 [details] [diff] [review] don't leak Review of attachment 8642151 [details] [diff] [review]: ----------------------------------------------------------------- Not that it matters, but r=me.
Attachment #8642151 -
Flags: review+
Assignee | ||
Comment 16•9 years ago
|
||
(In reply to Kyle Huey [:khuey] (khuey@mozilla.com) from comment #12) > (In reply to Olli Pettay [:smaug] from comment #11) > > And because of 'auto' hiding raw pointer usage we nicely leak here. > > https://treeherder.mozilla.org/logviewer.html#?job_id=12395451&repo=mozilla- > > inbound > > Yeah, that's bad. Wonder if we can use static analysis to catch these kinds > of mistakes. Perhaps provide a MakeRefPtr<> like MakeUnique<> and then have an analyzer enforce that for pointer types?
Comment 17•9 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/02652b436762 https://hg.mozilla.org/mozilla-central/rev/7921dfab7eb3
Status: NEW → RESOLVED
Closed: 9 years ago
status-b2g-master:
--- → fixed
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla42
Assignee | ||
Comment 18•9 years ago
|
||
Updated to include leak fixes. Please see previous approval request.
Attachment #8642090 -
Attachment is obsolete: true
Attachment #8642090 -
Flags: approval-mozilla-aurora?
Attachment #8642484 -
Flags: approval-mozilla-aurora?
Comment 19•9 years ago
|
||
Comment on attachment 8642484 [details] [diff] [review] Patch for beta. I think you meant beta as aurora is 42 (and fixed).
Attachment #8642484 -
Flags: approval-mozilla-aurora? → approval-mozilla-beta?
Assignee | ||
Comment 20•9 years ago
|
||
(In reply to Sylvestre Ledru [:sylvestre] from comment #19) > Comment on attachment 8642484 [details] [diff] [review] > Patch for aurora. > > I think you meant beta as aurora is 42 (and fixed). Well, I asked for approval before the branch. The previous comment still applies for beta approval.
Assignee | ||
Comment 21•9 years ago
|
||
Comment on attachment 8642484 [details] [diff] [review] Patch for beta. This really needs to be uplifted. This patch should apply to beta too
Attachment #8642484 -
Attachment description: Patch for aurora. → Patch for beta.
Comment on attachment 8642484 [details] [diff] [review] Patch for beta. This patch has been in Nightly for over 2 weeks. Seems safe to uplift to Beta41.
Attachment #8642484 -
Flags: approval-mozilla-beta? → approval-mozilla-beta+
Tracked since this is a security bug.
tracking-firefox41:
--- → +
When I reviewed the patch I noticed that it does have a UUID change. Jorge, in the past Sylvestre asked me to check with you on the UUID changes. Do you see a concern here?
Flags: needinfo?(jorge)
Comment 26•9 years ago
|
||
https://hg.mozilla.org/releases/mozilla-beta/rev/d0f16a9c00a0
status-b2g-v2.0:
--- → unaffected
status-b2g-v2.0M:
--- → unaffected
status-b2g-v2.1:
--- → unaffected
status-b2g-v2.1S:
--- → unaffected
status-b2g-v2.2:
--- → unaffected
status-b2g-v2.2r:
--- → unaffected
status-firefox40:
--- → unaffected
status-firefox-esr38:
--- → unaffected
Updated•9 years ago
|
Whiteboard: [post-critsmash-triage]
Updated•9 years ago
|
Group: core-security → core-security-release
Updated•9 years ago
|
Group: core-security-release
Updated•9 years ago
|
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][b2g-adv-main2.5-]
You need to log in
before you can comment on or make changes to this bug.
Description
•