Closed
Bug 1234192
Opened 8 years ago
Closed 8 years ago
OSFileSystem looks scary since it is threadsafe object but keeps a strong pointer to main-thread only mWindow
Categories
(Core :: DOM: Core & HTML, defect)
Tracking
()
RESOLVED
FIXED
mozilla46
| Tracking | Status | |
|---|---|---|
| firefox44 | --- | unaffected |
| firefox45 | --- | unaffected |
| firefox46 | --- | fixed |
| firefox-esr38 | --- | unaffected |
People
(Reporter: smaug, Assigned: baku)
Details
(Keywords: csectype-race, sec-high)
Attachments
(3 files)
|
2.47 KB,
patch
|
smaug
:
review+
|
Details | Diff | Splinter Review |
|
3.58 KB,
patch
|
smaug
:
review+
|
Details | Diff | Splinter Review |
|
5.64 KB,
patch
|
smaug
:
review+
|
Details | Diff | Splinter Review |
http://mxr.mozilla.org/mozilla-central/source/dom/filesystem/OSFileSystem.h looks scary. Class which has strong pointer to cycle collectable (and not ever traversed or unlinked - so leaking ?) object inhering threadsafe refcounting from the base class. Does anything guarantee the object is always destroyed in the main thread? Or perhaps OSFileSystem is always used just in the main thread even though there is threadsafe refcounting? But don't we anyhow end up leaking?
|
||
Updated•8 years ago
|
Flags: needinfo?(amarchesini)
|
Assignee | |
Comment 1•8 years ago
|
||
I didn't use nsProxyRelease because it doesn't work properly with NS_INLINE_DECL_REFCOUNTING classes.
Assignee: nobody → amarchesini
Flags: needinfo?(amarchesini)
Attachment #8702562 -
Flags: review?(bugs)
|
Reporter | |
Comment 2•8 years ago
|
||
But why does the patch fix the possible leak? We still keep strong ref to a Window and not traverse/unlink it.
|
|
Reporter | |
Comment 3•8 years ago
|
||
Comment on attachment 8702562 [details] [diff] [review] fsb.patch This should be fine for the security issue, but I think we should fix the leak issue in this bug too.
Attachment #8702562 -
Flags: review?(bugs) → review+
|
|
Assignee | |
Comment 4•8 years ago
|
||
Attachment #8702676 -
Flags: review?(bugs)
|
|
Reporter | |
Updated•8 years ago
|
Attachment #8702676 -
Flags: review?(bugs) → review+
|
|
Assignee | |
Comment 5•8 years ago
|
||
I landed these 2 patches because the OSFileSystem obj is used only in nightly and protected behind pref.
|
||
Comment 6•8 years ago
|
||
Backed out in https://treeherder.mozilla.org/logviewer.html#?job_id=19094197&repo=mozilla-inbound for the b2g debug assertion failure in test_fs_createFile.html, https://treeherder.mozilla.org/logviewer.html#?job_id=19094197&repo=mozilla-inbound
|
|
||
Comment 7•8 years ago
|
||
Not just debug, a consistent crash in b2g opt, and not just b2g, an intermittent crash or assertion on desktop.
|
|
||
Updated•8 years ago
|
status-firefox45:
--- → unaffected
status-firefox46:
--- → disabled
https://hg.mozilla.org/mozilla-central/rev/952139e6c454 https://hg.mozilla.org/mozilla-central/rev/cb7ddeee6364
|
|
||
Comment 9•8 years ago
|
||
Even though this is disabled in Nightly, I'm going to mark it sec-high for completeness.
Keywords: csectype-race,
sec-high
|
||
Updated•8 years ago
|
Group: dom-core-security → core-security-release
|
|
Reporter | |
Comment 10•8 years ago
|
||
This is my bad. Sorry! We fixed the security issue, but the traversing/unlinking is now wrong. mFileSystem is owned by several different Directories, so we can just go from Directory->fs->mWindow. (This is all still not enabled-by-default-expect-in-Nightly code)
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
|
|
Reporter | |
Comment 11•8 years ago
|
||
I hadn't realized the same FileSystem object is being reused, but DataTransfer certainly does that.
|
|
||
Updated•8 years ago
|
|
|
Assignee | |
Comment 12•8 years ago
|
||
> (This is all still not enabled-by-default-expect-in-Nightly code)
I'm removing this 'reuse' thing in another patch that you are reviewing.
But if you prefer I submit a patch for that here.|
|
Assignee | |
Comment 13•8 years ago
|
||
Attachment #8707395 -
Flags: review?(bugs)
|
|
Reporter | |
Comment 14•8 years ago
|
||
Comment on attachment 8707395 [details] [diff] [review] reuse.patch Thanks. This is still a bit fragile. We should somehow be able to guarantee fs isn't reused. Would it be possible have an Init method on Directory where you pass window and dirname and it creates OSFileSystem which the Directory uses. (I'm trying to recall why FileSystem needs a pointer to the global)
Attachment #8707395 -
Flags: review?(bugs) → review+
|
|
Assignee | |
Comment 15•8 years ago
|
||
> Would it be possible have an Init method on Directory where you pass window
> and dirname and it creates OSFileSystem which the Directory uses.
> (I'm trying to recall why FileSystem needs a pointer to the global)
The global is used to create objects by the tasks. Currently we have a window, but as you know, in other patches I'm moving it to a nsISupports.|
|
Assignee | |
Comment 16•8 years ago
|
||
I'll make your proposal in one of the other patches you are reviewing.
|
||
Comment 17•8 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/061115751346
Status: REOPENED → RESOLVED
Closed: 8 years ago → 8 years ago
status-firefox44:
--- → unaffected
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla46
|
|
||
Updated•8 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•