Closed
Bug 1240365
Opened 9 years ago
Closed 9 years ago
Crash [@ xpc::PrivilegedJunkScope ] when instantiating FileReader in a worker with chrome privileges
Categories
(Core :: DOM: Workers, defect)
Core
DOM: Workers
Tracking
()
RESOLVED
FIXED
mozilla46
| Tracking | Status | |
|---|---|---|
| firefox46 | --- | fixed |
People
(Reporter: mstange, Assigned: baku)
References
Details
Attachments
(1 file)
|
6.13 KB,
patch
|
khuey
:
review+
smaug
:
review+
|
Details | Diff | Splinter Review |
I'm working on an addon that launches a Worker, and in that worker I want to use FileReader. Here's the crash I'm getting: https://crash-stats.mozilla.com/report/index/9f73ed48-3e95-4893-bc91-7c7562160117
Group: core-security
Flags: needinfo?(amarchesini)
|
||
Updated•9 years ago
|
Keywords: csectype-race
|
|
||
Comment 1•9 years ago
|
||
It looks like this is just always going to crash safely when chrome privileged code attempts to create a FileReader off the main thread, so I'm going to mark this sec-other for now. Adjust as appropriate.
Keywords: sec-other
|
Assignee | |
Updated•9 years ago
|
Assignee: nobody → amarchesini
Flags: needinfo?(amarchesini)
|
|
Assignee | |
Comment 2•9 years ago
|
||
Attachment #8709999 -
Flags: review?(khuey)
Comment on attachment 8709999 [details] [diff] [review] crash2.patch Review of attachment 8709999 [details] [diff] [review]: ----------------------------------------------------------------- Looks fine to me, although I'd love someone who understands our security stuff better to glance at it.
Attachment #8709999 -
Flags: review?(khuey) → review+
|
|
Assignee | |
Updated•9 years ago
|
Attachment #8709999 -
Flags: review?(bugs)
|
||
Comment 4•9 years ago
|
||
Comment on attachment 8709999 [details] [diff] [review] crash2.patch >- MOZ_ASSERT_IF(!NS_IsMainThread(), mWorkerPrivate && !aWindow); >- MOZ_ASSERT_IF(NS_IsMainThread(), !mWorkerPrivate); >+ MOZ_ASSERT(aGlobal); >+ MOZ_ASSERT(!!NS_IsMainThread() == !!mWorkerPrivate); This assertion is clearly wrong. As you said on IRC, MOZ_ASSERT(NS_IsMainThread() == !mWorkerPrivate); >- if (!owner && nsContentUtils::ThreadsafeIsCallerChrome()) { >- // Instead of grabbing some random global from the context stack, >- // let's use the default one (junk scope) for now. >- // We should move away from this Init... >- fileReader->BindToOwner(xpc::NativeGlobal(xpc::PrivilegedJunkScope())); I added xpc::PrivilegedJunkScope() use long ago when it was in Init and we didn't have this proper webidl Constructor or so. And all this was still main thread only. So yes, this change makes sense to me.
Attachment #8709999 -
Flags: review?(bugs) → review+
|
||
Updated•9 years ago
|
Group: core-security → dom-core-security
|
|
||
Comment 5•9 years ago
|
||
I'll just unhide this. I don't think there's any security issue here.
Group: dom-core-security
|
|
||
Updated•9 years ago
|
Keywords: csectype-race,
sec-other
|
||
Comment 7•9 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/b67a5343e79f
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla46
You need to log in
before you can comment on or make changes to this bug.
Description
•