Closed
Bug 1261718
Opened 8 years ago
Closed 8 years ago
in nsSubDocumentFrame when getting the document from a view go through the view manager
Categories
(Core :: Web Painting, defect)
Core
Web Painting
Tracking
()
RESOLVED
FIXED
mozilla48
Tracking | Status | |
---|---|---|
firefox48 | --- | fixed |
People
(Reporter: tnikkel, Assigned: tnikkel)
Details
(Keywords: sec-audit, Whiteboard: [post-critsmash-triage][adv-main48-])
Attachments
(1 file)
1.33 KB,
patch
|
MatsPalmgren_bugz
:
review+
|
Details | Diff | Splinter Review |
The view is not guaranteed to have a frame (and won't during the early parts of the presshell's existence). It will have a view manager, and that will have a presshell during this time period. Anytime a view has a frame it will also have a view manager and a pressshell so this is strictly better.
Assignee | ||
Comment 1•8 years ago
|
||
Attachment #8737647 -
Flags: review?(mats)
Comment 2•8 years ago
|
||
Comment on attachment 8737647 [details] [diff] [review] patch I'd be surprised if the view doesn't have a frame here, for the current call sites. But sure, this is strictly better and a tiny bit faster too. I think you can remove the 'vm' null-check, a view always points back to its viewmanager for its entire lifetime, IIRC. (even when it's detached)
Attachment #8737647 -
Flags: review?(mats) → review+
Assignee | ||
Comment 3•8 years ago
|
||
(In reply to Mats Palmgren (:mats) from comment #2) > I'd be surprised if the view doesn't have a frame here, for the current > call sites. But sure, this is strictly better and a tiny bit faster too. We can reconstruct an iframe at any time while it is navigating to a new document, so I think it is quite possible for a view to not have a frame here.
Comment 4•8 years ago
|
||
Yes, but the views here are all owned by their respective frames, AFAIK. So if the frame is destroyed so should its view which /should/ unhook it from its siblings so you won't see that view in EndSwapDocShellsForViews. I don't see anything that clears nsFrameLoader::mDetachedSubdocViews though, in case the very first view in the chain got destroyed. Hmm, we might want to fix that just in case it's possible for navigation to occur while being detached (i.e. between Begin[End]SwapDocShellsForViews). I see that we call SetContainer(nullptr) recursively in DetachContainerRecurse, but I don't know what that means for being able to navigate. Perhaps we should add an assertion about it in ViewportFrame::DestroyFrom ? (i.e. that its view != nsFrameLoader::mDetachedSubdocViews) Then again, if it is, then it might be impossible to get at the associated SubDocumentFrame's loader precisely because it is detached...
Assignee | ||
Comment 5•8 years ago
|
||
Hiding this bug so we can discuss this here instead of trying to move the discussion elsewhere. This bug and patch shouldn't be security issues I don't think. (In reply to Mats Palmgren (:mats) from comment #4) > Yes, but the views here are all owned by their respective frames, AFAIK. > So if the frame is destroyed so should its view which /should/ unhook it > from its siblings so you won't see that view in EndSwapDocShellsForViews. The case I am thinking of is the root view, before the root frame has been constructed. There is a significant amount of time between those two events, I have verified this with a testcase. We create the root view in nsDocumentViewer::MakeWindow http://mxr.mozilla.org/mozilla-central/source/layout/base/nsDocumentViewer.cpp#2388 before any frames have been constructed. And then later, in nsCSSFrameConstructor::ConstructRootFrame http://mxr.mozilla.org/mozilla-central/source/layout/base/nsCSSFrameConstructor.cpp#2643 we set the root view as the view of the root frame we just constructed. I have verified with a testcase reconstructs an iframe every 150ms and then starts the iframe navigating to a new document that we do indeed have a root view without a frame for a significant amount of time. > I don't see anything that clears nsFrameLoader::mDetachedSubdocViews though, > in case the very first view in the chain got destroyed. Hmm, we might > want to fix that just in case it's possible for navigation to occur > while being detached (i.e. between Begin[End]SwapDocShellsForViews). Yes, I agree, see bug 1261175, comment 5. Planning to fix that too (perhaps by holding refpts to the corresponding view managers or documents or presshells instead of raw nsView pointers). > I see that we call SetContainer(nullptr) recursively in > DetachContainerRecurse, > but I don't know what that means for being able to navigate. > > Perhaps we should add an assertion about it in ViewportFrame::DestroyFrom ? > (i.e. that its view != nsFrameLoader::mDetachedSubdocViews) > Then again, if it is, then it might be impossible to get at the associated > SubDocumentFrame's loader precisely because it is detached... Good idea. We might be able to access it via GetFrameElement or via the docshell or via the subdocument map that nsIDocument manages. Hopefully we can just fix the potential problem though like I mentioned above.
Group: core-security
Comment 6•8 years ago
|
||
Is there a specific security concern here, or is this more of a sec-audit cleanup? If the view didn't have a frame would it return something other than null? Because the null case was already handled.
Group: core-security → layout-core-security
Comment 7•8 years ago
|
||
(In reply to Timothy Nikkel (:tnikkel) from comment #5) > We create the root view in nsDocumentViewer::MakeWindow [...] Thanks for elaborating. But if we have a root view with no root frame yet, I don't see how we can have frames/views (or even shells) for any sub-documents (so returning null from GetDocumentFromView seems OK in that case, because there is nothing to do for BeginSwapDocShellsForViews) Perhaps you're worried about lingering pres stuff from a previous navigation? but that stuff would be under a different root view, no?
Keywords: sec-audit
Assignee | ||
Comment 8•8 years ago
|
||
(In reply to Daniel Veditz [:dveditz] from comment #6) > Is there a specific security concern here, or is this more of a sec-audit > cleanup? If the view didn't have a frame would it return something other > than null? Because the null case was already handled. I hid the bug only so that I could fully reply to Mats' comment (where I discuss actual security bugs). The pointers involved here should either be null or valid. The patch and problem here shouldn't be a security issue that I can tell.
Assignee | ||
Comment 9•8 years ago
|
||
(In reply to Mats Palmgren (:mats) from comment #7) > Thanks for elaborating. But if we have a root view with no root > frame yet, I don't see how we can have frames/views (or even shells) > for any sub-documents (so returning null from GetDocumentFromView > seems OK in that case, because there is nothing to do for > BeginSwapDocShellsForViews) Yeah, doesn't seem like anything can go wrong. > Perhaps you're worried about lingering pres stuff from a previous > navigation? but that stuff would be under a different root view, no? No, I don't think anything can go wrong. Just seemed silly to not get the doc if we do have access to it.
Comment 10•8 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/de39f972fdbe
Status: NEW → RESOLVED
Closed: 8 years ago
status-firefox48:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla48
Updated•8 years ago
|
Group: layout-core-security → core-security-release
Updated•8 years ago
|
Whiteboard: [post-critsmash-triage]
Updated•8 years ago
|
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main48-]
Updated•7 years ago
|
Group: core-security-release
Updated•6 years ago
|
Component: Layout: View Rendering → Layout: Web Painting
You need to log in
before you can comment on or make changes to this bug.
Description
•