Closed
Bug 1289330
Opened 8 years ago
Closed 8 years ago
Intermittent dom/crypto/test/test_WebCrypto.html | application crashed [@ mozilla::dom::GetDOMClass]
Categories
(Core :: DOM: Core & HTML, defect)
Core
DOM: Core & HTML
Tracking
()
RESOLVED
FIXED
mozilla50
| Tracking | Status | |
|---|---|---|
| firefox50 | --- | fixed |
People
(Reporter: intermittent-bug-filer, Assigned: ttaubert)
Details
(Keywords: intermittent-failure)
Attachments
(1 file)
|
3.43 KB,
patch
|
bzbarsky
:
review+
|
Details | Diff | Splinter Review |
Filed by: tomcat [at] mozilla.com https://treeherder.mozilla.org/logviewer.html#?job_id=32592224&repo=mozilla-inbound https://queue.taskcluster.net/v1/task/NHEYsZfJQq6wvCPLHjWCsA/runs/0/artifacts/public%2Flogs%2Flive_backing.log
|
||
Comment 1•8 years ago
|
||
This is crashing because the mPublicExponent of a RsaHashedKeyAlgorithm ended up with a null object in it. At first glance this could happen if the allocations and stuff that RsaHashedKeyAlgorithmStorage::ToKeyAlgorithm fail. Sadly, it ignores those failures...
Flags: needinfo?(ttaubert)
|
Assignee | |
Comment 2•8 years ago
|
||
(In reply to Boris Zbarsky [:bz] from comment #1) > This is crashing because the mPublicExponent of a RsaHashedKeyAlgorithm > ended up with a null object in it. > > At first glance this could happen if the allocations and stuff that > RsaHashedKeyAlgorithmStorage::ToKeyAlgorithm fail. Sadly, it ignores those > failures... Yeah, that's definitely an oversight. This should fix it.
Assignee: nobody → ttaubert
Status: NEW → ASSIGNED
Flags: needinfo?(ttaubert)
Attachment #8775287 -
Flags: review?(bzbarsky)
|
|
||
Comment 3•8 years ago
|
||
Comment on attachment 8775287 [details] [diff] [review] 0001-Bug-1289330-Check-for-success-when-calling-ToKeyAlgo.patch >+ JSObject* prime = mPrime.ToUint8Array(aCx); >+ JSObject* generator = mGenerator.ToUint8Array(aCx); This is going to fail static analysis: "prime" is not rooted and mGenerator.ToUint8Array can gc. Please just use JS::Rooted<JSObject*> to store the return values of all your ToUint8Array calls, like so: JS::Rooted<JSObject*> exponent(aCx, mPublicExponent.ToUint8Array(aCx)); Also, once an allocation fails, you need to return without trying to do more allocations: at this point an exception is pending on aCx and trying to do more work on it is not ok. That means if !prime you need to return before trying to create generator. r=me with those two issues fixed.
Attachment #8775287 -
Flags: review?(bzbarsky) → review+
Pushed by ttaubert@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/2b89d0c341aa Check for success when calling ToKeyAlgorithm() r=bz
|
||
Comment 5•8 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/2b89d0c341aa
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
status-firefox50:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla50
|
||
Updated•5 years ago
|
Component: DOM → DOM: Core & HTML
You need to log in
before you can comment on or make changes to this bug.
Description
•