Closed
Bug 1291142
Opened 7 years ago
Closed 7 years ago
Make sure that we don't return gray things from access to named or indexed child windows
Categories
(Core :: XPConnect, defect)
RESOLVED
FIXED
mozilla51
People
(Reporter: bzbarsky, Assigned: bzbarsky)
Attachments
(1 file, 1 obsolete file)
3.80 KB, patch | bholley: review+ | ritu: approval-mozilla-aurora+
We do FastGetGlobalJSObject, but this doesn't unmark gray....
Assignee
Comment 1•7 years ago
Attachment #8776820 - Flags: review?(bobbyholley)
Assignee
Comment 2•7 years ago
Attachment #8776825 - Flags: review?(bobbyholley)
Assignee
Updated•7 years ago
Attachment #8776820 - Attachment is obsolete: true
Attachment #8776820 - Flags: review?(bobbyholley)
Assignee
Updated•7 years ago
Summary: Make sure that we don't return gray things from access to named or indexed child windows over Xrays → Make sure that we don't return gray things from access to named or indexed child windows
Updated•7 years ago
Attachment #8776825 - Flags: review?(bobbyholley) → review+
Pushed by bzbarsky@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/aa02a3d17d12 Ensure that we don't return gray objects when getting child windows by name or index. r=bholley
Comment 4•7 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/aa02a3d17d12
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla51
Comment 5•7 years ago
Comment on attachment 8776825
Ensure that we don't return gray objects when getting child windows by name or index

Approval Request Comment
[Feature/regressing bug #]: Incremental CC, found by the assertions in bug 1283634.
[User impact if declined]: Intermittent crashes.
[Describe test coverage new/current, TreeHerder]: It's been on TH for a week and no longer hits the assertions.
[Risks and why]: There was a slow trickle of hard-to-exploit UAF crashes in previous branches caused by missing ExposeToActiveJS barriers in a few places. We added an assertion that catches these in bug 1283634. We'd like to uplift the fixes to Aurora to solve the crashes 6 weeks earlier than we otherwise might. The impact is relatively low, but the patches are also extremely simple and low risk. Aurora seems like the right balance here.
[String/UUID change made/needed]: None.
Attachment #8776825 - Flags: approval-mozilla-aurora?
status-firefox50: --- → affected
Comment on attachment 8776825
Ensure that we don't return gray objects when getting child windows by name or index

Crash fix, has stabilized on Nightly for a few weeks, Aurora50+
Attachment #8776825 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Comment 7•7 years ago
bugherder uplift
https://hg.mozilla.org/releases/mozilla-aurora/rev/aa7999336fda