Closed
Bug 1325381
Opened 7 years ago
Closed 7 years ago
waitUntil() crashes on null-deref when called on script constructed ExtendableEvent()
Categories
(Core :: DOM: Service Workers, defect)
Core
DOM: Service Workers
Tracking
()
RESOLVED
FIXED
mozilla53
Tracking | Status | |
---|---|---|
firefox-esr45 | --- | unaffected |
firefox50 | --- | unaffected |
firefox51 | --- | unaffected |
firefox52 | --- | unaffected |
firefox53 | --- | fixed |
People
(Reporter: bkelly, Assigned: catalinb)
References
Details
(Keywords: crash, regression)
Crash Data
Attachments
(1 file)
4.36 KB,
patch
|
bkelly
:
review+
|
Details | Diff | Splinter Review |
To reproduce, run this in a ServiceWorker script in nightly: let e = new ExtendableEvent('foo'); e.waitUntil(new Promise()); This crashes because mExtensionsHandler is nullptr for script created events, but we try to access it here: https://dxr.mozilla.org/mozilla-central/source/dom/workers/ServiceWorkerEvents.cpp#919 I don't believe this is a sec bug because its a null-deref accessed through a RefPtr<> which does a safe crash. Catalin, can you take a look at this? We should fix in FF53 and add a test case for it.
Flags: needinfo?(catalin.badea392)
Reporter | ||
Updated•7 years ago
|
Keywords: crash,
regression
Reporter | ||
Comment 1•7 years ago
|
||
Crash reports: https://crash-stats.mozilla.com/report/index/a3ee4c10-b818-4f30-8fdf-358742161221 https://crash-stats.mozilla.com/report/index/7f26e8c0-9aeb-485e-88d9-374cf2161222 Not sure I set the crash signature field properly in the bug.
Assignee | ||
Comment 2•7 years ago
|
||
I'll write a patch.
Assignee: nobody → catalin.badea392
Flags: needinfo?(catalin.badea392)
Reporter | ||
Comment 3•7 years ago
|
||
Spec issue to clarify that this sort of thing shouldn't keep the SW alive: https://github.com/w3c/ServiceWorker/issues/1040
Reporter | ||
Comment 4•7 years ago
|
||
Sorry, to reproduce crash you need a slightly different example: ``` let e = new ExtendableEvent('foo'); e.waitUntil(new Promise(resolve => { })); ``` My previous code was dying on the undefined function passed to the Promise constructor.
Status: NEW → ASSIGNED
Reporter | ||
Updated•7 years ago
|
status-firefox50:
--- → unaffected
status-firefox51:
--- → unaffected
status-firefox52:
--- → unaffected
status-firefox53:
--- → affected
status-firefox-esr45:
--- → unaffected
Assignee | ||
Comment 5•7 years ago
|
||
Attachment #8821273 -
Flags: review?(bkelly)
Reporter | ||
Comment 6•7 years ago
|
||
Comment on attachment 8821273 [details] [diff] [review] Fix crash with script constructed ExtendableEvent().waitUntil(). Review of attachment 8821273 [details] [diff] [review]: ----------------------------------------------------------------- Thanks. I'll mention in the github issue we are going to throw InvalidStateError in this case. Seems the more conservative thing to do here.
Attachment #8821273 -
Flags: review?(bkelly) → review+
Updated•7 years ago
|
Version: unspecified → Trunk
Updated•7 years ago
|
Crash Signature: mozilla::dom::workers::ExtendableEvent::WaitUntil → [@ mozilla::dom::workers::ExtendableEvent::WaitUntil]
Reporter | ||
Comment 8•7 years ago
|
||
I think it can wait until Catalin gets back.
Flags: needinfo?(bkelly)
From my prespective it can wait - I have a workaround in place and watch this bug every now and then and will test without that workaround once it has landed.
Assignee | ||
Comment 10•7 years ago
|
||
https://treeherder.mozilla.org/#/jobs?repo=try&revision=d20990107a3ff1ed53f2a90677d3f5719d9a9136
Keywords: checkin-needed
Comment 12•7 years ago
|
||
Pushed by ryanvm@gmail.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/920ef0f4af89 Fix crash with script constructed ExtendableEvent().waitUntil(). r=bkelly
Keywords: checkin-needed
Comment 13•7 years ago
|
||
bugherder |
https://hg.mozilla.org/mozilla-central/rev/920ef0f4af89
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla53
You need to log in
before you can comment on or make changes to this bug.
Description
•