Closed Bug 1325381 Opened 7 years ago Closed 7 years ago

waitUntil() crashes on null-deref when called on script constructed ExtendableEvent()

Categories

(Core :: DOM: Service Workers, defect)

Product:
Core
Component:
DOM: Service Workers
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla53
Tracking Flags:
Tracking Status
firefox-esr45 --- unaffected
firefox50 --- unaffected
firefox51 --- unaffected
firefox52 --- unaffected
firefox53 --- fixed

People

(Reporter: bkelly, Assigned: catalinb)

References

Details

(Keywords: crash, regression)

Crash Data

Attachments

(1 file)

Fix crash with script constructed ExtendableEvent().waitUntil().
4.36 KB, patch
bkelly
: review+
Details | Diff | Splinter Review 
To reproduce, run this in a ServiceWorker script in nightly:

  let e = new ExtendableEvent('foo');
  e.waitUntil(new Promise());

This crashes because mExtensionsHandler is nullptr for script created events, but we try to access it here:

https://dxr.mozilla.org/mozilla-central/source/dom/workers/ServiceWorkerEvents.cpp#919

I don't believe this is a sec bug because its a null-deref accessed through a RefPtr<> which does a safe crash.

Catalin, can you take a look at this?  We should fix in FF53 and add a test case for it.
Flags: needinfo?(catalin.badea392)
Keywords: crash, regression
I'll write a patch.
Assignee: nobody → catalin.badea392
Flags: needinfo?(catalin.badea392)
Spec issue to clarify that this sort of thing shouldn't keep the SW alive:

https://github.com/w3c/ServiceWorker/issues/1040
Sorry, to reproduce crash you need a slightly different example:

```
  let e = new ExtendableEvent('foo');
  e.waitUntil(new Promise(resolve => { }));
```

My previous code was dying on the undefined function passed to the Promise constructor.
Status: NEW → ASSIGNED
Comment on attachment 8821273 [details] [diff] [review]
Fix crash with script constructed ExtendableEvent().waitUntil().

Review of attachment 8821273 [details] [diff] [review]:
-----------------------------------------------------------------

Thanks.  I'll mention in the github issue we are going to throw InvalidStateError in this case.  Seems the more conservative thing to do here.
Attachment #8821273 - Flags: review?(bkelly) → review+
Version: unspecified → Trunk
Ben, you wanna land this before Catalin gets back?
Flags: needinfo?(bkelly)
Crash Signature: mozilla::dom::workers::ExtendableEvent::WaitUntil → [@ mozilla::dom::workers::ExtendableEvent::WaitUntil]
I think it can wait until Catalin gets back.
Flags: needinfo?(bkelly)
From my prespective it can wait - I have a workaround in place and watch this bug every now and then and will test without that workaround once it has landed.
Pushed by ryanvm@gmail.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/920ef0f4af89
Fix crash with script constructed ExtendableEvent().waitUntil(). r=bkelly
Keywords: checkin-needed
https://hg.mozilla.org/mozilla-central/rev/920ef0f4af89
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
status-firefox53: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla53
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: