Closed Bug 1356305 Opened 7 years ago Closed 7 years ago

stylo: heap write hazard from Gecko_MatchStringArgPseudo calling InitSystemMetrics

Categories

(Core :: CSS Parsing and Computation, defect, P1)

Product:
Core
Component:
CSS Parsing and Computation
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla55
Tracking Flags:
Tracking Status
firefox55 --- fixed

People

(Reporter: sfink, Assigned: manishearth)

References

Details

Attachments

(1 file)

Bug 1356305 - stylo: Initialize system metrics before traversing
59 bytes, text/x-review-board-request
bholley
: review+
Details 
[24.05s] #50 Analyzing Gecko_MatchStringArgPseudo ...
Error: Variable assignment _ZL14sSystemMetrics$nsCSSRuleProcessor.cpp:nsTArray<nsCOMPtr<nsIAtom> >* sSystemMetrics
Location: _ZL17InitSystemMetricsv$nsCSSRuleProcessor.cpp:uint8 InitSystemMetrics() @ https://searchfox.org/mozilla-central/source/layout/style/nsCSSRuleProcessor.cpp#1069
Stack Trace:
_ZN18nsCSSRuleProcessor15HasSystemMetricEP7nsIAtom$uint8 nsCSSRuleProcessor::HasSystemMetric(nsIAtom*) @ https://searchfox.org/mozilla-central/source/layout/style/nsCSSRuleProcessor.cpp#1216
_ZN18nsCSSRuleProcessor19StringPseudoMatchesEPKN7mozilla3dom7ElementENS0_18CSSPseudoClassTypeEPKDsPK11nsIDocumentbNS0_11EventStatesEbPbSC_$uint8 nsCSSRuleProcessor::StringPseudoMatches(mozilla::dom::Element*, uint8, uint16*, nsIDocument*, uint8, mozilla::EventStates, uint8, uint8*, uint8*) @ https://searchfox.org/mozilla-central/source/layout/style/nsCSSRuleProcessor.cpp#1702 ### SafeArguments: <arg6> <arg7> <arg8>
Gecko_MatchStringArgPseudo @ https://searchfox.org/mozilla-central/source/layout/style/ServoBindings.cpp#586 ### SafeArguments: <arg3>
Assignee: nobody → manishearth
Priority: -- → P1
Comment on attachment 8858178 [details]
Bug 1356305 - stylo: Initialize system metrics before traversing

https://reviewboard.mozilla.org/r/130118/#review132784

r=me with those two fixes.

::: gfx/thebes/gfxUserFontSet.h:178
(Diff revision 2)
>      friend class gfxUserFontEntry;
>      friend class gfxOTSContext;
>  
>  public:
>  
> -    NS_INLINE_DECL_REFCOUNTING(gfxUserFontSet)
> +    NS_INLINE_DECL_THREADSAFE_REFCOUNTING(gfxUserFontSet)

This should go away.

::: layout/style/nsCSSRuleProcessor.cpp:1064
(Diff revision 2)
> -static bool
> -InitSystemMetrics()
> +/* static */ bool
> +nsCSSRuleProcessor::InitSystemMetrics()
>  {
>    NS_ASSERTION(!sSystemMetrics, "already initialized");
>  
>    sSystemMetrics = new nsTArray< nsCOMPtr<nsIAtom> >;
>    NS_ENSURE_TRUE(sSystemMetrics, false);

|new| is infallible now so this whole thing can become a void function.
Attachment #8858178 - Flags: review+
Blocks: 1356458
We can't access prefs from nsLayoutStatics. Doing it in pre traverse instead

https://treeherder.mozilla.org/#/jobs?repo=try&revision=49452e83d081654da49eb413a32135e0c5b3ad56
I changed the way I'm handling this since we can't do pref access in nsLayoutStatics, need re-review.

Also, r?sfink on the analysis change. I don't think I can teach the analysis that we always call this function before traversal. Perhaps I should structure it differently (asserting that sSystemMetrics exists when off main thread)? It seems like the analysis won't understand the assert so I'd need to whitelist it anyway.


https://treeherder.mozilla.org/#/jobs?repo=try&revision=06eb380377e1e7542f6533f3bc5c2aba4823d7bc
Attachment #8858178 - Flags: review?(sphink)
Pushed by manishearth@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/1e269a211fe7
stylo: Initialize system metrics before traversing; r=bholley
Blocks: 1356266
https://hg.mozilla.org/mozilla-central/rev/1e269a211fe7
Status: NEW → RESOLVED
Closed: 7 years ago
status-firefox55: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla55
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: