Closed Bug 1387334 Opened 8 years ago Closed 3 years ago

stop exposing startProfiling, stopProfiling etc. and getMaxGCPauseSinceClear, clearMaxGCPauseAccumulator to content

Categories

(Core :: DOM: Core & HTML, enhancement, P2)

Product:
Core
Component:
DOM: Core & HTML
Type:
enhancement

Tracking

()

Status:
RESOLVED FIXED
Milestone:
103 Branch
Tracking Flags:
Tracking Status
firefox-esr91 --- disabled
firefox-esr102 --- disabled
firefox101 --- disabled
firefox102 --- disabled
firefox103 --- fixed

People

(Reporter: freddy, Assigned: mccr8)

Details

(Keywords: sec-moderate, Whiteboard: [Affects Nightly and other MOZ_PROFILING builds][secdom:patch])

Attachments

(1 file)

Bug 1387334 - Don't call JS_DefineProfilingFunctions in CreateGlobal.
48 bytes, text/x-phabricator-request
Details | Review
These functions should not be exposed to content: > startProfiling > stopProfiling > pauseProfilers > resumeProfilers > dumpProfile > getMaxGCPauseSinceClear > clearMaxGCPauseAccumulator Bug 1386801 contains some of the discussion around this already, but is mostly about having a test that detects these errors.
Group: core-security → javascript-core-security
Keywords: sec-moderate
Whiteboard: Affects Nightly and other MOZ_PROFILING builds
Priority: -- → P3
Sorry, we mis-triaged this when it was originally filed. The fix is to move or remove these: https://searchfox.org/mozilla-central/source/dom/base/nsJSEnvironment.cpp#1125 https://searchfox.org/mozilla-central/source/dom/workers/RegisterBindings.cpp#38 Bouncing back to DOM.
Group: javascript-core-security → core-security
Component: JavaScript Engine → DOM
Flags: needinfo?(bzbarsky)
Priority: P3 → --
I'm not sure I follow. The start/stopProfiling things are intended to be used from performance testcases. Those are not run as system, hence they must be enabled in non-system globals if we're going to be enabling them at all anywhere. dumpProfile shouldn't be exposed in non-system globals. But in the current world, that decision needs to be made inside SpiderMonkey, not DOM. DOM doesn't have a way to define start/stopProfiling without defining dumpProfile at the moment. So what exactly is the request here? Fixing SpiderMonkey so we can define start/stopProfiling without defining dumpProfile? Removing all this stuff altogether? Something else?
Flags: needinfo?(jorendorff)
Flags: needinfo?(fbraun)
Flags: needinfo?(bzbarsky)
This stuff dates back to before e10s and before Gecko profiler. ni?bz to test whether it even still works. <bz> If not, then this is easy <bz> We just remove it <jorendorff> sounds great <bz> If it does work, feels like we should at least check whether anyone uses it (Honestly, it sounds to me as though we're going to end up removing it either way.)
Flags: needinfo?(jorendorff)
Flags: needinfo?(fbraun)
Flags: needinfo?(bzbarsky)
OK. So on Mac, startProfiling/stopProfiling do in fact work (at least on OS 10.12, which is where I tested). The first call to startProfiling() prompts for an administrator password to allow dtrace to connect to the process. So it's not like a web page can just trigger that. stopProfiling writes out profile data to a caller-supplied directory name under /tmp. That said, this only works if I manually change the security sandbox level from the default one; in the default configuration the sandbox kills the content process when it tries to do file access. It does look like this can get hit even if the password was never given for startProfiling (so there isn't actually profile data to write out). I have to admit, modulo the "have to twiddle the sandbox flags" thing the result is really nice, allowing very targeted profiling, unlike the Gecko profiler. While I was looking at this stuff, dumpProfile (which was the security worry in bug 1386801) only does something #ifdef MOZ_CALLGRIND which I am pretty sure is not a default configuration.
Flags: needinfo?(bzbarsky)
So one thing we should consider is not defining the various MOZ_PROFILING bits unless compiling with a (non-default!) compile option that would make them non-noops.
Priority: -- → P2
Group: core-security → dom-core-security
Component: DOM → DOM: Core & HTML
Assignee: nobody → peterv
Status: NEW → ASSIGNED
Assignee: nobody → peterv

JS_DefineProfilingFunctions is called in dom::CreateGlobal, the JS shell, and xpc::InitClassesWithNewWrappedGlobal. Only the first seems to be used for web content. Let's just get rid of the call there. If somebody complains, we can add it back behind an if (false) or something. It seems absurd to keep shipping this without any evidence that anybody actually cares about it.

Assignee: peterv → continuation

In the modern age of the Gecko Profiler, surely nobody is using this.

Whiteboard: Affects Nightly and other MOZ_PROFILING builds → [Affects Nightly and other MOZ_PROFILING builds][secdom:patch]

FWIW, I accidentally pushed this patch to try.

Don't call JS_DefineProfilingFunctions in CreateGlobal. r=peterv
https://hg.mozilla.org/integration/autoland/rev/57fad07090a4c5b37531f276b8ca6da5d857969b
https://hg.mozilla.org/mozilla-central/rev/57fad07090a4

Group: dom-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
status-firefox103: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 103 Branch

I think MOZ_PROFILING is only defined on Nightly, so there's no need to backport this.

status-firefox101: --- → wontfix
status-firefox102: --- → wontfix
status-firefox-esr102: --- → wontfix
status-firefox-esr91: --- → wontfix
QA Whiteboard: [post-critsmash-triage]
Flags: qe-verify-
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: