Closed
Bug 1516691
Opened 5 years ago
Closed 5 years ago
Consider making the following a release assertion: xpc::IsInContentXBLScope(obj) || !xpc::UseContentXBLScope(JS::GetObjectRealmOrNull(obj)), at src/dom/base/nsINode.cpp:2664
Categories
(Core :: DOM: Core & HTML, defect, P2)
Core
DOM: Core & HTML
Tracking
()
RESOLVED
FIXED
mozilla67
People
(Reporter: Alex_Gaynor, Assigned: Alex_Gaynor)
References
Details
(Keywords: sec-want, Whiteboard: [adv-main67-])
Attachments
(1 file)
Bug 1516289 is the Nth iteration we have of hitting this debug assertion. When it's hit, it generally indicates a sec-high issue as I understand it. We should consider making this a release assert, which will render this condition unexploitable, and also assist in discovering bugs where we violate it. I did a try run of this, results here: https://treeherder.mozilla.org/perf.html#/compare?originalProject=mozilla-central&newProject=try&newRevision=825144742ca907dc082b5d8f547fde631dc9c7c5&framework=1&showOnlyComparable=1&selectedTimeRange=172800 There are two negative results in the >2% range, both of which are Windows10-64bit only. There are a handful of other medium confidence results which are not large. Emilio was concerned that we might not have any talos benchmarks that would catch this; :bz, do you know if that's the case? Assuming we do have benchmarks that'd catch a regression caused by this change, do the results seem reasonable to land?
|
Assignee | |
Updated•5 years ago
|
Flags: needinfo?(bzbarsky)
|
||
Comment 1•5 years ago
|
||
Apart from maybe dromaeo I don't think we have fine-grained DOM performance benchmarks. Do we even still run dromaeo on talos? People kept wanting to turn it off... If we do run it, you'd need to look at the specific subtests that would hit this code (i.e. ones that would involve returning nodes to JS). Another interesting question is this: given the on-the-chopping-block status of content XBL scopes, will this assert even stick around in current form for much longer?
Flags: needinfo?(bzbarsky)
|
||
Updated•5 years ago
|
Priority: -- → P2
|
|
Assignee | |
Comment 2•5 years ago
|
||
Looking at the dromaeo DOM subtests: https://treeherder.mozilla.org/perf.html#/comparesubtest?originalProject=mozilla-central&newProject=try&newRevision=825144742ca907dc082b5d8f547fde631dc9c7c5&originalSignature=91ee66e069fdeb63f2aaabf8b4cff8451273c461&newSignature=91ee66e069fdeb63f2aaabf8b4cff8451273c461&framework=1&selectedTimeRange=172800
They only seem to run on Linux, there are small regresionss, from 0-4%, all at low confidence (with the noise metric way up).
Emilio, do you know about whether this assert will still exist with the demise of content XBL?
|
|
Assignee | |
Comment 3•5 years ago
|
||
It looks like https://hg.mozilla.org/mozilla-central/rev/9f776274089a changed this assert slightly.
Is it still security sensitive?
Flags: needinfo?(emilio)
|
|
Assignee | |
Comment 5•5 years ago
|
||
Ok, I'll rebase then.
|
|
Assignee | |
Comment 6•5 years ago
|
||
|
|
Assignee | |
Updated•5 years ago
|
Keywords: checkin-needed
|
|
||
Comment 7•5 years ago
|
||
Keywords: checkin-needed
|
||
Comment 8•5 years ago
|
||
Group: dom-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 5 years ago
status-firefox67:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla67
|
||
Updated•5 years ago
|
status-firefox65:
--- → wontfix
status-firefox-esr60:
--- → wontfix
|
||
Updated•5 years ago
|
Component: DOM → DOM: Core & HTML
|
||
Updated•5 years ago
|
Flags: qe-verify-
|
||
Updated•5 years ago
|
Whiteboard: [adv-main67-]
|
||
Updated•4 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•