Port latest changes to MOZ_CAN_RUN_SCRIPT from bug 1533293
Categories
(MailNews Core :: General, enhancement)
Tracking
(Not tracked)
People
(Reporter: jorgk-bmo, Assigned: jorgk-bmo)
References
(Blocks 1 open bug)
Details
Attachments
(6 files, 5 obsolete files)
6.97 KB,
patch
|
Details | Diff | Splinter Review | |
873 bytes,
patch
|
jorgk-bmo
:
review+
|
Details | Diff | Splinter Review |
6.33 KB,
patch
|
Details | Diff | Splinter Review | |
4.40 KB,
patch
|
Details | Diff | Splinter Review | |
1.40 KB,
patch
|
BenB
:
review+
|
Details | Diff | Splinter Review |
5.89 KB,
patch
|
Details | Diff | Splinter Review |
/builds/worker/workspace/build/src/comm/mailnews/compose/src/nsMsgCompose.cpp:755:9: error: functions marked as MOZ_CAN_RUN_SCRIPT can only be called from functions also marked as MOZ_CAN_RUN_SCRIPT
/builds/worker/workspace/build/src/comm/mailnews/compose/src/nsMsgCompose.cpp:757:9: error: functions marked as MOZ_CAN_RUN_SCRIPT can only be called from functions also marked as MOZ_CAN_RUN_SCRIPT
/builds/worker/workspace/build/src/comm/mailnews/compose/src/nsMsgCompose.cpp:932:9: error: arguments must all be strong refs or parent parameters when calling a function marked as MOZ_CAN_RUN_SCRIPT (including the implicit object argument)
/builds/worker/workspace/build/src/comm/mailnews/compose/src/nsMsgCompose.cpp:932:9: error: functions marked as MOZ_CAN_RUN_SCRIPT can only be called from functions also marked as MOZ_CAN_RUN_SCRIPT
Boris and Emilio, we're seeing frequent bustage due to changes in MOZ_CAN_RUN_SCRIPT
. Can you please give me a guideline of needs to be done.
Since this is only seen when compiling in automation and not locally on Windows, it's a particularly cumbersome process to fix this bustage.
We have a few MOZ_CAN_RUN_SCRIPT
in C-C now:
https://searchfox.org/comm-central/search?q=MOZ_CAN_RUN_SCRIPT&case=true®exp=false&path=mailnews%2F
and here:
https://searchfox.org/comm-central/search?q=can_run_script&case=true®exp=false&path=mailnews%2F
I can't even see the M-C bug that caused it in this range:
https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=e0861be8d6c0&tochange=9421b477d67c
Assignee | ||
Comment 1•5 years ago
|
||
Found it, plenty of new MOZ_CAN_RUN_SCRIPT
in the three changesets in bug 1533293.
Assignee | ||
Comment 2•5 years ago
|
||
No idea whether [can_run_script] and [noscript] are compatible:
https://hg.mozilla.org/try-comm-central/rev/047aa0b40d0f926dde7c83b56cbc7ecff602fd13#l1.12
If I understand it correctly, one says whether you can call the function from JS and the other whether the function itself can call into JS?
See bug 1534575 comment #7 for Ben's take on this.
Comment 3•5 years ago
|
||
I do wonder why it isn't showing except for on automation. I just rebuild locally on linux and it went fine. Is there some flag that enables this check?
Assignee | ||
Comment 4•5 years ago
|
||
See bug 1534575 comment #7. Ben looked into it.
Assignee | ||
Comment 5•5 years ago
|
||
Comment 6•5 years ago
|
||
(In reply to Jorg K (GMT+1) from comment #0)
Boris and Emilio, we're seeing frequent bustage due to changes in
MOZ_CAN_RUN_SCRIPT
. Can you please give me a guideline of needs to be done.Since this is only seen when compiling in automation and not locally on Windows, it's a particularly cumbersome process to fix this bustage.
You need to build with --enable-clang-plugin to see these. Generally what needs to be done is:
- Annotate any caller to a MOZ_CAN_RUN_SCRIPT function as MOZ_CAN_RUN_SCRIPT.
- Ensure callers to MOZ_CAN_RUN_SCRIPT functions hold a strong reference to their arguments.
Assignee | ||
Comment 7•5 years ago
|
||
OK, I'll try this locally. As you can see, I had to stick MOZ_CAN_RUN_SCRIPT_FOR_DEFINITION
onto QuotingOutputStreamListener::OnStopRequest
since that calls convertAndLoadComposeWindow
. That brings me to the question: What has to happen in an IDL file. I already had to add it here:
https://hg.mozilla.org/comm-central/rev/f79b60fb833f19ca091c9f209f40ad453c991546#l1.12
but we don't control the IDL that declares OnStopRequest
so how is that going to work?
That's exactly happened here now:
/builds/worker/workspace/build/src/comm/mailnews/compose/src/nsMsgCompose.cpp:2468:30: error: functions marked as MOZ_CAN_RUN_SCRIPT cannot override functions that are not marked MOZ_CAN_RUN_SCRIPT
I'm not sure what went wrong here now:
/builds/worker/workspace/build/src/comm/mailnews/compose/src/nsMsgCompose.cpp:4606:15: error: functions marked as MOZ_CAN_RUN_SCRIPT cannot override functions that are not marked MOZ_CAN_RUN_SCRIPT
And sorry about the ignorance, what is a "strong reference"?
Comment 8•5 years ago
|
||
Regarding the error and 932, you should keep a strong reference to the editor, so:
Should become:
nsCOMPtr<nsIEditor> editor(m_editor);
editor->...
I don't think you need to change the OnStopRequest IDL file, but ICBW, boris would know.
Re. BuildBodyMessageAndSignature, it should probably be marked as CAN_RUN_SCRIPT.
A strong reference is a RefPtr / nsCOMPtr variable on the stack.
Assignee | ||
Comment 9•5 years ago
|
||
Yes, we definitely have the dilemma that we're calling a MOZ_CAN_RUN_SCRIPT
function from OnStopRequest
:-(
2:49.10 c:/mozilla-source/comm-central/comm/mailnews/compose/src/nsMsgCompose.cpp(3011,7): error: functions marked as MOZ_CAN_RUN_SCRIPT can only be called from functions also marked as MOZ_CAN_RUN_SCRIPT
2:49.10 compose->ConvertAndLoadComposeWindow(mCitePrefix,
2:49.10 ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2:49.10 c:/mozilla-source/comm-central/comm/mailnews/compose/src/nsMsgCompose.h(165,5): note: caller function declared here
2:49.10 NS_DECL_NSIREQUESTOBSERVER
2:49.10 ^
2:49.10 c:/mozilla-source/comm-central/obj-x86_64-pc-mingw32/dist/include/nsIRequestObserver.h(47,14): note: expanded from macro 'NS_DECL_NSIREQUESTOBSERVER'
2:49.10 NS_IMETHOD OnStopRequest(nsIRequest *aRequest, nsresult aStatusCode) override;
2:49.10 ^
2:49.14 3 errors generated.
If I put this
MOZ_CAN_RUN_SCRIPT_FOR_DEFINITION NS_IMETHODIMP
QuotingOutputStreamListener::OnStopRequest(nsIRequest *request, nsresult status)
back then I get:
0:24.61 JS_HAZ_CAN_RUN_SCRIPT NS_IMETHOD OnStopRequest(nsIRequest *aRequest, nsresult aStatusCode) = 0;
0:24.61 ^
0:24.61 c:/mozilla-source/comm-central/comm/mailnews/compose/src/nsMsgCompose.cpp(4606,15): error: functions marked as MOZ_CAN_RUN_SCRIPT cannot override functions that are not marked MOZ_CAN_RUN_SCRIPT
So that seems like a lost cause.
Assignee | ||
Updated•5 years ago
|
Comment 10•5 years ago
|
||
Ah, I see... We should probably be annotation all the functions annotated with JS_HAZ_CAN_RUN_SCRIPT with MOZ_CAN_RUN_SCRIPT as well. That may take a bit, let me look into that.
You should be able to work around it by moving OnStopRequest to call something like OnStopRequestInternal, and annotate that one with MOZ_CAN_RUN_SCRIPT_BOUNDARY.
Assignee | ||
Comment 11•5 years ago
|
||
Let's see whether that stuff can be disabled:
https://treeherder.mozilla.org/#/jobs?repo=try-comm-central&revision=525910f74c2cec31f03ee5689f4a3d6781245628
Assignee | ||
Comment 12•5 years ago
|
||
This fixesmailnews/compose/src/nsMsgCompose.cpp but still lots of errors in mailnews/jsaccount/src/:
0:15.02 c:/mozilla-source/comm-central/comm/mailnews/jsaccount/src/JaCompose.h(70,32): error: arguments must all be strong refs or parent parameters when calling a function marked as MOZ_CAN_RUN_SCRIPT (including the implicit object argument)
0:15.02 NS_FORWARD_NSIMSGCOMPOSE(mFakeThis->JaBaseCppCompose::)
Looks like mFakeThis
needs to be turned into a strong reference, no idea how with all that macro magic. I have to take a break.
Comment 13•5 years ago
|
||
--disable-clang-plugin doesn't appear to be a thing. What matters is ENABLE_CLANG_PLUGIN
Comment 14•5 years ago
•
|
||
Can you please give me a guideline of needs to be done
Generally speaking, see the documentation at https://searchfox.org/mozilla-central/rev/4763b8d576ce52625d245d1ab6d9404ea025b026/build/clang-plugin/CanRunScriptChecker.cpp#6-44
You want to make sure the code is following the rules described there.
Since this is only seen when compiling in automation and not locally on Windows
Does adding --enable-clang-plugin to your mozconfig work on Windows, by any chance? That's what automation is doing, to run the analysis at build time. This worked for me out of the box on Mac, with a lot of pain (had to compile my own clang) on Linux. Not sure what the Windows situation is...
If I understand it correctly, one says whether you can call the function from JS and the other whether the function itself can call into JS?
That's correct.
but we don't control the IDL that declares OnStopRequest so how is that going to work?
Not well-documented (and perhaps not intended, but still true) is that you can annotate a definition with MOZ_CAN_RUN_SCRIPT_BOUNDARY. That is probably the right path here. File an m-c bug to annotate the OnStopRequest IDL with [can_run_script], annotate your thing MOZ_CAN_RUN_SCRIPT_BOUNDARY with a comment pointing to the m-c bug.
We should probably be annotation all the functions annotated with JS_HAZ_CAN_RUN_SCRIPT with MOZ_CAN_RUN_SCRIPT
That's tracked in bug 1534292, fwiw. Timeframe: extremely uncertain, if ever. ;)
Looks like mFakeThis needs to be turned into a strong reference
Given the structure of the NS_FORWARD_NSIMSGCOMPOSE macro, I think you should be able to do:
NS_FORWARD_NSIMSGCOMPOSE(RefPtr<JaCppComposeDelegator> fakeThis(mFakeThis); fakeThis->>JaBaseCppCompose::)
or so. That said, I don't understand how this code is supposed to work at all, at first glance; mFakeThis is refcounted but we're not holding a ref to it. We just set the raw pointer in the constructor and never null it out. Looks pretty scary to me. :(
Assignee | ||
Comment 15•5 years ago
|
||
Thanks for all the comments. Yes, --enable-clang-plugin
works on Windows. I tried your suggestion
NS_FORWARD_NSIMSGCOMPOSE(RefPtr<JaCppComposeDelegator> fakeThis(mFakeThis);
fakeThis->JaBaseCppCompose::)
and that doesn't compile:
0:11.24 c:/mozilla-source/comm-central/comm/mailnews/jsaccount/src/JaCompose.h(70,62): error: expected '(' for function-style cast or type construction
0:11.24 NS_FORWARD_NSIMSGCOMPOSE(RefPtr<JaCppComposeDelegator> fakeThis(mFakeThis);
0:11.24 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ^
0:11.24 c:/mozilla-source/comm-central/obj-x86_64-pc-mingw32/dist/include\nsIMsgCompose.h(562,126): note: expanded from macro 'NS_FORWARD_NSIMSGCOMPOSE'
That's most likely due to the tricky macro expansion that doesn't take to statements.
Comment 16•5 years ago
|
||
This disabling seems to have worked on linux.
Comment 17•5 years ago
|
||
Does it help if you do:
#define WHATEVER RefPtr<JaCppComposeDelegator> fakeThis(mFakeThis); fakeThis->JaBaseCppCompose::
NS_FORWARD_NSIMSGCOMPOSE(WHATEVER)
?
Assignee | ||
Comment 18•5 years ago
|
||
Comment on attachment 9051745 [details] [diff] [review] bug1536047_disable_clang_plugin.patch How would I tell whether this works on Windows? The try run https://treeherder.mozilla.org/#/jobs?repo=try-comm-central&revision=38adf24a130758759f7fbb512d9d79927c90255e busted Mach but that might be related to the other hunks.
Assignee | ||
Comment 19•5 years ago
|
||
(In reply to Boris Zbarsky [:bzbarsky, bz on IRC] from comment #17)
Does it help if you do:
#define WHATEVER RefPtr<JaCppComposeDelegator> fakeThis(mFakeThis); fakeThis->JaBaseCppCompose:: NS_FORWARD_NSIMSGCOMPOSE(WHATEVER)
Sadly not.
Assignee | ||
Updated•5 years ago
|
Comment 20•5 years ago
|
||
Pushed by mozilla@jorgk.com: https://hg.mozilla.org/comm-central/rev/58d5b2195fc8 Port bug 1533293: Add some MOZ_CAN_RUN_SCRIPT to nsMsgCompose.cpp. rs=bustage-fix https://hg.mozilla.org/comm-central/rev/063e8f6bc499 Temporarily disable MOZ_CAN_RUN_SCRIPT checking. r=jorgk
Assignee | ||
Comment 21•5 years ago
|
||
I've landed that now since our merges are happening soon and it would be nice to merge something that actually compiles.
Assignee | ||
Comment 22•5 years ago
|
||
Comment on attachment 9051678 [details] [diff] [review] 1536047-MOZ_CAN_RUN_SCRIPT.patch - WIP That fixes the issues in compose, Ben, I'll leave the JS Account macro magic to you, you've already done a good job here: https://hg.mozilla.org/comm-central/rev/93daa9a87d52 I could swear I had already disabled JS Account once since I couldn't get it to compile, but now I can't find any trace of it. For the record, it's removing it from mailnews/moz.build and removing all references in mailnews/build/nsMailModule.cpp.
Assignee | ||
Comment 23•5 years ago
|
||
Comment on attachment 9051745 [details] [diff] [review] bug1536047_disable_clang_plugin.patch Haha, fixes Linux but not Windows. On Windows you're now seeing the JS Account errors.
Assignee | ||
Comment 24•5 years ago
|
||
I've done a bit of digging. NS_FORWARD_NSIMSGCOMPOSE
in defined in nsIMsgCompose.h which is generated from the IDL:
#define NS_FORWARD_NSIMSGCOMPOSE(_to) \
NS_IMETHOD Initialize(nsIMsgComposeParams *aParams, mozIDOMWindowProxy *aWindow, nsIDocShell *aDocShell) override { return _to Initialize(aParams, aWindow, aDocShell); } \
NS_IMETHOD SetDocumentCharset(const char * charset) override { return _to SetDocumentCharset(charset); } \
We see how the _to
argument is used. Looks like we can't squeeze our
RefPtr<JaCppComposeDelegator> fakeThis(mFakeThis); fakeThis->JaBaseCppCompose::
in there.
Assignee | ||
Comment 25•5 years ago
•
|
||
BenB, can you check how to get this going again? If BenC doesn't find a solution here, I will have to [edit: disable] JS Account for the sake of compiling TB. We're also planning on doing a TB 67 beta sometime soon now.
Assignee | ||
Comment 26•5 years ago
|
||
Let's see whether disabling work on Windows like it works on Mac:
https://treeherder.mozilla.org/#/jobs?repo=try-comm-central&revision=01765988d1c3497ca3cef8705f3d8b9060e4269e
See: https://searchfox.org/comm-central/search?q=disable-clang-plugin&case=true®exp=false&path=
https://searchfox.org/comm-central/rev/1ed80b150864c0b6e953d3d76ca6e45b6753f3c6/mail/config/mozconfigs/macosx64/debug#22
Comment 27•5 years ago
|
||
Oh, it's got the "return" bit in there, I see.
So I think you have a few options:
-
Hand-code the relevant bits instead of using the macro. Basically hand-expand the macro. It's a bit annoying, because there are lots of methods on nsIMsgCompose.
-
Try writing it like this:
NS_FORWARD_NSIMSGCOMPOSE(RefPtr<JaCppComposeDelegator>(mFakeThis)->JaBaseCppCompose::)
or if that compiles but fails the MOZ_CAN_RUN_SCRIPT analysis, then like this:
NS_FORWARD_NSIMSGCOMPOSE(MOZ_KnownLive(RefPtr<JaCppComposeDelegator>(mFakeThis))->JaBaseCppCompose::)
with a comment about how the MOZ_KnownLive is a workaround for the analysis not realizing the nsCOMPtr has stack lifetime. And maybe file a bug on the analysis for the latter.
Assignee | ||
Comment 28•5 years ago
|
||
None of the options in No. 2 compiles :-(
Comment 29•5 years ago
|
||
None of the options in No. 2 compiles :-(
OK, with what errors?
Assignee | ||
Comment 30•5 years ago
|
||
Sorry, it compiles but fails the analysis.
Assignee | ||
Comment 31•5 years ago
|
||
2.1 says:
0:13.33 c:/mozilla-source/comm-central/comm/mailnews/jsaccount/src/JaCompose.h(49,40): error: arguments must all be strong refs or parent parameters when calling a function marked as MOZ_CAN_RUN_SCRIPT (including the implicit object argument)
0:13.33 NS_FORWARD_NSIMSGCOMPOSE(DELEGATE_JS(mJsIMsgCompose, mMethods, mCppBase)->)
0:13.34 ^
Assignee | ||
Comment 32•5 years ago
|
||
Umm, that's a different error now, moved to line 49.
Assignee | ||
Comment 33•5 years ago
|
||
Umm, this still doesn't compile, I get:
0:09.80 In file included from c:/mozilla-source/comm-central/comm/mailnews/jsaccount/src/JaCompose.cpp:7:
0:09.80 c:/mozilla-source/comm-central/comm/mailnews/jsaccount/src/JaCompose.h(50,55): error: expected unqualified-id
0:09.80 (DELEGATE_JS(mJsIMsgCompose, mMethods, mCppBase)->))
Comment 34•5 years ago
|
||
Oh, well, yes. I was talking about the mFakeThis usage.
For the DELEGATE_JS usage, how did you write it, exactly? I'd expect you would need something like this:
NS_FORWARD_NSIMSGCOMPOSE(nsCOMPtr<nsIMsgCompose>(DELEGATE_JS(mJsIAbDirectory, mMethods, mCppBase))->)
or if that is still failing the analysis (per latter part of comment 27), then:
NS_FORWARD_NSIMSGCOMPOSE(MOZ_KnownLive(nsCOMPtr<nsIMsgCompose>(DELEGATE_JS(mJsIAbDirectory, mMethods, mCppBase)))->)
Assignee | ||
Comment 35•5 years ago
|
||
Sorry, Boris, I did a silly copy/paste, trying your version now.
Comment 36•5 years ago
|
||
You can't store the result of DELEGATE_JS in a RefPtr<JaCppComposeDelegator>, because it's totally not that type. It's either a nsCOMPtr<nsIMsgCompose> from mJsIMsgCompose or a nsCOMPtr<nsIMsgCompose> from mCppBase...
Assignee | ||
Comment 37•5 years ago
|
||
Indeed, as I said, silly copy/paste error.
error: no matching function for call to 'MOZ_KnownLive' :-(
Comment 38•5 years ago
|
||
error: no matching function for call to 'MOZ_KnownLive' :-(
Did you include "mozilla/StaticAnalysisFunctions.h" ?
Assignee | ||
Comment 39•5 years ago
|
||
I did before and it gave the same error. Including it now, I also get:
0:11.61 c:/mozilla-source/comm-central/obj-x86_64-pc-mingw32/dist/include\mozilla/StaticAnalysisFunctions.h(35,29): note: candidate template ignored: could not match 'T ' against 'nsCOMPtr<nsIMsgCompose>'
0:11.61 static MOZ_ALWAYS_INLINE T MOZ_KnownLive(T* ptr) {
Comment 40•5 years ago
|
||
Hmm. Does it help to add an rvalue overload of MOZ_KnownLive (i.e. add a version that takes T&& ref
and returns std::forward<T>(ref)
to return a T&&)?
Comment 41•5 years ago
|
||
BenB, can you check who to get this going again?
I should checked who?
I will have to JS Account
Parse error: "JS Account" is not a verb?
What's your exact problem that you (still, after bz's responses) need solved?
Definition of MOZ_CAN_RUN_SCRIPT: https://hg.mozilla.org/mozilla-central/rev/37761497b6c1
Based on that definition, a lot of TB functions would need this flag, because JsAccount allows core TB functions to be implemented in JS, so their base classes need that flag, and all callers of these functions need that flag, which probably means that half of TB needs it, because most of TB will at some point call mail folder functions or send mail.
bz, JsAccount is a feature of Thunderbird that allows a mail account type (like IMAP and SMTP) to be implemented in JavaScript.
Updated•5 years ago
|
Comment 42•5 years ago
|
||
Right, so if/when bug 1534292 happens that will become an issue.
But for the moment, the problem is just that Thunderbird is calling into editor methods that can run script and that those are annotated with MOZ_CAN_RUN_SCRIPT. The fix on the thunderbird side is to add MOZ_CAN_RUN_SCRIPT and/or MOZ_CAN_RUN_SCRIPT_BOUNDARY annotations sufficient to make things compile, then ideally have a long-term plan for getting rid of the MOZ_CAN_RUN_SCRIPT_BOUNDARY bits. And separately, it may be desirable to start annotating the JsAccount bits as [can_run_script] in IDL and fixing stuff piecemeal instead of waiting for bug 1534292 to break the world. ;)
Assignee | ||
Comment 43•5 years ago
|
||
Here's another variation, I'm calling it a day. Over to the night shift.
Assignee | ||
Comment 44•5 years ago
|
||
Sorry, multiple typos that turned into grammar errors:
BenB, can you check how to get this going again? If BenC doesn't find a solution here, I will have to disable JS Account for the sake of compiling TB.
Comment 45•5 years ago
|
||
Comment on attachment 9051678 [details] [diff] [review] 1536047-MOZ_CAN_RUN_SCRIPT.patch - WIP Review of attachment 9051678 [details] [diff] [review]: ----------------------------------------------------------------- My take on the MOZ_ macros (reading https://searchfox.org/mozilla-central/source/mfbt/Attributes.h) is that usually they should be applied at the function declaration rather than the definition... I could be wrong on that, but that's my assumption for the comments below. (I'm syncing and building right now, but then I'll look at the jsaccount stuff. I can try a version of this patch with the macros moved to the header files too if you'd like) I'll leave the r? for now - if I'm wrong then I can flip it to r+ :-) ::: mailnews/compose/src/nsMsgCompose.cpp @@ +612,5 @@ > } > } > } > > +MOZ_CAN_RUN_SCRIPT_FOR_DEFINITION NS_IMETHODIMP Should be MOZ_CAN_RUN_SCRIPT on declaration in nsMsgCompose.h instead of here? @@ +1635,5 @@ > // (it did the loadURI that triggered editor creation) > // It is called from JS after editor creation > // (loadURI is done in JS) > +MOZ_CAN_RUN_SCRIPT_FOR_DEFINITION NS_IMETHODIMP > +nsMsgCompose::InitEditor(nsIEditor* aEditor, mozIDOMWindowProxy* aContentWindow) Should be MOZ_CAN_RUN_SCRIPT on declaration in nsMsgCompose.h instead of here? @@ +2472,5 @@ > + return OnStopRequestInternal(request,status); > +} > + > +MOZ_CAN_RUN_SCRIPT_BOUNDARY nsresult > +QuotingOutputStreamListener::OnStopRequestInternal(nsIRequest *request, nsresult status) Should be MOZ_CAN_RUN_SCRIPT_BOUNDARY on declaration in nsMsgCompose.h instead of here? @@ +4609,5 @@ > PR_Free(preopen); > return NS_OK; > } > > +MOZ_CAN_RUN_SCRIPT nsresult Should be on declaration in nsMsgCompose.h instead of here? ::: mailnews/compose/src/nsMsgCompose.h @@ +175,5 @@ > NS_IMETHOD AppendToMsgBody(const nsCString &inStr); > > private: > virtual ~QuotingOutputStreamListener(); > + nsresult OnStopRequestInternal(nsIRequest *request, nsresult status); should have MOZ_CAN_RUN_SCRIPT_BOUNDARY here on OnStopRequestInternal declaration?
Assignee | ||
Comment 46•5 years ago
•
|
||
Sorry, but the functions/methods are defined in the IDL and don't appear in the .h file. The only one where the comment applies is OnStopRequestInternal
.
Let's not worry about the fine print here right now. If the JS Account stuff can't be made to compile within in the next 10 hours, I will disable it.
Comment 47•5 years ago
|
||
Just to be clear, if the goal is just "get stuff compiling ASAP", then I don't understand all the work being done here. Just find the places that are calling the functions that are now MOZ_CAN_RUN_SCRIPT in m-c, annotate those callers with MOZ_CAN_RUN_SCRIPT_BOUNDARY, make those specific calls comply with the MOZ_CAN_RUN_SCRIPT rules, check that in, and file a followup bug to do more work in terms of moving the MOZ_CAN_RUN_SCRIPT_BOUNDARY frontier further out, etc.
Basically, every place you have MOZ_CAN_RUN_SCRIPT_BOUNDARY is a potential security bug, but it's not any worse than it was yesterday in terms of the actual security situation; now you just know about them...
Comment 48•5 years ago
•
|
||
Couldn't even get the static analysis running locally today.
Had a bit of a poke about but my understanding of the attributes and mozilla-can-run-scripts test is still a bit lacking.
I thought that if we tagged all the delegate function implementation with MOZ_CAN_RUN_SCRIPT_BOUNDARY, then they'd be OK calling the real MOZ_CAN_RUN_SCRIPT functions, but no.
Maybe disable the jsaccount stuff and I'll have another crack at it tomorrow?
I need to read through the mozilla-can-run-scripts code and get a proper grasp of what it's doing.
Also, where are the NS_FORWARD_* macros generated? They're not in the .idl file, so it seems to be part of the .idl compilation, but it seems like and awfully specific feature...
Comment 49•5 years ago
|
||
Ben, I'd really like to understand what's confusing about the MOZ_CAN_RUN_SCRIPT setup so I can improve the documentation. I'm generally available during work hours US/Eastern and can talk on IRC or video or whatever would work best for you if you'd like...
I need to read through the mozilla-can-run-scripts code and get a proper grasp of what it's doing.
I assume the documentation I linked above does not really answer your questions?
Also, where are the NS_FORWARD_* macros generated?
https://searchfox.org/mozilla-central/rev/7abb9117c8500ed20833746c9f8e800fce3a4688/xpcom/idl-parser/xpidl/header.py#546 and https://searchfox.org/mozilla-central/rev/7abb9117c8500ed20833746c9f8e800fce3a4688/xpcom/idl-parser/xpidl/header.py#581
This is a reasonably commonly used feature in the tree (100+ uses in mozilla-central, certainly).
Comment 50•5 years ago
|
||
Ben, I'd really like to understand what's confusing about the MOZ_CAN_RUN_SCRIPT setup so I can improve the documentation. I'm generally available during work hours US/Eastern and can talk on IRC or video or whatever would work best for you if you'd like...
I need to read through the mozilla-can-run-scripts code and get a proper grasp of what it's doing.
I assume the documentation I linked above does not really answer your questions?
Also, where are the NS_FORWARD_* macros generated?
https://searchfox.org/mozilla-central/rev/7abb9117c8500ed20833746c9f8e800fce3a4688/xpcom/idl-parser/xpidl/header.py#546 and https://searchfox.org/mozilla-central/rev/7abb9117c8500ed20833746c9f8e800fce3a4688/xpcom/idl-parser/xpidl/header.py#581
This is a reasonably commonly used feature in the tree (100+ uses in mozilla-central, certainly).
Assignee | ||
Comment 51•5 years ago
|
||
(In reply to Boris Zbarsky [:bzbarsky, bz on IRC] from comment #47)
Just to be clear, if the goal is just "get stuff compiling ASAP", then I don't understand all the work being done here.
Thanks for your support, Boris. Yes, the aim here is to get up an running again, then we improve the code base later not under bustage-fix pressure.
I followed your suggestion in TB's compose code, but the JS Account stuff with all the macros is just a mystery. Add to that, that I need a working local system to work on other stuff, and enabling ac_add_options --enable-clang-plugin
in the mozconfig and disabling it again causes a recompile of about 30 minutes on one of the fastest machines available in the market. So IOW, it's not fun.
As far as I can see the compile error for JS Account happens on
2:12.90 In file included from c:/mozilla-source/comm-central/comm/mailnews/jsaccount/src/JaCompose.cpp:7
where the include file #include "JaCompose.h"
is included. That in turn creates a lot of code in the "forward macros", and as far as I see, the code in those macros would need to be decorated with MOZ_CAN_RUN_SCRIPT_BOUNDARY
. So personally, I cannot implement your suggestion.
Assignee | ||
Comment 52•5 years ago
|
||
This is what is needed to switch off JS Account. It's a pain in nsMailModule.cpp, so I added a #define to make it easier next time.
Comment 53•5 years ago
|
||
Pushed by mozilla@jorgk.com: https://hg.mozilla.org/comm-central/rev/ca1e6b213293 temporarily switch off JS Account. rs=bustage-fix https://hg.mozilla.org/comm-central/rev/d916bdb4640d Backed out changeset 063e8f6bc499 to re-enable the clang plugin. a=backout
Comment 54•5 years ago
|
||
Pushed by mozilla@jorgk.com: https://hg.mozilla.org/comm-central/rev/dad748b418b7 Follow-up: fix typo in #define. rs=typo-fix DONTBUILD
Assignee | ||
Comment 55•5 years ago
|
||
Geoff tells me that this would have worked if the added code had been lower in the file:
09:59:59 - darktrojan: jorgk, your change is too high up the file https://hg.mozilla.org/try-comm-central/rev/7bdc9d43573166dc4c553247a0cf3d3ca159eae1
10:00:37 - darktrojan: mozconfig.vs-latest calls mozconfig.clang-cl which sets ENABLE_CLANG_PLUGIN=1
We can consider that option if JS Account resists.
Assignee | ||
Comment 56•5 years ago
|
||
OK, so this should work according to Geoff, so let's push this to the beta.
Assignee | ||
Comment 57•5 years ago
|
||
Comment 58•5 years ago
|
||
@JörgK: What's the bug for re-enabling JS Account?
Assignee | ||
Comment 59•5 years ago
|
||
None, we'll re-enable it here after you've sent a patch to fix the compile errors ;-) - But seriously, if we can't get it fixed within a few days, I'll land the beta patch here which disables the analysis. I hear that there will be big bustage coming in bug 1534292 ("to break the world", see comment #42).
Comment 60•5 years ago
|
||
When you disable such a feature, could you please at least file a bug to fix it?
We're currently completely buried just to pay rent, so we won't be able to work on it anytime soon.
Assignee | ||
Comment 61•5 years ago
|
||
I don't know what you gain by filing a bug. I manage the code base very actively and I know that you exist and rely on JS Account. You didn't enter any agreement with the project to maintain it yourself. You also know that the functioning of JS Account is not guaranteed, at least not on Daily. As any other feature, it can go bust any minute. Now, please let me do my work and not waste time on comments like this one.
Comment 62•5 years ago
|
||
but the JS Account stuff with all the macros is just a mystery.
Why is it involved at all? If you put MOZ_CAN_RUN_SCRIPT_BOUNDARY as close as you can to the relevant callsites into Gecko that are now MOZ_CAN_RUN_SCRIPT, the JS Account stuff should not matter in any way, I would think. Or are there JS Account impls of core Gecko interfaces (like editor) that are now MOZ_CAN_RUN_SCRIPT? (I sort of doubt that.)
and enabling ac_add_options --enable-clang-plugin in the mozconfig and disabling it again causes a recompile of about 30 minutes
Uh... why are you doing this? Use two separate mozconfigs with two separate objdirs.
So personally, I cannot implement your suggestion.
I have zero context for this claim. Can you please attach your patch which is having this problem with JS Accounts or point to it if it's already attached to this bug? I really feel like you've somehow painted yourself into a corner with some changes that are not strictly needed to fix the immediate bustage but do require you to disable JS Accounts. For example, I would expect absolutely no .idl changes in a minimal patch that just adds the minimum required MOZ_CAN_RUN_SCRIPT_BOUNDARY annotations. Is that true about your patch?
I hear that there will be big bustage coming in bug 1534292
Just to reiterate:
-
Timeframe there is unknown. I have no concrete plans to work on it in the next month or two, and no one else is planning to either.
-
Disabling the analysis is the ostrich approach to security in this case. The right thing is to fix the issues the analysis uncovers. It may be good to start on that, slowly, before it becomes an emergency if someone does pick up bug 1534292.
Comment 63•5 years ago
|
||
bz, just FYI, JsAccount works by implementing the nsIMsg* TB APIs (nsIMsgFolder, incoming server, message etc.) in C++, and then letting C++ delegate/forward the call to a JS implementation. To add complexity, some of the interface functions remain implemented in C++, only some functions are implemented in JS. And, if I'm not mistaken (not 100% sure), JsAccount also exposes some C++ implementations to JS, so that it can use these as helper functions for important core functions that are implemented in C++. So, there's a quite complex interaction between JS and C++.
This just as background information. I have no idea what part of that is relevant here.
Assignee | ||
Comment 64•5 years ago
•
|
||
Hi Boris, thanks for your continued support. Please note that the TB project has 12 paid staff now. My roll is to keep the show on the road, fixing bustage, releases, regressions, sheriffing, etc. That said, I can't fix everything that breaks alone. I will mostly get it to the point where we can build, tests are mostly green, so others can work. If that means temporary fixes, switching off stuff or tests, so be it. I keep track of it. So I've handed that stuff over to BenC. If he doesn't fix it very quickly, I'll put JS Account back and disable the static analysis, that's working on beta now.
So for now, I won't be making any more attempts or attaching any patches.
What I said in comment #51:
As far as I can see the compile error for JS Account happens on
2:12.90 In file included from c:/mozilla-source/comm-central/comm/mailnews/jsaccount/src/JaCompose.cpp:7
where the include file #include "JaCompose.h"
is included. That in turn creates a lot of code in the "forward macros", and as far as I see, the code those macros create would need to be decorated with MOZ_CAN_RUN_SCRIPT_BOUNDARY
. So personally, I cannot implement your suggestion.
Yes, the preprocessor turns the "forward macros" into what you see in comment #24:
#define NS_FORWARD_NSIMSGCOMPOSE(_to) \
NS_IMETHOD SetDocumentCharset(const char * charset) override { return _to SetDocumentCharset(charset); } \
and the _to
parameter which is substituted by the macro invocation is what the analysis complains about.
So unless I understand it incorrectly, the NS_IMETHOD SetDocumentCharset
would need to receive the MOZ_CAN_RUN_SCRIPT_BOUNDARY
, and that's not possible since it's generated by the macro.
If you put MOZ_CAN_RUN_SCRIPT_BOUNDARY as close as you can to the relevant callsites
into Gecko that are now MOZ_CAN_RUN_SCRIPT, the JS Account stuff should not matter
in any way, I would think. Or are there JS Account impls of core Gecko interfaces
(like editor) that are now MOZ_CAN_RUN_SCRIPT? (I sort of doubt that.)
As I said, I don't see any call sites into Gecko-MOZ_CAN_RUN_SCRIPT functions other than the ones I fixed in our compose code. What appears to be happening is that JS Account somehow now forwards to compose interfaces that have been made MOZ_CAN_RUN_SCRIPT
since they call such Gecko functions. So in a way, yes, JS Account appears to implement MOZ_CAN_RUN_SCRIPT
functions, but not from Gecko, but from Mailnews.
Weren't attachment 9051818 [details] [diff] [review] and attachment 9051830 [details] [diff] [review], which both don't compile, attempts to deliver strong references?
No offence intended, but I won't touch it any more for now. I expect to wake up one morning and find this fixed by BenC who is working from NZ (I'm in Europe, we have 12 hours time difference between the two).
Assignee | ||
Comment 65•5 years ago
|
||
Ben, this one is for you. With two lines you can re-enable JS Account. I intend to leave the #if
stuff in place for the next time we need to disable it.
Comment 66•5 years ago
|
||
The NS_IMETHOD SetDocumentCharset would need to receive the MOZ_CAN_RUN_SCRIPT_BOUNDARY
Why?
Weren't attachment 9051818 [details] [diff] [review] [diff] [review] and attachment 9051830 [details] [diff] [review] [diff] [review], which both don't compile, attempts to deliver strong references?
Yes, but those are all on top of https://bug1536047.bmoattachments.org/attachment.cgi?id=9051678 which is already wrong if you're aiming for a minimal fix, because it's changing .idl. If the issue was that editor->SelectAll() is MOZ_CAN_RUN_SCRIPT (which it is), then marking nsMsgCompose::ConvertAndLoadComposeWindow as MOZ_CAN_RUN_SCRIPT_BOUNDARY and the strong-ref change in https://bug1536047.bmoattachments.org/attachment.cgi?id=9051678 around the "@@ -924,17 +924,18 @@ nsMsgCompose::ConvertAndLoadComposeWindo" bits would have been enough. Similar for other bits where actual calls into editor are happening.
It's probably not going to help any more in this bug, but I am trying to make sure that future changes like this go more smoothly, so trying to make sure you understand exactly what my proposed way of dealing with them is, because I suspect it's a lot less disruptive and painful for everyone involved than what happened here....
Assignee | ||
Comment 67•5 years ago
|
||
Thanks, Boris, the penny has dropped now. I will revert most of the compose changes and only leave MOZ_CAN_RUN_SCRIPT_BOUNDARY
on nsMsgCompose::ConvertAndLoadComposeWindow()
.
I'll file a new bug to put it all back and to fix JS Account.
Assignee | ||
Comment 68•5 years ago
|
||
OK, that reverts most of https://hg.mozilla.org/comm-central/rev/58d5b2195fc8.
Comment 69•5 years ago
|
||
Pushed by mozilla@jorgk.com:
https://hg.mozilla.org/comm-central/rev/e5cad39148cd
Re-enable JS Account. r=me
https://hg.mozilla.org/comm-central/rev/b1b1782857a7
Revert rev 58d5b2195fc8 and only use MOZ_CAN_RUN_SCRIPT_BOUNDARY once in nsMsgCompose.cpp. r=me
Assignee | ||
Comment 70•5 years ago
|
||
Comment on attachment 9051678 [details] [diff] [review] 1536047-MOZ_CAN_RUN_SCRIPT.patch - WIP Nothing to review here, it mostly got backed out apart from the changes in `nsMsgCompose::ConvertAndLoadComposeWindow()`.
Comment 71•5 years ago
|
||
Re-enable JS Account. r=me
Thank you
Comment 72•5 years ago
|
||
Comment on attachment 9052034 [details] [diff] [review] 1536047-re-enable-js-account.patch > Ben, this one is for you. r+
Assignee | ||
Comment 73•5 years ago
|
||
Oh, I meant BenC, to use when fixing the C++ bustage. But we have bug 1536535 for that now.
Assignee | ||
Comment 74•5 years ago
|
||
TB 67 beta, aligned with what we had on TB 68 trunk when this bug here was resolved:
https://hg.mozilla.org/releases/comm-beta/rev/95c94af6564ab3f52ba5e50558d61d5bf352b8ee
https://hg.mozilla.org/releases/comm-beta/rev/43530adfd6da555e8c66d9ede229644c486ea8b9
Description
•