Closed Bug 1538622 Opened 5 years ago Closed 5 years ago

StructuredClone out of order when back reference and custom w/r function is involved

Tracking

()

Status:

RESOLVED FIXED

Milestone:

mozilla68

Tracking Flags:

Tracking

Status

firefox68

---

fixed

People

(Reporter: violet.bugreport, Assigned: violet.bugreport)

References

Details

(Keywords: testcase)

Attachments

(2 files)

out-of-order-backreference.html 5 years ago violet.bugreport 729 bytes, text/html		Details
Bug 1538622 - StructuredClone serialize and deserialize should treat back reference consistently 5 years ago violet.bugreport 47 bytes, text/x-phabricator-request		Details \| Review

violet.bugreport

Assignee

Description

•

5 years ago

Attached file out-of-order-backreference.html — Details

Step to reproduce:

Open the attached file. When backreference is involved, the copied data from postMessage() is out of order and even refer to the inner part an irrelevant object.

violet.bugreport

Assignee

Updated

•

5 years ago

Assignee: nobody → violet.bugreport

violet.bugreport

Assignee

Updated

•

5 years ago

Blocks: 1505821

Keywords: testcase

violet.bugreport

Assignee

Comment 1

•

5 years ago

•

Edited

Attached file Bug 1538622 - StructuredClone serialize and deserialize should treat back reference consistently — Details

If an object needs a custom function to |write|, it will be added to |memory|
in |JSStructuredCloneWriter| before calling the custom function. But in
JSStructuredCloneReader::startRead we did the opposite. This will cause
out-of-order if the custom function also writes some objects (e.g.
WriteStructuredCloneImageData). We fix this by keeping the same order in
|startRead|.
|JS_WriteTypedArray| should not call |writeTypedArray| directly, because it
will miss an entry in |memory| for the typed array itself, which is required
by the |readTypedArray| method. We fix this by calling |startWrite| which will
handle this problem.

BugBot [:suhaib / :marco/ :calixte]

Updated

•

5 years ago

Has STR: --- → yes

violet.bugreport

Assignee

Comment 2

•

5 years ago

Hi Jason,

I submitted this patch a few days ago, could you review it? This bug is kind of serious, it will randomly reorder objects after structured clone, which is the cause of an immediate whole browser (not only the tab) crash in bug 1505821.

Since this is my first patch to the JS engine component, I might be choosing reviewer incorrectly. In case I'm wrong, could you point me to the correct reviewer?

Thanks!

Flags: needinfo?(jorendorff)

Jason Orendorff [:jorendorff]

Comment 3

•

5 years ago

You're right, I'm just overwhelmed with reviews right now. (Unfortunately the other person best suited to review this is even more buried.)

I will review this in the next 3 hours though.

Flags: needinfo?(jorendorff)

Jason Orendorff [:jorendorff]

Updated

•

5 years ago

Priority: -- → P1

Pulsebot

Comment 4

•

5 years ago

Pushed by violet.bugreport@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/aca6f427e048
StructuredClone serialize and deserialize should treat back reference consistently r=jorendorff

Cristina Coroiu [:ccoroiu]

Comment 5

•

5 years ago

bugherder

https://hg.mozilla.org/mozilla-central/rev/aca6f427e048

Status: NEW → RESOLVED

Closed: 5 years ago

status-firefox68: --- → fixed

Resolution: --- → FIXED

Target Milestone: --- → mozilla68

You need to log in before you can comment on or make changes to this bug.

Bugzilla

Quick Search

StructuredClone out of order when back reference and custom w/r function is involved

Categories

(Core :: JavaScript Engine, defect, P1)

Tracking

()

People

(Reporter: violet.bugreport, Assigned: violet.bugreport)

References

Details

(Keywords: testcase)

Crash Data

Security

(public)

User Story

Attachments

(2 files)

Description

Updated

Updated

Comment 1

Updated

Comment 2

Comment 3

Updated

Comment 4

Comment 5

Attachment

General

Description

File Name

Content Type