Closed Bug 1749056 Opened 4 years ago Closed 4 years ago

Missing lock in CheckListenerChain()

Categories

(Core :: DOM: HTML Parser, defect, P2)

defect

Tracking

()

RESOLVED FIXED
99 Branch
Tracking Status
firefox-esr91 --- wontfix
firefox97 --- wontfix
firefox98 --- wontfix
firefox99 --- fixed

People

(Reporter: jesup, Assigned: jesup)

References

(Blocks 1 open bug)

Details

(Keywords: csectype-race, perf-alert, sec-moderate, Whiteboard: [post-critsmash-triage][adv-main99+r])

Attachments

(1 file)

There appears to be a missing lock accessing mDelegate in CheckListenerChain(). Found with clang thread-safety analysis.

Assignee: nobody → rjesup
Status: NEW → ASSIGNED

There's a potential deadlock (ordering) between mDelegateMonitor and nsInputStreamPump here.... ideas?

Flags: needinfo?(hsivonen)
Group: core-security → dom-core-security

Bug 1724101 comment 4 is the reason why there's a mutex instead of an atomic pointer.

That is, the point of the mutex is that it keeps us from destructing the pointee of mDelegate when OnDataAvailable is called on the pointee off-the-main-thread.

Since CheckListenerChain() doesn't operate on the pointee, perhaps we could make the pointer atomic and keep the mutex in general but do the null check in CheckListenerChain() without the mutex relying only on the atomicity, which should be enough for null check even though atomicity isn't enough to hold the pointee alive when calling through the pointer.

Flags: needinfo?(hsivonen)

The severity field is not set for this bug.
:hsinyi, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(htsai)

Feel free to let me know if we should raise the severity level for better tracking.

Severity: -- → S3
Flags: needinfo?(htsai)
Priority: -- → P2
Group: dom-core-security → core-security-release
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → 99 Branch
Flags: qe-verify-
Whiteboard: [post-critsmash-triage]

== Change summary for alert #33310 (as of Fri, 18 Feb 2022 06:59:22 GMT) ==

Improvements:

Ratio Test Platform Options Absolute values (old vs new)
85% wikipedia fnbpaint macosx1015-64-shippable-qr fission warm webrender 298.12 -> 43.67
85% wikipedia fnbpaint linux1804-64-shippable-qr fission warm webrender 372.58 -> 55.54
77% wikipedia fnbpaint windows10-64-shippable-qr fission warm webrender 388.50 -> 88.88
70% wikipedia FirstVisualChange linux1804-64-shippable-qr fission warm webrender 406.67 -> 120.00
70% wikipedia ContentfulSpeedIndex linux1804-64-shippable-qr fission warm webrender 407.33 -> 120.58
... ... ... ... ...
2% amazon fcp android-hw-g5-7-0-arm7-shippable-qr warm webrender 439.92 -> 430.21

For up to date results, see: https://treeherder.mozilla.org/perfherder/alerts?id=33310

Keywords: perf-alert
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main99+r]

This change seems performance-relevant to bug 1726299. Not sure if it's a good idea to say so on that bug while this one remains hidden.

Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: