1752332 - Expand the pref-syncing-to-subprocesses blocklist to dynamic preferences

Status: RESOLVED FIXED

(Core :: Preferences: Backend, enhancement, P1)

Comment 1

[Tom Ritter [:tjr] (OOTO until 4/30 at least)]

Attachment: WIP: Bug 1752332: Do not sync dynamic preferences to subprocesses

Depends on D137149

Comment 2

[Tom Ritter [:tjr] (OOTO until 4/30 at least)]

Attachment: Bug 1752332: Add in a sanitize property for prefs, and only serialize the user value if we're not sanitized r?kriswright

We want to eventually crash if a blocklisted preference
is accessed. In order to do this, we do need to
populate the preference in the pref hashmap of the
subprocess; otherwise when we look up a blocklisted
pref we will just not find anything. We could try to
put the blocklist check at that point; but this won't
work for StaticPrefs; we'd also need to put the blocklist
check there.

Performing a list iteration and string comparison on
every Static Pref call is not acceptable when we can
just populate a bit and check it.

Depends on D137149

Comment 3

[Tom Ritter [:tjr] (OOTO until 4/30 at least)]

Attachment: Bug 1752332: Rename references to parent-only pref structures r?kriswright

We're going to be using them in more contexts, so generalize
the name.

Depends on D138679

Comment 4

[Tom Ritter [:tjr] (OOTO until 4/30 at least)]

Attachment: Bug 1752332: Move ShouldSyncPreferences to Preferences module r?kriswright

While we do so, also add a boolean argument to indicate
if we are in a Content process or some other type of
subprocess, which I expect we will need later.

Depends on D138680

Comment 5

[Tom Ritter [:tjr] (OOTO until 4/30 at least)]

Attachment: Bug 1752332: Rename ShouldSyncPreference to ShouldSanitizePreference r?kriswright

This simplifies the number of negations needed,
and makes things easy to understand. I think
anyway; I know that without renaming it I made
several annoying-to-diagnose negation errors...

Depends on D138681

Comment 6

[Tom Ritter [:tjr] (OOTO until 4/30 at least)]

Attachment: Bug 1752332: Remove browser.startup from blocklist r?kriswright

browser.startup.homepage.abouthome_cache.enabled is accessed
in content processes it turns out.

Depends on D138682

Comment 7

[Tom Ritter [:tjr] (OOTO until 4/30 at least)]

Attachment: Bug 1752332: Remove the blocklisting check in ::OnPreferenceChange r?kriswright

Now that we send everything (except sometimes the user value
is sanitized) we should no longer perform this check.

This is also good because it eliminates security code you
have to have (and thus accidently omitting it is a
vulnerability) and changes it to security code that happens
automatically, and is enforced by the compiler (via mandatory
ctor argument.)

Depends on D138683

Comment 8

[Tom Ritter [:tjr] (OOTO until 4/30 at least)]

Attachment: Bug 1752332: Improve the blocklisting behavior r?kriswright

We sanitize a preference (when sending from the parent
process) if it is in the blocklist, or if does not
have a Default value (i.e. it is dynamically named).
There is an exception list for dynamically named
preferences we know we need though.

In subprocesses, we know if a preference was sanitized
by checking its Sanitized bit.

Depends on D138684

Comment 9

[Tom Ritter [:tjr] (OOTO until 4/30 at least)]

Attachment: Bug 1752332: Crash if a pref is accessed that shouldn't be r?kriswright

Depends on D138685

Comment 10

[Tom Ritter [:tjr] (OOTO until 4/30 at least)]

Attachment: Bug 1752332: Add preferences that control whether we send user data and/or crash r?kriswright

Depends on D138686

Comment 11

[Tom Ritter [:tjr] (OOTO until 4/30 at least)]

Attachment: Bug 1752332: Do not sanitize anything for non-content processes r?kriswright

For now we are not concerned about other utility processes
so we will give them all a pass.

Depends on D138687

Comment 12

[Andrew McCreight [:mccr8]]

C++ preferences changes are likely going to be the Core::Preferences module, not the Desktop Firefox::Preferences module. Kris Wright could review these patches.

Comment 13

[Hsin-Yi Tsai (she/her) [:hsinyi]]

I'm suggesting P1 as this is a blocker for removal spectre mitigations.

Comment 14

[Andrew McCreight [:mccr8]]

Also, I think a more precise bugzilla component for changes under modules/libpref/ is Core::Preferences::Backend. (I haven't looked at all of the patches so I don't know if there are any changes here to the frontend part of the preferences code.)

Comment 15

[Tom Ritter [:tjr] (OOTO until 4/30 at least)]

All this behavior is off-by-default, so I'm going to try to land it and then let a few people opt-in for testing.

Comment 16

[Pulsebot]

Pushed by tritter@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/1a875dc06058
Add in a sanitize property for prefs, and only serialize the user value if we're not sanitized r=KrisWright
https://hg.mozilla.org/integration/autoland/rev/26796b527442
Rename references to parent-only pref structures r=KrisWright
https://hg.mozilla.org/integration/autoland/rev/be908bb7a985
Move ShouldSyncPreferences to Preferences module r=KrisWright
https://hg.mozilla.org/integration/autoland/rev/8de253223dbc
Rename ShouldSyncPreference to ShouldSanitizePreference r=necko-reviewers,KrisWright,dragana
https://hg.mozilla.org/integration/autoland/rev/b10197a1ed67
Remove browser.startup from blocklist r=KrisWright
https://hg.mozilla.org/integration/autoland/rev/a8832dc94d1b
Remove the blocklisting check in ::OnPreferenceChange r=KrisWright
https://hg.mozilla.org/integration/autoland/rev/593e5e138927
Improve the blocklisting behavior r=KrisWright
https://hg.mozilla.org/integration/autoland/rev/e8b2a80aa796
Crash if a pref is accessed that shouldn't be r=KrisWright
https://hg.mozilla.org/integration/autoland/rev/7fb5f0cc44f6
Add preferences that control whether we send user data and/or crash r=KrisWright
https://hg.mozilla.org/integration/autoland/rev/5c475692133f
Do not sanitize anything for non-content processes r=KrisWright

Comment 17

[Narcis Beleuzu [:NarcisB]]

Backed out for bc failures on browser_preferences_usage.js

Backout link: https://hg.mozilla.org/integration/autoland/rev/a21551df7a4225ebf3b5bd6d0813453fd77f160a
Log link: https://treeherder.mozilla.org/logviewer?job_id=368966613&repo=autoland&lineNumber=4602

Comment 18

[Tom Ritter [:tjr] (OOTO until 4/30 at least)]

Attachment: Bug 1752332 - Optimize the crash checks in Check*Value functions r?kriswright

We busted browser_preferences_usage.js by looking up a
preference too many times.

I think that the reason we are now exceeding the pref-reading
limit for this pref is that the new HasDefaultValue function
does a pref lookup that counts against the limit.
ShouldSanitizePreference calls HasDefaultValue.

We can optimize the code to avoid that extra pref lookup; at
the expense of externalizing some of the logic of
ShouldSanitizePreference into the callsites. We do this and
add comments indicating that if things change in the future,
both need to be updated.

Comment 19

[Tom Ritter [:tjr] (OOTO until 4/30 at least)]

Attachment: Bug 1752332: Add a sanitized property to prefs r?kriswright

Comment 20

[Tom Ritter [:tjr] (OOTO until 4/30 at least)]

Attachment: Bug 1752332: Rename references to parent-only pref structures r?kriswright

We're going to be using them in more contexts, so generalize
the name.

Comment 21

[Tom Ritter [:tjr] (OOTO until 4/30 at least)]

Attachment: Bug 1752332: Move ShouldSyncPreferences to Preferences module r?kriswright

Depends on D141409

Comment 22

[Tom Ritter [:tjr] (OOTO until 4/30 at least)]

Attachment: Bug 1752332: Tell ShouldSyncPreference if the destination is a web content process r?kriswright

A couple places where it might be a web content process
still pass 'false' - this will be corrected in a later
patch.

Depends on D141410

Comment 23

[Tom Ritter [:tjr] (OOTO until 4/30 at least)]

Attachment: Bug 1752332: Rename ShouldSyncPreference to ShouldSanitizePreference r?kriswright

This simplifies the number of negations needed,
and makes things easy to understand. I think
anyway; I know that without renaming it I made
several annoying-to-diagnose negation errors...

Depends on D141411

Comment 24

[Tom Ritter [:tjr] (OOTO until 4/30 at least)]

Attachment: Bug 1752332: Correctly populate the sanitized bit for PreferenceUpdate r?kriswright

PreferenceUpdate is the IPC message notifying a child process
that a preference has been updated. To correctly decide whether
or not a value should be sanitized in it, we need to know
what type of destination process it is; we add parameters to
Preferences::GetPreference indicating that.

Inside of ToDomPref we call ShouldSanitizePreference to
correctly populate the sanitized bit.

Depends on D141412

Comment 25

[Tom Ritter [:tjr] (OOTO until 4/30 at least)]

Attachment: Bug 1752332: Remove some prefs from the blocklist r?kriswright

Depends on D141413

Comment 26

[Tom Ritter [:tjr] (OOTO until 4/30 at least)]

Attachment: Bug 1752332: Remove the blocklisting check in ::OnPreferenceChange r?kriswright

Now that we send everything (except sometimes the user value
is sanitized) we should no longer perform this check.

This is also good because it eliminates security code you
have to have (and thus accidently omitting it is a
vulnerability) and changes it to security code that happens
automatically, and is enforced by the compiler (via mandatory
ctor argument.)

Depends on D141414

Comment 27

[Tom Ritter [:tjr] (OOTO until 4/30 at least)]

Attachment: Bug 1752332: Make SerializePreferences correctly sanitize preferences r?kriswright

To do the correct thing in Preferences::SerializePreferences
(which is used during subprocess startup) we need to know if
the destination process is a web content process or not.
We add parameters to
SharedPreferenceSerializer::SerializeToSharedMemory that let
us figure that out.

In Preferences::SerializePreferences we fix the call to
aShouldSanitizeFn to pass the correct destination.

Depends on D141415

Comment 28

[Tom Ritter [:tjr] (OOTO until 4/30 at least)]

Attachment: Bug 1752332: Improve the blocklisting behavior r?kriswright

For all subprocesses, if a preference is in the blocklist,
sanitize it. (This preserves the IPC optimization behavior,
kind of. We now generate IPC traffic when we didn't before,
but we omit the value. Values were previously capped at 4 KiB
now they're 0 bytes.)

For Web Content processes, we sanitize a preference if it is
in the blocklist, or if does not have a Default value (i.e.
it is dynamically named). There is an exception list for
dynamically named preferences we know we need though.

In subprocesses, we know if a preference was sanitized
by checking its Sanitized bit.

Depends on D141416

Comment 29

[Tom Ritter [:tjr] (OOTO until 4/30 at least)]

Attachment: Bug 1752332: Crash if a pref is accessed that shouldn't be r?kriswright

Depends on D141417

Comment 30

[Tom Ritter [:tjr] (OOTO until 4/30 at least)]

Attachment: Bug 1752332: Add preferences that control whether we send user data and/or crash r?kriswright

Depends on D141418

Comment 31

[Tom Ritter [:tjr] (OOTO until 4/30 at least)]

Attachment: Bug 1752332: Remove the shouldSanitizeFunction member r?kriswright

In the following patch we are going to change the signature of
ShouldSanitizePreference to take a Pref object. Pref is only
known to the Preferences compilation unit; so to keep this member
(whose signature will change) we would need to expose the Pref
class. However it will only be a forward declaration, one could
not construct a Pref object in e.g. the gtest.

It is simpler to just remove the member entirely and call
ShouldSanitizePreference unconditionally - the member was only
used for the gtest, and while the gtest will be less robust
because of this change, it will still do some testing.

Depends on D141419

Comment 32

[Tom Ritter [:tjr] (OOTO until 4/30 at least)]

Attachment: Bug 1752332: Optimize the crash checks in Check*Value functions r?kriswright

We busted browser_preferences_usage.js by looking up a
preference too many times.

The reason we are now exceeding the pref-reading limit for
this pref is that inside ShouldSanitizePreference all of
our calls to Preferences::Something(pref_name) are causing
pref lookups. Most of the time when we are in
ShouldSanitizePreference, we got there from a place that has
the actual pref object; so change the function to take in a
Pref object.

Unfortunately, there is a place we do need to look it up
by name, and that's in Static Pref getters, so we need to
keep that function around (and expose it in Preferences.h)

To minimize code duplication (i.e. not having the exact same
code for ShouldSanitizePreference(Pref) and
ShouldSanitizePreference(PrefWrapper) we do some templating
tricks because even though they expose the same API, they are
not in a class hierarchy where we could just make one function
for a base class.

Depends on D141420

Comment 33

[Tom Ritter [:tjr] (OOTO until 4/30 at least)]

Attachment: Bug 1752332: Sanitize preferences in the shared memory region r?kriswright

Before we would stick all prefs into an immutable shared memory
region and clear our HashMap.

Now we will stick all non-sanitized prefs into the immutable
shared memory region, save the sanitized prefs in a list
temporarily, clear the hashmap, and then repopulate the hashmap
with the sanitized prefs.

As a bit of underlying complexity, to do this we must do some
tricks with the Pref Name Arena which is a chunk of memory
dedicated to storing pref names. That goes away (and we want to
wipe it to save space) - so we just need to move the sanitized
pref names to a new arena.

Depends on D141421

Comment 34

[Tom Ritter [:tjr] (OOTO until 4/30 at least)]

Attachment: Bug 1752332: Update the preferences documentation r?kriswright

Depends on D141422

Comment 35

[Tom Ritter [:tjr] (OOTO until 4/30 at least)]

If anyone ever ends up here in the future doing bug archaeology; https://bugzilla.mozilla.org/show_bug.cgi?id=1751936#c9 and below are relevant to understanding how the above patches came about.

Comment 36

[Tom Ritter [:tjr] (OOTO until 4/30 at least)]

Alright; I rebased and fixed a few issues that popped up and got a try run where all the failures seemed to be intermittents...

Comment 37

[Pulsebot]

Pushed by tritter@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/4944ae34f15b
Add a sanitized property to prefs r=KrisWright
https://hg.mozilla.org/integration/autoland/rev/deadcb975866
Rename references to parent-only pref structures r=KrisWright
https://hg.mozilla.org/integration/autoland/rev/9dfd530f26b8
Move ShouldSyncPreferences to Preferences module r=KrisWright
https://hg.mozilla.org/integration/autoland/rev/185026a397b0
Tell ShouldSyncPreference if the destination is a web content process r=KrisWright
https://hg.mozilla.org/integration/autoland/rev/ce809df435e1
Rename ShouldSyncPreference to ShouldSanitizePreference r=KrisWright
https://hg.mozilla.org/integration/autoland/rev/22c6c04046b1
Correctly populate the sanitized bit for PreferenceUpdate r=KrisWright
https://hg.mozilla.org/integration/autoland/rev/01ca344dedbf
Remove some prefs from the blocklist r=KrisWright
https://hg.mozilla.org/integration/autoland/rev/26707a82d896
Remove the blocklisting check in ::OnPreferenceChange r=KrisWright
https://hg.mozilla.org/integration/autoland/rev/061cdf612d0e
Make SerializePreferences correctly sanitize preferences r=KrisWright,necko-reviewers,dragana
https://hg.mozilla.org/integration/autoland/rev/d72dc14eeafd
Improve the blocklisting behavior r=KrisWright
https://hg.mozilla.org/integration/autoland/rev/ab5c00d2fb02
Crash if a pref is accessed that shouldn't be r=KrisWright
https://hg.mozilla.org/integration/autoland/rev/52f6b46250a3
Add preferences that control whether we send user data and/or crash r=KrisWright
https://hg.mozilla.org/integration/autoland/rev/258d19fe4e28
Remove the shouldSanitizeFunction member r=KrisWright
https://hg.mozilla.org/integration/autoland/rev/d37dec5c0d9e
Optimize the crash checks in Check*Value functions r=KrisWright
https://hg.mozilla.org/integration/autoland/rev/10ac6886fa5e
Sanitize preferences in the shared memory region r=KrisWright
https://hg.mozilla.org/integration/autoland/rev/ec6a5f016318
Update the preferences documentation r=KrisWright

Comment 38

[Cristian Tuns]

Backed out for causing multiple failures on StaticPrefList_media.h

• Backout link
• Push with failures
• Failure Log
• Failure line: Assertion failure: ((bool)(__builtin_expect(!!(!NS_FAILED_impl(rv)), 1))), at /builds/worker/workspace/obj-build/dist/include/mozilla/StaticPrefList_media.h:260

Comment 39

[Tom Ritter [:tjr] (OOTO until 4/30 at least)]

Okay; I believe that's fixed...

Comment 40

[Pulsebot]

Pushed by tritter@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/e40a778cb93f
Add a sanitized property to prefs r=KrisWright
https://hg.mozilla.org/integration/autoland/rev/1b4d316e7f20
Rename references to parent-only pref structures r=KrisWright
https://hg.mozilla.org/integration/autoland/rev/ef50d2618c7f
Move ShouldSyncPreferences to Preferences module r=KrisWright
https://hg.mozilla.org/integration/autoland/rev/eec507d87b2b
Tell ShouldSyncPreference if the destination is a web content process r=KrisWright
https://hg.mozilla.org/integration/autoland/rev/8566711743a8
Rename ShouldSyncPreference to ShouldSanitizePreference r=KrisWright
https://hg.mozilla.org/integration/autoland/rev/4b04bf33486e
Correctly populate the sanitized bit for PreferenceUpdate r=KrisWright
https://hg.mozilla.org/integration/autoland/rev/a74095dfe3da
Remove some prefs from the blocklist r=KrisWright
https://hg.mozilla.org/integration/autoland/rev/21f015b60220
Remove the blocklisting check in ::OnPreferenceChange r=KrisWright
https://hg.mozilla.org/integration/autoland/rev/2b78f295d903
Make SerializePreferences correctly sanitize preferences r=KrisWright,necko-reviewers,dragana
https://hg.mozilla.org/integration/autoland/rev/1bc4f1780f37
Improve the blocklisting behavior r=KrisWright
https://hg.mozilla.org/integration/autoland/rev/c184c517de91
Crash if a pref is accessed that shouldn't be r=KrisWright
https://hg.mozilla.org/integration/autoland/rev/aeb79413e987
Add preferences that control whether we send user data and/or crash r=KrisWright
https://hg.mozilla.org/integration/autoland/rev/5b9bbe252fec
Remove the shouldSanitizeFunction member r=KrisWright
https://hg.mozilla.org/integration/autoland/rev/7d159898e81d
Optimize the crash checks in Check*Value functions r=KrisWright
https://hg.mozilla.org/integration/autoland/rev/8d2932869cbd
Sanitize preferences in the shared memory region r=KrisWright
https://hg.mozilla.org/integration/autoland/rev/2523f5463789
Update the preferences documentation r=KrisWright

Comment 41

[Cristian Tuns]

Backed out for causing gtest failures.

• Backout link
• Push with failures
• Failure Log
• Failure line: TEST-UNEXPECTED-FAIL | PrefsBasics.Serialize | Expected: (nullptr) != (strstr(str.Data(), "S-S:36/media.gmp-manager.certs.1.commonName")), actual: (nullptr) vs NULL @ /builds/worker/checkouts/gecko/modules/libpref/test/gtest/Basics.cpp:54

Comment 42

[Tom Ritter [:tjr] (OOTO until 4/30 at least)]

okay, fixed, try run's green, let's try again.

Comment 43

[Pulsebot]

Pushed by tritter@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/3ce1d0529b34
Add a sanitized property to prefs r=KrisWright
https://hg.mozilla.org/integration/autoland/rev/ce9e1254e82f
Rename references to parent-only pref structures r=KrisWright
https://hg.mozilla.org/integration/autoland/rev/2dadbfd0b1d7
Move ShouldSyncPreferences to Preferences module r=KrisWright
https://hg.mozilla.org/integration/autoland/rev/0e70bf8ca3e4
Tell ShouldSyncPreference if the destination is a web content process r=KrisWright
https://hg.mozilla.org/integration/autoland/rev/61b6a151b215
Rename ShouldSyncPreference to ShouldSanitizePreference r=KrisWright
https://hg.mozilla.org/integration/autoland/rev/f48f4c1b0784
Correctly populate the sanitized bit for PreferenceUpdate r=KrisWright
https://hg.mozilla.org/integration/autoland/rev/e5d5d24b0f3b
Remove some prefs from the blocklist r=KrisWright
https://hg.mozilla.org/integration/autoland/rev/fe8f3e1c43b0
Remove the blocklisting check in ::OnPreferenceChange r=KrisWright
https://hg.mozilla.org/integration/autoland/rev/322bbf59820a
Make SerializePreferences correctly sanitize preferences r=KrisWright,necko-reviewers,dragana
https://hg.mozilla.org/integration/autoland/rev/6320b4b3d12d
Improve the blocklisting behavior r=KrisWright
https://hg.mozilla.org/integration/autoland/rev/33fb4d7c0f3c
Crash if a pref is accessed that shouldn't be r=KrisWright
https://hg.mozilla.org/integration/autoland/rev/1e3858df144d
Add preferences that control whether we send user data and/or crash r=KrisWright
https://hg.mozilla.org/integration/autoland/rev/1ca918455158
Remove the shouldSanitizeFunction member r=KrisWright
https://hg.mozilla.org/integration/autoland/rev/c9c556d2f676
Optimize the crash checks in Check*Value functions r=KrisWright
https://hg.mozilla.org/integration/autoland/rev/090719a92e33
Sanitize preferences in the shared memory region r=KrisWright
https://hg.mozilla.org/integration/autoland/rev/1e57c99c133b
Update the preferences documentation r=KrisWright

Comment 44

[Cosmin Sabou [:CosminS]]

Backed out for causing unrooted hazard failures.

Push with failures: https://treeherder.mozilla.org/jobs?repo=autoland&group_state=expanded&resultStatus=pending%2Crunning%2Csuccess%2Ctestfailed%2Cbusted%2Cexception%2Cusercancel&searchStr=linux%2Cx64%2Cdebug%2Chazard-linux64-haz%2Fdebug%2Ch&fromchange=90163c3d84b39fa0aefa75549eab716dafe759fe&tochange=7851294d88abe8f88a3e4d52b09cfc55b8bfaa33&selectedTaskRun=UAB06aGCR8y5AW0pyeMVsA.0

Failure log: https://treeherder.mozilla.org/logviewer?job_id=375341706&repo=autoland

Backout link: https://hg.mozilla.org/integration/autoland/rev/63fc025d4d908e0aa8e48cc7be4196b5d0e35b60

Comment 45

[Tom Ritter [:tjr] (OOTO until 4/30 at least)]

Attachment: Bug 1752332: Suppress Hazard warnings due to hash table function pointers r?sfink

Depends on D141423

Comment 46

[Tom Ritter [:tjr] (OOTO until 4/30 at least)]

Giving another try at landing this

Comment 47

[Pulsebot]

Pushed by tritter@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/a2d5880b528f
Add a sanitized property to prefs r=KrisWright
https://hg.mozilla.org/integration/autoland/rev/b580c2a3bac0
Rename references to parent-only pref structures r=KrisWright
https://hg.mozilla.org/integration/autoland/rev/a89203990075
Move ShouldSyncPreferences to Preferences module r=KrisWright
https://hg.mozilla.org/integration/autoland/rev/d2e748ccd01c
Tell ShouldSyncPreference if the destination is a web content process r=KrisWright
https://hg.mozilla.org/integration/autoland/rev/22b910308ecd
Rename ShouldSyncPreference to ShouldSanitizePreference r=KrisWright
https://hg.mozilla.org/integration/autoland/rev/d165042105ea
Correctly populate the sanitized bit for PreferenceUpdate r=KrisWright
https://hg.mozilla.org/integration/autoland/rev/ce93b08837d2
Remove some prefs from the blocklist r=KrisWright
https://hg.mozilla.org/integration/autoland/rev/3e60b77153a3
Remove the blocklisting check in ::OnPreferenceChange r=KrisWright
https://hg.mozilla.org/integration/autoland/rev/dd02b8ef0219
Make SerializePreferences correctly sanitize preferences r=KrisWright,necko-reviewers,dragana
https://hg.mozilla.org/integration/autoland/rev/f9d6bc72406f
Improve the blocklisting behavior r=KrisWright
https://hg.mozilla.org/integration/autoland/rev/e1dcb4c7cb88
Crash if a pref is accessed that shouldn't be r=KrisWright
https://hg.mozilla.org/integration/autoland/rev/46ea5b4f9ad3
Add preferences that control whether we send user data and/or crash r=KrisWright
https://hg.mozilla.org/integration/autoland/rev/1ff8656b362d
Remove the shouldSanitizeFunction member r=KrisWright
https://hg.mozilla.org/integration/autoland/rev/022a68e8d603
Optimize the crash checks in Check*Value functions r=KrisWright
https://hg.mozilla.org/integration/autoland/rev/69cbec3e9a11
Sanitize preferences in the shared memory region r=KrisWright
https://hg.mozilla.org/integration/autoland/rev/2d794b61fbf7
Update the preferences documentation r=KrisWright
https://hg.mozilla.org/integration/autoland/rev/eaa4213b9e08
Suppress Hazard warnings due to hash table function pointers r=sfink

Comment 48

[Atila Butkovits]

Backed out for causing crashes at JS::AutoAssertNoGC::AutoAssertNoGC(JSContext*).

Backout link: https://hg.mozilla.org/integration/autoland/rev/d3c93cbf97d19ea79104f697cd3c8e3028b92b33

Push with failures: https://treeherder.mozilla.org/jobs?repo=autoland&resultStatus=testfailed%2Cbusted%2Cexception%2Cretry%2Cusercancel&revision=eaa4213b9e08455979861b31f1b8dd8f78afead5&selectedTaskRun=bTJNczhzS5OOMicXToFvKg.0

Failure log:
https://treeherder.mozilla.org/logviewer?job_id=375676599&repo=autoland&lineNumber=4505
https://treeherder.mozilla.org/logviewer?job_id=375676599&repo=autoland&lineNumber=4505
https://treeherder.mozilla.org/logviewer?job_id=375677114&repo=autoland&lineNumber=17335

Comment 49

[Tom Ritter [:tjr] (OOTO until 4/30 at least)]

Once Bug 1766381 lands, I can reland this.

Comment 50

[Pulsebot]

Pushed by tritter@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/e9f0c59af60a
Add a sanitized property to prefs r=KrisWright
https://hg.mozilla.org/integration/autoland/rev/f920aa7e10ee
Rename references to parent-only pref structures r=KrisWright
https://hg.mozilla.org/integration/autoland/rev/a8c7a3fb8979
Move ShouldSyncPreferences to Preferences module r=KrisWright
https://hg.mozilla.org/integration/autoland/rev/2645ce66e4eb
Tell ShouldSyncPreference if the destination is a web content process r=KrisWright
https://hg.mozilla.org/integration/autoland/rev/bfe9ec21265d
Rename ShouldSyncPreference to ShouldSanitizePreference r=KrisWright
https://hg.mozilla.org/integration/autoland/rev/674d21f5ef9c
Correctly populate the sanitized bit for PreferenceUpdate r=KrisWright
https://hg.mozilla.org/integration/autoland/rev/c4005c136bc8
Remove some prefs from the blocklist r=KrisWright
https://hg.mozilla.org/integration/autoland/rev/baf63e3988b3
Remove the blocklisting check in ::OnPreferenceChange r=KrisWright
https://hg.mozilla.org/integration/autoland/rev/0547ca4f6396
Make SerializePreferences correctly sanitize preferences r=KrisWright,necko-reviewers,dragana
https://hg.mozilla.org/integration/autoland/rev/e08344bb3e98
Improve the blocklisting behavior r=KrisWright
https://hg.mozilla.org/integration/autoland/rev/ab581def9c6a
Crash if a pref is accessed that shouldn't be r=KrisWright
https://hg.mozilla.org/integration/autoland/rev/eafd5e87610f
Add preferences that control whether we send user data and/or crash r=KrisWright
https://hg.mozilla.org/integration/autoland/rev/b7d958f0b034
Remove the shouldSanitizeFunction member r=KrisWright
https://hg.mozilla.org/integration/autoland/rev/4610f070c355
Optimize the crash checks in Check*Value functions r=KrisWright
https://hg.mozilla.org/integration/autoland/rev/0c2e8586a0c9
Sanitize preferences in the shared memory region r=KrisWright
https://hg.mozilla.org/integration/autoland/rev/d7155101cf54
Update the preferences documentation r=KrisWright
https://hg.mozilla.org/integration/autoland/rev/6e78cd06efbc
Suppress Hazard warnings due to hash table function pointers r=sfink

Comment 51

[Andreea Pavel [:apavel]]

https://hg.mozilla.org/mozilla-central/rev/e9f0c59af60a
https://hg.mozilla.org/mozilla-central/rev/f920aa7e10ee
https://hg.mozilla.org/mozilla-central/rev/a8c7a3fb8979
https://hg.mozilla.org/mozilla-central/rev/2645ce66e4eb
https://hg.mozilla.org/mozilla-central/rev/bfe9ec21265d
https://hg.mozilla.org/mozilla-central/rev/674d21f5ef9c
https://hg.mozilla.org/mozilla-central/rev/c4005c136bc8
https://hg.mozilla.org/mozilla-central/rev/baf63e3988b3
https://hg.mozilla.org/mozilla-central/rev/0547ca4f6396
https://hg.mozilla.org/mozilla-central/rev/e08344bb3e98
https://hg.mozilla.org/mozilla-central/rev/ab581def9c6a
https://hg.mozilla.org/mozilla-central/rev/eafd5e87610f
https://hg.mozilla.org/mozilla-central/rev/b7d958f0b034
https://hg.mozilla.org/mozilla-central/rev/4610f070c355
https://hg.mozilla.org/mozilla-central/rev/0c2e8586a0c9
https://hg.mozilla.org/mozilla-central/rev/d7155101cf54
https://hg.mozilla.org/mozilla-central/rev/6e78cd06efbc