Closed Bug 1839621 Opened 2 years ago Closed 2 months ago

Remove raw pointers for Notification codes.

Categories

(Core :: DOM: Notifications, defect, P2)

Product:
Core
Component:
DOM: Notifications
Type:
defect

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1931497

People

(Reporter: edenchuang, Assigned: edenchuang)

References

Details

Attachments

(1 file)

WIP: Bug 1839621 - P1 remove CheckedUnsafePtr<WorkerPrivate> in Notification code. r=#dom-worker-reviewers
48 bytes, text/x-phabricator-request
Details | Review

https://searchfox.org/mozilla-central/search?q=symbol:T_mozilla%3A%3Adom%3A%3ANotification&redirect=false

After WorkerRunnable refactoring (bug 1800659) landed, some assumptions are not valid anymore. Raw pointers in Notification codes could cause the problem and need to be fixed.

Severity: -- → S3
Priority: -- → P2

Assuming this is about replacing Notification* with RefPtr<Notification>.

Keywords: good-first-bug

It is a little bit more complicated than just replacing Notification* with RefPtr<Notification>

The root cause is the Notification code assumes that all NotificationWorkerRunnables execute Cancel() After a StrongWorkerRef gets a worker shutdown notification. And NotificationWorkerRunnable::Cancel() does nothing.

However, after bug 1800659, instead of calling Cancel(), call WorkerRun() to release resources. And NotificationWorkerRunnable::WorkerRun() could access some already released resources during WorkerRef::Notify(). So we meet UAF/Crash on these resources accessing.
This means the Notification code does not guarantee that NotificatiionWorkerRunnable's lifecycle is covered by a StrongWorkerRef. The StrongWorkerRef is freed too early in the Notification code.

Bug 1839231 and bug 1850843 change the NotificationWorkerRunnable's behavior to keep it doing nothing once the StrongWorkerRef is released by checking passed in WorkerPrivate's status. However, we should make the Notification code follow the Worker life-cycle policy(Always ensure the WorkerRunnable's life-cycle is covered by a StrongWorkerRef)

Replacing Notification* with RefPtr<Notification> should be one of the goals of this bug.

Keywords: good-first-bug

Thanks, that sounds like this needs one who is sufficiently expert in workers and runnables, are you going to work on this in the near future or do you want me to take a look?

Flags: needinfo?(echuang)

Thanks for asking, I will work on it.

Flags: needinfo?(echuang)

Thanks!

Assignee: nobody → echuang

Eden thinks this may allow removing NotificationRef.

Blocks: 1880300
Component: DOM: Push Subscriptions → DOM: Notifications

Or maybe bug 1894231 will cover this? 👀

Blocks: 1894231

Fixed by bug 1931497.

Status: NEW → RESOLVED
Closed: 2 months ago
Duplicate of bug: 1931497
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: