APZCTreeManager::PrepareNodeForLayer creates a AsyncPanZoomController but doesn't store it in an owning RefPtr
Categories
(Core :: Panning and Zooming, defect)
Tracking
()
People
(Reporter: dholbert, Assigned: botond)
Details
(Keywords: sec-other, Whiteboard: [adv-main120-])
Attachments
(1 file)
While poking around AsyncPanZoomController lifetime to try to understand bug 1853246, I noticed a case where we create an AsyncPanZoomController instance without putting it in an owning RefPtr (or otherwise ensuring that it has a nonzero refcount). This could create dangerous situations; if its refcount is left at zero, then it's "unstable" in the sense that any temporary RefPtr stack-variable that it happens to get stored in (e.g. buried in some helper function somewhere) will destroy the object when that temporary goes out of scope.
Here's what I'm looking at in particular:
https://searchfox.org/mozilla-central/rev/d436104fc6c31677b08a851796bead25153be699/gfx/layers/apz/src/APZCTreeManager.cpp#1158,1229
AsyncPanZoomController* apzc = nullptr;
...
apzc = NewAPZCInstance(aLayersId, geckoContentController);
That call to NewAPZCInstance() is just a wrapper for new AsyncPanZoomController, which probably returns an object with zero refcount (as all refcounted objects start out), which expects to be stored in an owning reference in order to keep it reliably alive.
botond, could you take a look here? I'm not sure what object eventually gets an owning reference[1] to the freshly-allocated apzc, but maybe we should make that ownership-transfer a bit more immediate/explicit right after construction? (We might want to make NewAPZCInstance to return an already_AddRefed type to nudge the caller to take ownership immediately, too).
Alternately/also, maybe the local variable apzc should be a RefPtr; but that's potentially unnecessary for cases where we're not freshly allocating. And it'd probably be unnecessary for this case where we are freshly allocating, too, if we get the object to its owner ASAP.
[1] side note RE persistent references to this object: in some cases this fresh apzc might be kept alive by its own mGestureEventListener member (which has a RefPtr back to it and hence gives it a refcount of 1 instead of 0, for as long as mGestureEventListener is alive); but it also might not, since in some cases we leave its mGestureEventListener member-var unset. From a quick skim of this code, I'm not sure what else, if anything, ends up with an owning reference to it.
|
Assignee | |
Comment 1•2 years ago
|
||
Thanks for the analysis. I don't think there's an actual lifetime issue here, as the HitTestingTreeNode takes ownership of the AsyncPanZoomController pretty promptly on this line, but we can make that more explicit in the code.
|
|
Assignee | |
Comment 2•2 years ago
|
||
|
||
Comment 3•2 years ago
|
||
sec-other based on comment 1: keeping hidden while we continue to audit similar code to bug 1853246
|
||
Comment 5•2 years ago
|
||
|
||
Updated•2 years ago
|
|
||
Updated•2 years ago
|
|
|
||
Updated•1 year ago
|
|
|
||
Comment 6•1 year ago
|
||
Bulk-unhiding security bugs fixed in Firefox 119-121 (Fall 2023). Use "moo-doctrine-subsidy" to filter
Description
•