Closed Bug 1886889 Opened 1 year ago Closed 1 year ago

Audit unused message manager message listeners

Categories

(Firefox :: Security, task)

Product:
Firefox
Component:
Security
Type:
task

Tracking

()

Status:
RESOLVED INCOMPLETE

People

(Reporter: mccr8, Assigned: mccr8)

References

(Depends on 1 open bug)

Details

(Keywords: sec-audit)

Attachments

(3 files)

Bug 1886889 - Log when parent adds message listeners or gets messages.
48 bytes, text/x-phabricator-request
Details | Review
log analyzer script
1.19 KB, text/plain
Details
message manager listeners that don't get messages
2.63 KB, text/plain
Details

One interesting thing about bug 1886852 is that it involves message manager listeners that are completely dead code. We could log when listeners are added and messages are received, in the parent process, do that across a full try push, and hopefully get a small-ish list of potential things to audit. (This could also happen for JS actor messages, but those are much newer and thus less likely to have cruft.)

Attached file log analyzer script

Here's a basic analyzer which will produce a list of listeners that never got anything, and messages where nobody was registered. The latter turned up child-process-shutdown which ContentParent produces but nothing seems to listen to, for whatever that is worth.

Assignee: nobody → continuation

The TLDR is that the non-sessions store ones all have at least SOME test coverage, except for Push:Clear and Push:ReportError.

I filed bug 1887014 about the two Push messages not having coverage.

It might be worth checking whether the various unused messages are actually used in scenarios you'd expect them, eg the JSON viewer save.

Depends on: 1887014
Depends on: 1887230

(In reply to Andrew McCreight [:mccr8] from comment #5)

It might be worth checking whether the various unused messages are actually used in scenarios you'd expect them, eg the JSON viewer save.

bug 1872307 is maybe relevant here. Also potentially bug 1562051 comment 4.

The severity field is not set for this bug.
:serg, could you have a look please?

For more information, please visit BugBot documentation.

Flags: needinfo?(sgalich)
Severity: -- → N/A
Type: defect → task
Flags: needinfo?(sgalich)

There's nothing obviously bad left. This probably isn't going anywhere further at this point.

Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → INCOMPLETE
Group: firefox-core-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: