Closed Bug 292962 Opened 19 years ago Closed 18 years ago

Need to sort out policy on DOM access in cached documents

Categories

(Core :: DOM: Navigation, defect)

Product:
Core
Component:
DOM: Navigation
Type:
defect
Priority:
Not set
Severity:
major

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla1.8beta4

People

(Reporter: bzbarsky, Assigned: sicking)

References

Details

(Keywords: fixed1.8, Whiteboard: [ETA ?])

Attachments

(5 files, 5 obsolete files)

Fix remaining issues v2
21.70 KB, patch
bryner
: review+
bryner
: superreview+
Details | Diff | Splinter Review
testcase file 1
417 bytes, text/html
Details
testcase file 2
761 bytes, text/html
Details
testcase file 3
91 bytes, text/html
Details
branch patch with better wording
3.00 KB, patch
asa
: approval1.8rc1+
Details | Diff | Splinter Review 
Specifically, need to figure out what happens on DOM method calls, on DOM
mutations, etc, etc.

Note that the current fastback/bfcache code assumes the DOM won't mutate, and
probably crashes if it does mutate in certain ways (it's holding weak refs to
docshells that are only kept alive by the DOM in question and which can lose the
ref from the DOM if the frame elements are removed).
Blocks: blazinglyfastback
I have a patch in the works for this, needs a bit more testing.
Attached patch patch to fix (obsolete) — Splinter Review 
I had to add the mDocument member because some callsites first calls Destroy()
on the contentviewer before calling SetContentViewer(nsnull) on the SHEntry. In

that case we wouldn't be able to get to the document to remove ourselvs as
observer causing the document to have a dangling pointer once the SHEntry goes
away.

The PLEvent fixes two problems. First of all we don't want to risk dropping the

last reference to the contentviewer during mutation causing the contentviewer
and document to die. Second, calling Destroy on the viewer during mutation
seemed to remove some other documentobservers (probably the presshell). The
notification code can't deal with observers other then the current one being
removed during notification.
Assignee: nobody → bugmail
Status: NEW → ASSIGNED
Attachment #187179 - Flags: superreview?(bryner)
Attachment #187179 - Flags: review?(bryner)
Attachment #187179 - Flags: superreview?(bryner)
Attachment #187179 - Flags: superreview+
Attachment #187179 - Flags: review?(bryner)
Attachment #187179 - Flags: review+
Comment on attachment 187179 [details] [diff] [review]
patch to fix

requesting approval
Attachment #187179 - Flags: approval1.8b3?
Comment on attachment 187179 [details] [diff] [review]
patch to fix

a=chofmann
Attachment #187179 - Flags: approval1.8b3? → approval1.8b3+
checked in
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Attached file testcase file 1 (obsolete) — 
Just attaching the testcases I used to test this so that they don't get lost
Sorry, that patch doesn't fix the bug as filed.  It fixes the "DOM mutations"
case, but doesn't address "DOM method calls", which is just as big an issue (and
can have security implications unless we've audited every single DOM method to
ensure that things are OK).

If there's a followup bug filed on the remainder of the work here, please feel
free to reresolve this one, but let me know what the new bug is.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
what DOM calls are you reffering to?

I can think of two classes of calls:

1. Pure access methods like getElementsByTagName() and getElementById()
2. Navigational methods like link.click() and form.submit()

1 I don't think is a problem and should be allowed. 2 I thought we had a
separate bug on though I can't find it right now.


You missed at least:

3.  Other calls that use the docshell (not explicitly for navigational
    purposes).  Are these currently enabled in bfcached documents?
4.  Calls that use the presentation (computed style, offset*, scrolling to a 
    particular element, etc, etc).
5.  Event dispatch (really not sure what the behavior should be here).

I can't think of obvious things in category 3, but I wouldn't bet there aren't
any.  For example, some of our security checks require a docshell at the moment.

We need to decide on what the behavior for these should be, and specifically
whether it should differ between documents that are in bfcache and documents
that aren't but have been navigated away from (and if so how).
Looking at the patch in more detail, I'm also a little worried by script that
mutates the old document and then calls history.back().  This will make part of
the back() happen before our PLEvent fires (and part after, if I recall the
control flow for bfcache correctly).  Which means that we would partially
restore a presentation, then get it wiped out, then proceed to do some more
restoring on the same presentation...
Pulling into b4 for investigation.
Target Milestone: --- → mozilla1.8beta4
I'm on this one, i hope to have some code ready this weekend.
Flags: blocking1.8b4+
Whiteboard: [ETA ?]
Any update here?  Triaging for 1.5.
Assignee: bugmail → nobody
Status: REOPENED → NEW
Flags: blocking1.8b5+
Sicking are you still on this?
Assignee: nobody → bugmail
Flags: blocking1.8b5+
Johnny and BZ, it seems Jonas is away. Any chance you guys can tackle this problem?
Not for at least a few weeks in my case.  I'm swamped with existing 1.8b5
blockers (not bfcache dependent) and teaching.
Ok, i'm out of my hole. Back to me.
Jonas, any progress here? Time is short for 1.5.
I've got a mostly working patch, but it needs a bit more testing. Will attach
tomorrow.
Attached patch Fix remaining issues (obsolete) — Splinter Review 
This should take care of the remaining issues I hope. I've beaten this hard and
it seems to behave properly.

While the document is in the bf cache it is unaware of its presshells which
seems to make it behave exactly as a document that doesn't have any
presentation at all.
Attachment #187179 - Attachment is obsolete: true
Attachment #198313 - Flags: superreview?(bryner)
Attachment #198313 - Flags: review?(bryner)
Comment on attachment 198313 [details] [diff] [review]
Fix remaining issues

>--- content/base/src/nsDocument.cpp	24 Sep 2005 18:43:08 -0000	3.585
>+++ content/base/src/nsDocument.cpp	3 Oct 2005 15:06:52 -0000
>@@ -1520,12 +1523,43 @@ nsDocument::GetNumberOfShells() const
> nsIPresShell *
> nsDocument::GetShellAt(PRUint32 aIndex) const
> {
>   return (nsIPresShell*)mPresShells.SafeElementAt(aIndex);
> }
> 
>+nsresult
>+nsDocument::SetShellsHidden(PRBool aHide)
>+{

The two cases in this function do exactly the same thing, just with the
variables reversed.  How about factoring it out:

SwapArrays(nsSmallVoidArray *from, nsSmallVoidArray *to);

On second thought, wouldn't it be a lot easier to just keep a single array,
with a boolean that says whether the shells are hidden, and a getter that
returns null if it's set?  Or were you worried about efficiency of that
approach?


>--- docshell/base/nsDocShell.cpp	23 Sep 2005 18:16:38 -0000	1.745
>+++ docshell/base/nsDocShell.cpp	3 Oct 2005 15:06:59 -0000
>@@ -5402,19 +5402,19 @@ nsDocShell::RestoreFromHistory()
>     // Grab the window state up here so we can pass it to Open.
>     nsCOMPtr<nsISupports> windowState;
>     mLSHE->GetWindowState(getter_AddRefs(windowState));
> 
>     mLSHE->SetWindowState(nsnull);
> 
>-    // Reattach to the window object.
>-    rv = mContentViewer->Open(windowState);
>-
>-    // Now remove it from the cached presentation.
>+    // Remove it from the cached presentation.
>     mLSHE->SetContentViewer(nsnull);
>     mEODForCurrentDocument = PR_FALSE;
> 
>+    // ...and reattach to the window object.
>+    rv = mContentViewer->Open(windowState);
>+

Did one of the changes to SHEntry make this change necessary?


>--- docshell/shistory/src/nsSHEntry.cpp	23 Sep 2005 18:16:39 -0000	1.45
>+++ docshell/shistory/src/nsSHEntry.cpp	3 Oct 2005 15:06:59 -0000
>-
>-  // Ensure that we don't post more then one PLEvent
>-  RemoveDocumentObserver();
>+  else {
>+    // Drop presentation. Also ensures that we don't post more then one
>+    // PLEvent. Only do this if we succeed to post the event since otherwise
>+    // the document could be torn down mid mutation causing crashes.
>+    DropPresentationState();
>+  }
> }

This had me confused for awhile, until I realized that DropPresentationEvent no
longer calls DropPresentationState.  Could you rename it to something a little
clearer, like DestroyViewerEvent?
Attachment #198313 - Flags: superreview?(bryner)
Attachment #198313 - Flags: superreview-
Attachment #198313 - Flags: review?(bryner)
Attachment #198313 - Flags: review-
> On second thought, wouldn't it be a lot easier to just keep a single array,
> with a boolean that says whether the shells are hidden, and a getter that
> returns null if it's set?  Or were you worried about efficiency of that
> approach?

I pondered this approach too. There are a lot of places where we do use the
mPresShells member directly. Originally I wanted to avoid the virtual calls of
GetShellAt and GetNumberOfShells, but on second thought I doubt that it'll matter.

Fixes comments by bryner. I also made the event hold a reference to the
document just so that the document doesn't die if contentviewer releases the
reference it is holding for some reason or the other.
Attachment #198313 - Attachment is obsolete: true
Attachment #198352 - Flags: superreview?(bryner)
Attachment #198352 - Flags: review?(bryner)
Attached file testcase file 1 
Updated test files
Attachment #187849 - Attachment is obsolete: true
Attachment #187850 - Attachment is obsolete: true
Jonas, what are the end user ramifications with this patch vs. without it. What
things would the user see? We are trying to figure out if we'll approve this
change right before the deadline. 
There is really little that changes for the end user with this patch. The only
thing should be that the user can no longer get to style information while the
document is in the bfcache (i.e. the document will behave as if there was no
bfcache).

The patch might have fixed a crash (didn't test if it crashed before, but it
doesn't after), though that crash is fairly unlikly to be hit. It is the 'mutate
and back' scenario described in comment 11.

The patch should be farily safe. Mostly because I've pounded on it pretty hard
and there were no surprices.
Comment on attachment 198352 [details] [diff] [review]
Fix remaining issues v2

>--- docshell/shistory/src/nsSHEntry.cpp	23 Sep 2005 18:16:39 -0000	1.45
>+++ docshell/shistory/src/nsSHEntry.cpp	3 Oct 2005 21:02:24 -0000
>@@ -111,15 +111,18 @@ ClearParentPtr(nsISHEntry* aEntry, void*
> nsSHEntry::~nsSHEntry()
> {
>   // Since we never really remove kids from SHEntrys, we need to null
>   // out the mParent pointers on all our kids.
>   mChildren.EnumerateForwards(ClearParentPtr, nsnull);
>   mChildren.Clear();
>-  RemoveDocumentObserver();
>-  if (mContentViewer)
>-    mContentViewer->Destroy();
>+
>+  nsCOMPtr<nsIContentViewer> viewer = mContentViewer;
>+  DropPresentationState();

I still don't understand the need to call DropPresentatinoState from the dtor.


>+    // Drop presentation. Also ensures that we don't post more then one
>+    // PLEvent. Only do this if we succeed to post the event since otherwise

"succeeding in posting the event" would sound better to me.

In nsDocument, what do you think about making inline, non-virtual versions of
GetShellAt and GetNumberOfShells?  They'd need to be named differently.
(In reply to comment #30)
> "succeeding in posting the event" would sound better to me.

succeeded, rather.

Maybe what we could do for the branch is to just take the part of this patch
that changes the PLEvent. This is the part that fixes actual hazards, the rest
is more a correctness issue.

Btw, I still havn't made any changes for the 3 issue in comment 10. I think the
current sitation is fine actually. A document in the bfcache will behave like a
documents did before we had the bfcache as neither can get to the docshell. Not
sure what security checks uses the docshell, but they better deny access if they
can't get to it, otherwise they need to be fixed either way.
> I still don't understand the need to call DropPresentatinoState from the dtor.

This makes us unhide the presshells in the document so that the document has the
same state as it usually has during teardown. I'm not sure if this is needed or
not, but it seemed safest.

> >+    // Drop presentation. Also ensures that we don't post more then one
> >+    // PLEvent. Only do this if we succeed to post the event since otherwise
> 
> "succeeding in posting the event" would sound better to me.
> 
> In nsDocument, what do you think about making inline, non-virtual versions of
> GetShellAt and GetNumberOfShells?  They'd need to be named differently.

I thought about that too, but it feels like it mostly gets messy with the naming
and such. I doubt that there are any performance issues with this since these
are functions that are called just a handfull of times during the lifetime of a
document.

We could do is to place mPresShells and mShellsAreHidden in nsIDocument and
inline GetShellAt and GetNumberOfShells... Don't have a strong oppinion either way.
(In reply to comment #32)
> Maybe what we could do for the branch is to just take the part of this patch
> that changes the PLEvent. This is the part that fixes actual hazards, the rest
> is more a correctness issue.

I like that idea, could you post a branch patch that did just that for us to
evaluate? Thanks!
Comment on attachment 198352 [details] [diff] [review]
Fix remaining issues v2

You're right, none of those call sites seem very performance-critical.	We can
go with this patch if you'd like.
Attachment #198352 - Flags: superreview?(bryner)
Attachment #198352 - Flags: superreview+
Attachment #198352 - Flags: review?(bryner)
Attachment #198352 - Flags: review+
Fixed bryners wording comment. Attaching a new patch since i gotta head off to
bed. Blake has offered to land the patch if it gets approved.
Attachment #198387 - Attachment is obsolete: true
Attachment #198387 - Flags: review+
Attachment #198390 - Flags: approval1.8b5?
Comment on attachment 198390 [details] [diff] [review]
branch patch with better wording

Jonas, thanks again for making the branch only patch for us. And thanks bryner
for double checking that patch.

I'm approving this per earlier discussions with folks.

Blake, if you can't check this in tonight, let me know and I will.
Attachment #198390 - Flags: approval1.8b5? → approval1.8b5+
Fix checked in on MOZILLA_1_8_BRANCH.
Keywords: fixed1.8
Depends on: 311269
This bug may have caused a crash with yahoo.com. See Bug 311269 for more details.

clearing the fixed 1.8 flag since we backed this out. sicking is investigating
311269 too.
Keywords: fixed1.8
(In reply to comment #41)
> clearing the fixed 1.8 flag since we backed this out. sicking is investigating
> 311269 too.

311269 has been fixed on 1.8.
Flags: blocking1.8b5+ → blocking1.8rc1+
Comment on attachment 198352 [details] [diff] [review]
Fix remaining issues v2

Landed this and the patch from bug 311269 on the trunk
Blocks: 312117
No longer blocks: 312117
Depends on: 312117
Comment on attachment 198390 [details] [diff] [review]
branch patch with better wording

ok. we need to get this in asap.
Attachment #198390 - Flags: approval1.8b5+ → approval1.8rc1+
Landed the branch-safe parts of this on the branch and the remaining parts has
been on the trunk for a while, so marking fixed.

We still don't hide the presshells on bfcached docs on the branch, but i think
it's safer to let that be as is at this point.
Status: NEW → RESOLVED
Closed: 19 years ago18 years ago
Keywords: fixed1.8
Resolution: --- → FIXED
So what do we do on branch when the DOM mutates?
As far as mutations go we do the same on trunk and branch: immediately drop the
presentation from the shentry and then release the contentviewer and document on
an event.

The difference is that on trunk if you access style information on a bfdocument
it will behave as a data-only document, whereas on the branch you get the same
style information as when the document was last shown.
Ah, ok.  I guess I can live with that.  ;)
Component: History: Session → Document Navigation
QA Contact: history.session → docshell
You need to log in before you can comment on or make changes to this bug.