Closed Bug 352264 Opened 18 years ago Closed 3 years ago

audit code for asymmetric push/pop of JS context stack

Categories

(Core :: DOM: Core & HTML, defect)

Product:
Core
Component:
DOM: Core & HTML
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED WORKSFORME

People

(Reporter: dbaron, Unassigned)

References

(
URL
)

Details

(Keywords: fixed1.8.0.8, fixed1.8.1, sec-audit, Whiteboard: [sg:audit][need testcase])

Attachments

(2 files, 1 obsolete file)

patch for some of the issues
18.36 KB, patch
jst
: review+
bzbarsky
: superreview+
dveditz
: approval1.8.0.8+
mtschrep
: approval1.8.1+
Details | Diff | Splinter Review
patch for nsJSNPRuntime
2.56 KB, patch
jst
: review+
jst
: superreview+
dveditz
: approval1.8.0.8+
mtschrep
: approval1.8.1+
Details | Diff | Splinter Review 
There are a number of topcrashes for which the only reasonable explanation brendan and I could come up with was that the context at the top of the JS context stack has been deleted.  This could happen if a caller forgot to pop a context that was pushed.

The crashes that I'm looking at are:
bug 317283
bug 319533
bug 322056 comment 35
bug 322143
bug 325547
and they seem to be Windows-only.

Most of my audit for asymmetric (either way) pushes and pops consisted of looking through http://lxr.mozilla.org/seamonkey/search?string=ContextStack%3B1 , although I started from the XPConnect code that maintains the stack and worked my way out.  The problems or potential problems that I found are the following (roughly from most alarming to least alarming, although I didn't sort very carefully):

modules/plugin/base/src/nsJSNPRuntime.cpp
  AutoCXPusher doesn't hold on to sContextStack -- does it need to?
  (could sWrapperCount drop to zero or increase from zero in the middle?)
  (if not, why are there null checks?)

dom/src/base/nsJSEnvironment.cpp#1678
  has an NS_ENSURE_SUCCESS
  checking result of ConvertSupportsTojsvals

js/src/xpconnect/src/xpccallcontext.cpp
  XPCCallContext's constructor does its Push before ensuring that
  mXPCContext is non-null, which means it might not pop.  (Maybe safer
  to just fix the destructor, though.)

modules/plugin/base/src/ns4xPlugin.cpp
  That we expose Push/Pop through the plugin API
  (NPPVjavascriptPushCallerBool) scares me a good bit.

  if GetPeer succeeds but returns null, the error in Push is not
  propagated to the caller

  We should probably add code to assert, and perhaps even enforce, that
  plugin push/pops are symmetric and match the C call stack.  We should
  at least assert that plugin pops are popping the context they pushed.

embedding/browser/activex/src/plugin/LegacyPlugin.cpp
js/src/liveconnect/nsCLiveconnect.cpp#113
  doesn't null out mContextStack if Peek fails

embedding/components/windowwatcher/src/nsWindowWatcher.cpp
xpfe/bootstrap/nsNativeAppSupportOS2.cpp#2274
xpfe/bootstrap/nsNativeAppSupportWin.cpp#2288
toolkit/xre/nsNativeAppSupportWin.cpp#1486
toolkit/xre/nsNativeAppSupportOS2.cpp#1630
  assumes mService->GetSafeJSContext(&mContext) doesn't simultaneously
  fail and set mContext

The implementation of Push needs to fail on OOM, and then callers (most
of them!) need to check the result.

Many places also use Pop(&cx) when they could use Pop(nsnull).
Attached patch patch for some of the issues (obsolete) — Splinter Review 
This fixes some of the issues.  Apologies about the readability of the diff, but I'm not sure what I could do to improve it.

It notably doesn't fix the first; I want to discuss that one with jst.

Also note that for the two files where the issue was incorrect error handling of the result of Peek, I intentionally reversed the error handling for Peek failures so that we do try to Push (and check the result of Push too).
Attachment #237898 - Flags: superreview?(bzbarsky)
Attachment #237898 - Flags: review?(jst)
I should really read the diff before attaching it...
Attachment #237898 - Attachment is obsolete: true
Attachment #237901 - Flags: superreview?(bzbarsky)
Attachment #237901 - Flags: review?(jst)
Attachment #237898 - Flags: superreview?(bzbarsky)
Attachment #237898 - Flags: review?(jst)
Comment on attachment 237901 [details] [diff] [review]
patch for some of the issues

sr=bzbarsky
Attachment #237901 - Flags: superreview?(bzbarsky) → superreview+
Comment on attachment 237901 [details] [diff] [review]
patch for some of the issues

r=jst
Attachment #237901 - Flags: review?(jst) → review+
Comment on attachment 238081 [details] [diff] [review]
patch for nsJSNPRuntime

r+sr=jst
Attachment #238081 - Flags: superreview?(jst)
Attachment #238081 - Flags: superreview+
Attachment #238081 - Flags: review?(jst)
Attachment #238081 - Flags: review+
Above two patches checked in to the trunk.
Flags: blocking1.8.1?
Comment on attachment 237901 [details] [diff] [review]
patch for some of the issues

a=schrep for 181drivers for topcrash prevention.
Attachment #237901 - Flags: approval1.8.1? → approval1.8.1+
Comment on attachment 238081 [details] [diff] [review]
patch for nsJSNPRuntime

a=schrep for 181drivers for topcrash prevention.
Attachment #238081 - Flags: approval1.8.1? → approval1.8.1+
Flags: blocking1.8.0.8?
Flags: blocking1.8.1?
Checked in to MOZILLA_1_8_BRANCH.
Keywords: fixed1.8.1
If we have a set of security testcases that are easy to run, testing stuff related to the JS context stack (i.e., whether the topmost JS is chrome or content), it might be worth running them to make sure I didn't mess anything up here...
(In reply to comment #11)

I have *some* regression tests that were mined from bugzilla and recently did a run for 1.8 and can do another as soon as I catch up with js tests. They aren't automated unfortunately and take several hours per platform. I'll try to have them complete by tomorrow sometime.
Hrm.  This doesn't seem to have fixed the crashes, or at least not all of them: TB23292220 came in today.
Restoring lost blocking flag
Flags: blocking1.8.0.9?
Whiteboard: [sg:investigate]
Flags: blocking1.8.0.9? → blocking1.8.0.8?
Flags: blocking1.8.0.8? → blocking1.8.0.8+
Comment on attachment 237901 [details] [diff] [review]
patch for some of the issues

approved for 1.8.0 branch, a=dveditz for drivers
Attachment #237901 - Flags: approval1.8.0.8+
Attachment #238081 - Flags: approval1.8.0.8+
Checked in to MOZILLA_1_8_0_BRANCH.
Keywords: fixed1.8.0.8
Adding [need testcase] since there is no easy way for QA to verify this fix.  We will continue to keep an eye on Talkback data.

bc:  Anything to report from the testing you did back in comment #10?  I'm assuming everything was fine from the lack of comments in this bug since the checkin on Trunk and 1.8 branch.
Whiteboard: [sg:investigate] → [sg:investigate][need testcase]
(In reply to comment #17)

> bc:  Anything to report from the testing you did back in comment #10?  I'm
> assuming everything was fine from the lack of comments in this bug since the
> checkin on Trunk and 1.8 branch.

I ran the security regression tests for firefox around rc1, but I'm not sure that it was an effective test of this.
Group: security
Can this be closed?
QA Contact: ian → general
Whiteboard: [sg:investigate][need testcase] → [sg:audit][need testcase]
We should probably have something like a static analysis for this...
Keywords: sec-audit
Component: DOM → DOM: Core & HTML
Assignee: dbaron → nobody

Hello David! Is this issue still available or we can close it?

Flags: needinfo?(dbaron)

The relevant code has changed quite a bit with AutoJSAPI and such. I don't think this bug is particularly useful anymore.

Status: NEW → RESOLVED
Closed: 3 years ago
Flags: needinfo?(dbaron)
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: