Closed Bug 394042 Opened 18 years ago Closed 18 years ago

Dangling pointer in nsXULPDGlobalObject leads to mem corruption/crashes

Categories

(Core :: DOM: Core & HTML, defect)

Product:
Core
Component:
DOM: Core & HTML
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: bent.mozilla, Assigned: bent.mozilla)

References

Details

Attachments

(2 files, 3 obsolete files)

Null it out!
995 bytes, patch
jst
: review+
jst
: superreview+
jst
: approval1.9+
Details | Diff | Splinter Review
Cache the principal, v4
2.45 KB, patch
bent.mozilla
: review+
bent.mozilla
: superreview+
jst
: approval1.9+
Details | Diff | Splinter Review
nsXULPDGlobalObject::ClearGlobalObjectOwner doesn't null out mGlobalObjectOwner and leads to this (I think), which is the #9 topcrash on windows at the moment: bp-7a8bc2d4-5516-11dc-a69b-001a4bd43e5c Looks like trouble from bug 389911. bz and Purify helped me find this.
Attached patch Null it out!Splinter Review
Fix?
Assignee: nobody → bent.mozilla
Status: NEW → ASSIGNED
Attachment #278610 - Flags: review?(jst)
Flags: blocking1.9?
Comment on attachment 278610 [details] [diff] [review] Null it out! Hmm, interesting. Looks like the right thing to do no doubt, but bug 389911 didn't really change this AFAICT from looking at the patch, SetGlobalObjectOwner(), which was replaced by ClearGlobalObjectOwner(), didn't null out mGlobalObjectOwner either. Either way, r+sr+a=jst
Attachment #278610 - Flags: superreview+
Attachment #278610 - Flags: review?(jst)
Attachment #278610 - Flags: review+
Attachment #278610 - Flags: approval1.9+
Fixed. Thanks!
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
Flags: blocking1.9?
Hmm. Before that patch landed we had nsXULPrototypeDocument::~nsXULPrototypeDocument doing: - mGlobalObject->SetGlobalObjectOwner(nsnull); and nsXULPDGlobalObject::SetGlobalObjectOwner indeed never set mGlobalObjectOwner. I'm not sure just clearing the owner is right; the right fix imo would be to cache the owner's current principal so GetPrincipal() doesn't suddenly start returning null and _then_ clear the owner. Otherwise we're silently changing the security context of this global, which is almost worse than crashing...
Blocks: 389911
No longer depends on: 389911
I _would_ like to know why this broke, by the way, since bug 389911 doesn't seem to obviously be it.
Reopening based on comment 4.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Attached patch Cache the principal (obsolete) — Splinter Review
Attachment #278713 - Flags: review?(bzbarsky)
Comment on attachment 278713 [details] [diff] [review] Cache the principal No. You don't want to save the cached principal until the script global object owner is going away. Up until that point you want to use that owner's principal, no matter what. Note also that if |this == nsXULPrototypeDocument::gSystemGlobal| you should never need to do anything with the cached principal.
Attachment #278713 - Flags: review?(bzbarsky) → review-
Attached patch Cache the principal, v2 (obsolete) — Splinter Review
Like this?
Attachment #278713 - Attachment is obsolete: true
Attachment #278720 - Flags: review?(bzbarsky)
Attached patch Cache the principal, v3 (obsolete) — Splinter Review
Actually, you probably meant like this.
Attachment #278720 - Attachment is obsolete: true
Attachment #278723 - Flags: review?(bzbarsky)
Attachment #278720 - Flags: review?(bzbarsky)
Comment on attachment 278723 [details] [diff] [review] Cache the principal, v3 >Index: content/xul/document/src/nsXULPrototypeDocument.cpp >+ if (mCachedPrincipal) { >+ return mCachedPrincipal; >+ } > return nsnull; That's equivalent to: return mCachedPrincipal; With that change, r+sr=bzbarsky
Attachment #278723 - Flags: superreview+
Attachment #278723 - Flags: review?(bzbarsky)
Attachment #278723 - Flags: review+
Same patch with that change.
Attachment #278723 - Attachment is obsolete: true
Attachment #278727 - Flags: superreview+
Attachment #278727 - Flags: review+
Attachment #278727 - Flags: approval1.9?
Attachment #278727 - Flags: approval1.9? → approval1.9+
Cool, all fixed up.
Status: REOPENED → RESOLVED
Closed: 18 years ago18 years ago
Resolution: --- → FIXED
Component: DOM → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: