Closed
Bug 484890
Opened 15 years ago
Closed 14 years ago
nsEditingSession.cpp uses InitWithFuncCallback in a suspicious way
Categories
(Core :: DOM: Editor, defect)
Tracking
()
RESOLVED
FIXED
mozilla1.9.3a4
People
(Reporter: smaug, Assigned: ehsan.akhgari)
Details
(Whiteboard: [sg:critical?] [qa-noaction-191] [qa-noaction-192])
Attachments
(1 file)
|
2.13 KB,
patch
|
sicking
:
review+
dveditz
:
approval1.9.2.4+
dveditz
:
approval1.9.1.10+
|
Details | Diff | Splinter Review |
http://mxr.mozilla.org/mozilla-central/source/editor/composer/src/nsEditingSession.cpp#1061 What keeps docShell alive?
|
||
Comment 1•15 years ago
|
||
note: found as a follow-up to the bad pattern in sg:critical bug 484320
Whiteboard: [sg:investigate]
|
||
Updated•14 years ago
|
Whiteboard: [sg:investigate] → [sg:critical?]
|
Assignee | |
Comment 2•14 years ago
|
||
So, we cancel the timer in the destructor here as well (http://mxr.mozilla.org/mozilla-central/source/editor/composer/src/nsEditingSession.cpp#121), but I assume that it's not enough, because the docshell might have a different lifetime. Do we have any mechanism to detect whether a docshell pointer is valid? Something like weak frames?
You can always use an nsWeakPtr. So
nsWeakPtr mFoo;
mFoo = do_GetWeakReference(docShell);
nsCOMPtr<nsIDocShell> docShell = do_QueryReferent(mFoo);
if (docShell) {
...
}|
|
Assignee | |
Comment 4•14 years ago
|
||
Something like this?
Comment on attachment 432675 [details] [diff] [review] Patch (v1) Looks correct. But I can't comment on if the destructor code makes this redundant or not. Though, do you even need the closure here? Can't you simply use mDocShell instead of static_cast<nsIWeakReference*> (aClosure) ?
Attachment #432675 -
Flags: review?(jonas) → review+
|
|
Assignee | |
Comment 6•14 years ago
|
||
(In reply to comment #5) > (From update of attachment 432675 [details] [diff] [review]) > Looks correct. But I can't comment on if the destructor code makes this > redundant or not. I tried to figure it out as well, but couldn't. I'm not sure if the lifetime of the docshell is always greater or equal to the lifetime of the editing session. But anyway this way we'll be safer, and there's no real perf loss for this patch. > Though, do you even need the closure here? Can't you simply use mDocShell > instead of static_cast<nsIWeakReference*> (aClosure) ? That's not possible, the callback timer is a static method.
Ah, right! Well, carry on then :)
|
|
Assignee | |
Comment 8•14 years ago
|
||
http://hg.mozilla.org/mozilla-central/rev/63a1cee09aa9
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla1.9.3a4
|
|
Assignee | |
Updated•14 years ago
|
Attachment #432675 -
Flags: approval1.9.2.3?
Attachment #432675 -
Flags: approval1.9.1.10?
|
|
||
Comment 9•14 years ago
|
||
Comment on attachment 432675 [details] [diff] [review] Patch (v1) Approved for 1.9.2.3 and 1.9.1.10, a=dveditz for release-drivers
Attachment #432675 -
Flags: approval1.9.2.3?
Attachment #432675 -
Flags: approval1.9.2.3+
Attachment #432675 -
Flags: approval1.9.1.10?
Attachment #432675 -
Flags: approval1.9.1.10+
|
|
Assignee | |
Comment 10•14 years ago
|
||
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/89dc7bcedfc6 http://hg.mozilla.org/releases/mozilla-1.9.1/rev/d360dfcc44b0
status1.9.1:
--- → .10-fixed
status1.9.2:
--- → .3-fixed
|
||
Comment 11•14 years ago
|
||
Is there anything for QA to reasonably do here to verify this fix for 1.9.1 and 1.9.2?
|
|
Assignee | |
Comment 12•14 years ago
|
||
(In reply to comment #11) > Is there anything for QA to reasonably do here to verify this fix for 1.9.1 and > 1.9.2? Not really, we don't have a testcase which uses this possible flaw.
|
|
||
Updated•14 years ago
|
Whiteboard: [sg:critical?] → [sg:critical?] [qa-noaction-191] [qa-noaction-192]
|
|
||
Updated•14 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•