Closed
Bug 534051
Opened 15 years ago
Closed 15 years ago
Workers: Don't change the global object while GC is running
Categories
(Core :: DOM: Core & HTML, defect)
Tracking
()
RESOLVED
FIXED
mozilla1.9.2
| Tracking | Status | |
|---|---|---|
| status1.9.2 | --- | final-fixed |
| blocking1.9.1 | --- | .8+ |
| status1.9.1 | --- | .8-fixed |
People
(Reporter: bent.mozilla, Assigned: bent.mozilla)
References
Details
(Whiteboard: [sg:critical?] fixes 533000)
Attachments
(1 file)
|
997 bytes,
patch
|
bent.mozilla
:
review+
jorendorff
:
review+
bent.mozilla
:
superreview+
dveditz
:
approval1.9.1.8+
|
Details | Diff | Splinter Review |
We're setting the global object on the context from another thread outside of a request. That's bad according to all sane peers, so we should stop. Also, I think we should check request depth inside JS_SetGlobalObject.
|
Assignee | |
Comment 1•15 years ago
|
||
Attachment #416977 -
Flags: superreview?(jst)
Attachment #416977 -
Flags: review?(jst)
Attachment #416977 -
Flags: review?(jorendorff)
|
||
Comment 2•15 years ago
|
||
Comment on attachment 416977 [details] [diff] [review] Patch OK. The JS change is a bit risky though. At a first glance I couldn't be sure that all the *other* places that call this function are doing it right.
Attachment #416977 -
Flags: review?(jorendorff) → review+
|
|
||
Comment 3•15 years ago
|
||
Sorry--I meant to add: I'm OK with adding that CHECK_REQUEST if the tests pass. If they don't, that is if other code triggers the assertion, we need to look into it. People definitely shouldn't be racing with the GC to call that function. Shudder.
|
|
Assignee | |
Comment 4•15 years ago
|
||
I pushed the patch to the tryserver
|
|
Assignee | |
Comment 5•15 years ago
|
||
And tryserver loved it. Peterv and I think that this is the cause of bug 533000.
Severity: normal → critical
blocking1.9.1: --- → ?
Flags: blocking1.9.2?
|
|
Assignee | |
Comment 6•15 years ago
|
||
Comment on attachment 416977 [details] [diff] [review] Patch Over-the-shoulder r+sr=jst.
Attachment #416977 -
Flags: superreview?(jst)
Attachment #416977 -
Flags: superreview+
Attachment #416977 -
Flags: review?(jst)
Attachment #416977 -
Flags: review+
|
||
Comment 7•15 years ago
|
||
We need this on the branches, fixes GC crashes.
Flags: blocking1.9.2? → blocking1.9.2+
|
|
Assignee | |
Comment 8•15 years ago
|
||
Pushed changeset 2000e14d36b2 to mozilla-central.
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Flags: blocking1.9.2+ → blocking1.9.2?
Resolution: --- → FIXED
|
|
Assignee | |
Comment 9•15 years ago
|
||
Comment on attachment 416977 [details] [diff] [review] Patch This patch should apply without any changes to 1.9.2 and 1.9.1.
Attachment #416977 -
Flags: approval1.9.2?
Attachment #416977 -
Flags: approval1.9.1.7?
|
||
Comment 10•15 years ago
|
||
This was blocking 1.9.2 (you accidentally removed the flag), so I'd go ahead and land there and ask jst to re-mark as blocking.
|
||
Updated•15 years ago
|
|
|
||
Comment 12•15 years ago
|
||
Comment on attachment 416977 [details] [diff] [review] Patch Approved for 1.9.1.7, a=dveditz for release-drivers
Attachment #416977 -
Flags: approval1.9.2?
Attachment #416977 -
Flags: approval1.9.1.7?
Attachment #416977 -
Flags: approval1.9.1.7+
|
||
Updated•15 years ago
|
Whiteboard: [can land 1.9.2]
|
||
Comment 13•15 years ago
|
||
Pushed to 192: http://hg.mozilla.org/releases/mozilla-1.9.2/rev/f8e3e9f4d7c4
status1.9.2:
--- → final-fixed
|
|
||
Updated•15 years ago
|
Whiteboard: [can land 1.9.2]
|
|
Assignee | |
Comment 14•15 years ago
|
||
Pushed to 1.9.1 also. http://hg.mozilla.org/releases/mozilla-1.9.1/rev/620cfa6038af and http://hg.mozilla.org/releases/mozilla-1.9.1/rev/c3f393d2d171.
|
||
Comment 15•14 years ago
|
||
Ben, is there a way for QA to test this fix or do we have to trust hopefully existing tests?
|
|
Assignee | |
Comment 16•14 years ago
|
||
This is guarded by a hard assertion so we'll see crash reports if anyone violates it.
|
|
||
Comment 17•14 years ago
|
||
But that means there no way for us to verify this fix manually. Is that correct?
Target Milestone: --- → mozilla1.9.2
|
|
Assignee | |
Comment 18•14 years ago
|
||
Yes.
|
|
||
Updated•14 years ago
|
Blocks: CVE-2010-0160
Whiteboard: [sg:critical?] fixes 533000
|
||
Updated•14 years ago
|
|
|
||
Updated•14 years ago
|
Group: core-security
|
||
Updated•5 years ago
|
Component: DOM → DOM: Core & HTML
You need to log in
before you can comment on or make changes to this bug.
Description
•