Closed Bug 547814 Opened 15 years ago Closed 15 years ago

Workers: Need to call JS_MakeStringImmutable before passing strings across threads?

Categories

(Core :: DOM: Core & HTML, defect)

Product:
Core
Component:
DOM: Core & HTML
Platform:
x86
All
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
status1.9.2 --- .2-fixed
status1.9.1 --- unaffected

People

(Reporter: bent.mozilla, Assigned: bent.mozilla)

Details

(Whiteboard: [sg:critical?])

Attachments

(1 file, 1 obsolete file)

Patch
737 bytes, patch
jorendorff
: review+
peterv
: superreview+
beltzner
: approval1.9.2.2+
Details | Diff | Splinter Review
blocking1.9.2: --- → ?
Attached patch Trunk and 1.9.2 patch (obsolete) — Splinter Review
Assignee: nobody → bent.mozilla
Status: NEW → ASSIGNED
Attachment #428281 - Flags: superreview?(jst)
Attachment #428281 - Flags: review?(jorendorff)
Sorry for the false alarm. This is already safe. The patch isn't needed. The string is never really accessible by two threads at once. It's created in one thread and stuck in an event, which is then posted to execute in another thread. Posting the event goes through a lock, so it's a clean hand-off. It's totally safe.
Group: core-security
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → INVALID
Attachment #428281 - Flags: review?(jorendorff)
Attachment #428281 - Flags: superreview?(jst)
Group: core-security
Ben called and said there was a security problem after all. Hiding bug and reopening until it gets figured out.
Status: RESOLVED → REOPENED
Resolution: INVALID → ---
Attached patch PatchSplinter Review
Trunk and 1.9.2 only.
Attachment #428281 - Attachment is obsolete: true
Attachment #428462 - Flags: superreview?(jst)
Attachment #428462 - Flags: review?(jorendorff)
Comment on attachment 428462 [details] [diff] [review] Patch That's the right fix. Good catch.
Attachment #428462 - Flags: review?(jorendorff) → review+
Attachment #428462 - Flags: superreview?(jst) → superreview+
Comment on attachment 428462 [details] [diff] [review] Patch Super simple fix, we either need to take this or back the string sharing out before we ship the next 1.9.2 release.
Attachment #428462 - Flags: approval1.9.2.2?
Needs to bake on mozilla-central before we can take it on 1.9.2, doesn't it?
Neither jst nor I think it's necessary in this case (it's too simple) but I am certainly ok waiting as long as we make this block 1.9.2.2. Just don't want to forget to land it before we ship!
Status: REOPENED → RESOLVED
Closed: 15 years ago15 years ago
Resolution: --- → FIXED
Attachment #428462 - Flags: approval1.9.2.2? → approval1.9.2.2+
Do we need a test for this? I don't see any way for QA to verify here.
(In reply to comment #13) > Do we need a test for this? > > I don't see any way for QA to verify here. Ben, any comments?
Hm, not sure we can really test this... This code is hit for every single message sent to a worker now, so the code in question is definitely hit. We didn't crash in the tests before and we don't now so I'm not sure what to do. I'd just not worry about it.
Doesn't this problem apply to 1.9.1 as well? What are the potential security risks here? If it's causing crashes that sounds like memory corruptions (sg:critical) but since you weren't able to actually cause crashes maybe not?
blocking1.9.1: --- → ?
status1.9.1: --- → ?
Whiteboard: [sg:critical?]
It's not an issue on 1.9.1 because the string sharing code only landed on trunk and 1.9.2.
(We always copy on 1.9.1, which is safe).
blocking1.9.1: ? → ---
status1.9.1: ?unaffected
Group: core-security
Component: DOM → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: