Closed
Bug 642717
Opened 14 years ago
Closed 14 years ago
Refresh driver needs to hold strong refs to |targets| in Notify
Categories
(Core :: Layout, defect, P1)
Tracking
()
RESOLVED
FIXED
mozilla5
Tracking | Status | |
---|---|---|
blocking2.0 | --- | Macaw+ |
status2.0 | --- | .1-fixed |
status1.9.2 | --- | unaffected |
status1.9.1 | --- | unaffected |
fennec | - | --- |
People
(Reporter: bzbarsky, Assigned: bzbarsky)
Details
(Whiteboard: [sg:critical?])
Attachments
(1 file)
1.90 KB,
patch
|
roc
:
review+
dveditz
:
approval2.0+
|
Details | Diff | Splinter Review |
I came across this while working on bug 607529 (and the patch for that bug includes a fix for this one, but that bug is not landing in fx4). I believe that the current code in Notify is unsafe. |targets| holds weak references, and since they're on the stack they can't be removed when the documents go away. So if one of the events triggers script that ends up collecting some of the other documents, then we could end up doing event dispatch to a dead event target, which seems bad. I'll attach a minimal fix here. I don't think this is worth respinning for, but I do think we should take this ASAP once we start taking .x fixes.
Assignee | ||
Comment 1•14 years ago
|
||
Attachment #520121 -
Flags: review?(roc)
Assignee | ||
Updated•14 years ago
|
Whiteboard: [need review]
Assignee | ||
Updated•14 years ago
|
Priority: -- → P1
Attachment #520121 -
Flags: review?(roc) → review+
Assignee | ||
Comment 2•14 years ago
|
||
Comment on attachment 520121 [details] [diff] [review] Hold strong references to our MozBeforePaint event targets. Requesting approval, in case we want to fix this for mobile even without fixing it for desktop...
Attachment #520121 -
Flags: approval2.0?
Assignee | ||
Updated•14 years ago
|
Whiteboard: [need review] → [need approval]
Updated•14 years ago
|
blocking2.0: ? → -
tracking-fennec: --- → ?
Comment 3•14 years ago
|
||
we can pick this up whenever it lands for desktop. not holding mobile4.0 for this.
tracking-fennec: ? → 2.0-
Comment 4•14 years ago
|
||
It sounds bad in theory, but do we know if this happens in practice (for example, is there a testcase that demonstrates the problem)?
Keywords: testcase-wanted
Whiteboard: [need approval] → [sg:critical?][need approval]
Assignee | ||
Comment 5•14 years ago
|
||
I haven't tried writing one, but I could do that if you want...
Assignee | ||
Updated•14 years ago
|
Whiteboard: [sg:critical?][need approval] → [sg:critical?][need landing]
Assignee | ||
Updated•14 years ago
|
Assignee | ||
Comment 7•14 years ago
|
||
Pushed http://hg.mozilla.org/mozilla-central/rev/ced2b9373c5f
Status: NEW → RESOLVED
Closed: 14 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Whiteboard: [sg:critical?][need landing] → [sg:critical?]
Target Milestone: --- → mozilla2.2
Assignee | ||
Comment 8•14 years ago
|
||
I really think we need to take this for any security-update releases we do for 2.0. Renominating accordingly.
blocking2.0: - → ?
Updated•14 years ago
|
Comment 9•14 years ago
|
||
Comment on attachment 520121 [details] [diff] [review] Hold strong references to our MozBeforePaint event targets. Approved for the mozilla2.0 repository, a=dveditz for release-drivers
Attachment #520121 -
Flags: approval2.0? → approval2.0+
Assignee | ||
Comment 10•14 years ago
|
||
http://hg.mozilla.org/releases/mozilla-2.0/rev/7bf6e15028ed
Updated•13 years ago
|
Group: core-security
Updated•9 years ago
|
Keywords: testcase-wanted
You need to log in
before you can comment on or make changes to this bug.
Description
•