Closed
Bug 700512
Opened 13 years ago
Closed 13 years ago
Workers + Files exposes threadsafety assertions with DataOwner
Categories
(Core :: DOM: Core & HTML, defect)
Core
DOM: Core & HTML
Tracking
()
RESOLVED
FIXED
mozilla9
People
(Reporter: khuey, Assigned: khuey)
Details
(Whiteboard: [sg:high][qa?])
Attachments
(1 file, 2 obsolete files)
|
5.77 KB,
patch
|
sicking
:
review+
benjamin
:
review+
christian
:
approval-mozilla-aurora+
christian
:
approval-mozilla-beta+
|
Details | Diff | Splinter Review |
Jonas reports that bent has seen threadsafety assertions from DataOwner when manipulating File objects in Workers in certain ways.
Yeah, we need to make the DataOwner refcounting threadsafe. As things stand now, if a memory-blob is used on both the main thread and a worker thread, the refcount can end up both too high and too low due to races.
|
Assignee | |
Updated•13 years ago
|
Assignee: nobody → khuey
|
|
Assignee | |
Comment 2•13 years ago
|
||
Attachment #572786 -
Flags: review?(jonas)
|
|
Assignee | |
Updated•13 years ago
|
Attachment #572786 -
Flags: review?(benjamin)
|
|
Assignee | |
Comment 3•13 years ago
|
||
Attachment #572786 -
Attachment is obsolete: true
Attachment #572786 -
Flags: review?(jonas)
Attachment #572786 -
Flags: review?(benjamin)
Attachment #572820 -
Flags: review?(jonas)
|
|
Assignee | |
Updated•13 years ago
|
Attachment #572820 -
Flags: review?(benjamin)
Comment on attachment 572820 [details] [diff] [review]
Patch
Err.. you only want to delete if the refcount goes to 0, right?
Attachment #572820 -
Flags: review?(jonas) → review-
|
|
Assignee | |
Comment 5•13 years ago
|
||
Attachment #572820 -
Attachment is obsolete: true
Attachment #572820 -
Flags: review?(benjamin)
Attachment #572824 -
Flags: review?(jonas)
Attachment #572824 -
Flags: review?(jonas) → review+
|
|
Assignee | |
Updated•13 years ago
|
Attachment #572824 -
Flags: review?(benjamin)
|
|
Assignee | |
Comment 6•13 years ago
|
||
If we're respinning 8.0, perhaps we should consider including this? It's a pretty easy fix to a new bug in 8.0.
|
||
Updated•13 years ago
|
|
||
Comment 7•13 years ago
|
||
[Triage Comment]
This is sg:high and therefore doesn't meet the criteria for landing on the release branch for a chemspill.
|
|
Assignee | |
Comment 8•13 years ago
|
||
Review ping.
|
||
Updated•13 years ago
|
Attachment #572824 -
Flags: review?(benjamin) → review+
Wait... I don't like that this doesn't stabilize the refcount. Having inconsistent implementations of Release seems like a recipe for headaches, and having no stabilization seems like a recipe for double-free.
|
|
||
Comment 10•13 years ago
|
||
refcount stabilization was a terrible idea. We should assert if you try to addref a dying object, not propagate stabilization to new macros where it's not already potentially used.
Fatally asserting sounds fine, but I imagine we'd only do that in debug builds since you have to have some other state bit to track that. For opt builds we'd just have no protection against double frees?
|
|
||
Comment 12•13 years ago
|
||
You really don't need another state bit, just use PR_UINT32_MAX as a sentinel value. I'm not sure that the extra branch is worth the protection in release builds, but we should probably measure to see how much it actually costs.
|
|
Assignee | |
Comment 13•13 years ago
|
||
Checked in without a test case.
https://hg.mozilla.org/mozilla-central/rev/d20b9d389776
Status: NEW → RESOLVED
Closed: 13 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla11
|
|
Assignee | |
Comment 14•13 years ago
|
||
Comment on attachment 572824 [details] [diff] [review]
Patch
Requesting aurora and beta approval for this security regression introduced in Firefox 8.
Attachment #572824 -
Flags: approval-mozilla-beta?
Attachment #572824 -
Flags: approval-mozilla-aurora?
|
||
Comment 15•13 years ago
|
||
Comment on attachment 572824 [details] [diff] [review]
Patch
[triage comment]
Please land on aurora and beta today if at all possible.
Attachment #572824 -
Flags: approval-mozilla-beta?
Attachment #572824 -
Flags: approval-mozilla-beta+
Attachment #572824 -
Flags: approval-mozilla-aurora?
Attachment #572824 -
Flags: approval-mozilla-aurora+
|
|
Assignee | |
Comment 16•13 years ago
|
||
https://hg.mozilla.org/releases/mozilla-aurora/rev/a45dd5ac1f90
https://hg.mozilla.org/releases/mozilla-beta/rev/6858e50813de
Target Milestone: mozilla11 → mozilla9
|
||
Comment 17•13 years ago
|
||
Does this affect the 1.9.2 branch? (qawanted)
|
|
Assignee | |
Comment 18•13 years ago
|
||
No, File objects are main thread only in 1.9.2.
Keywords: qawanted
|
|
||
Updated•13 years ago
|
blocking1.9.2: ? → -
|
||
Comment 19•13 years ago
|
||
Is there something QA can do to verify this fix?
Whiteboard: [sg:high] → [sg:high][qa?]
|
|
||
Updated•13 years ago
|
Group: core-security
|
|
Assignee | |
Comment 20•13 years ago
|
||
The tests for this landed in Bug 698621 for reasons that I don't understand.
Flags: in-testsuite? → in-testsuite+
|
||
Updated•6 years ago
|
Component: DOM → DOM: Core & HTML
You need to log in
before you can comment on or make changes to this bug.
Description
•