Closed
Bug 718029
Opened 14 years ago
Closed 14 years ago
don't skip JSContexts with outstanding requests during CC traversal
Categories
(Core :: XPConnect, defect)
Core
XPConnect
Tracking
()
RESOLVED
FIXED
mozilla12
| Tracking | Status | |
|---|---|---|
| firefox-esr10 | --- | wontfix |
People
(Reporter: mccr8, Assigned: mccr8)
References
Details
(Whiteboard: [sg:dos null deref])
Attachments
(1 file)
|
1.49 KB,
patch
|
smaug
:
review+
|
Details | Diff | Splinter Review |
The CC adds JSContexts as roots, but skips those that have outstanding requests, because they are necessarily alive. However, JSContexts can have JS objects as children, and it is not okay to skip traversal of a live edge from C++ to JS, because it can make the CC throw away (by NULLing out pointers) to things that are still reachable from JS.
Not a huge deal, because the worst thing this should cause is some null-pointer derefs. Fix is just to remove the two lines.
Giving this moderate because that's what bug 690970, which is the same kind of bug.
|
Assignee | |
Comment 1•14 years ago
|
||
In some casual browsing, I never noticed this optimization doing anything, but I wasn't trying to do things with outstanding requests, whatever those are.
|
||
Comment 2•14 years ago
|
||
Note that requests will be going away soon with bug 650411.
|
|
Assignee | |
Comment 3•14 years ago
|
||
Yeah, this is only going to be a problem if somehow the cycle collector fires off while you have some multi-threaded JS going on or something. It seems like this is barely a problem, and a bogus optimization besides.
|
|
Assignee | |
Comment 4•14 years ago
|
||
Assignee: nobody → continuation
Attachment #588516 -
Flags: review?(bugs)
Now that we don't allow JS from the main runtime on non-main threads I don't think this makes any sense.
|
||
Comment 6•14 years ago
|
||
So the case when there can be GetOutstandingRequests is when either CC is called
explicitly via JS or when there is sync XHR or modal dialog/window open when CC runs.
|
|
Assignee | |
Comment 7•14 years ago
|
||
Probably makes sense to just roll this patch into something improving skipping of JSContexts in the CC.
|
|
||
Comment 8•14 years ago
|
||
Comment on attachment 588516 [details] [diff] [review]
remove the bogus optimization
Hopefully the global object is usually black so that this doesn't affect to
the graph size.
Attachment #588516 -
Flags: review?(bugs) → review+
|
|
Assignee | |
Comment 9•14 years ago
|
||
(In reply to Andrew McCreight [:mccr8] from comment #7)
> Probably makes sense to just roll this patch into something improving
> skipping of JSContexts in the CC.
or not. ;)
Yeah, I'll check to see if this does anything awful to the CC graph.
|
|
Assignee | |
Comment 10•14 years ago
|
||
Well, actually, I already was doing some examination of the behavior of skipping JSContexts, and I never saw this optimization triggered, so it should be okay.
|
|
Assignee | |
Comment 11•14 years ago
|
||
Target Milestone: --- → mozilla12
|
||
Comment 12•14 years ago
|
||
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
|
||
Updated•13 years ago
|
Whiteboard: [sg:moderate] → [sg:dos null deref]
|
||
Updated•13 years ago
|
status-firefox-esr10:
--- → wontfix
|
|
||
Updated•13 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•