Bug 749385 - Use deferred release for documents in nsHTMLDocumentSH::ReleaseDocument
Status: RESOLVED FIXED
Whiteboard: [qa-][advisory-tracking+]
Keywords: sec-critical
Product: Core
Classification: Components
Component: DOM
Version: Trunk
Platform: All All
Importance: -- normal
Target Milestone: mozilla16
Assigned To: Andrew McCreight [:mccr8]
Triage Owner: Andrew Overholt [:overholt]
Reported: 2012-04-26 14:22 PDT by Bill McCloskey (:billm)
Modified: 2012-07-20 18:23 PDT (History)
CC: 8 users
wontfix
+
fixed
+
fixed
fixed
14+
fixed


Attachments
don't let ~nsDocument run during a GC (3.67 KB, patch)
2012-05-17 09:58 PDT, Andrew McCreight [:mccr8]
no flags
actual patch (3.97 KB, patch)
2012-05-18 15:02 PDT, Andrew McCreight [:mccr8]
peterv: review+
akeybl: approval‑mozilla‑aurora+
akeybl: approval‑mozilla‑beta+
akeybl: approval‑mozilla‑esr10+

Description Bill McCloskey (:billm) 2012-04-26 14:22:04 PDT
There are a couple of classes in nsDOMClassInfo.cpp that have a finalizer that calls the Release function on a document. We've had trouble with situations like this before, since the destructor can possibly cause JS code to run. These calls should use deferred release.
Comment 1 Al Billings [:abillings] 2012-05-16 10:49:08 PDT
Critsmash triage: marking this as sec-other to remove from untriaged list. Please have us re-rate if an exploitable bug is found or open more specific bugs for the issues as discovered.
Comment 2 Kyle Huey [:khuey] (Exited; not receiving bugmail, email if necessary) 2012-05-16 10:50:42 PDT
We should treat this as sec-critical.
Comment 3 David Bolter [:davidb] 2012-05-17 07:06:03 PDT
OK thanks Kyle. Assigning to Andrew (DOM sec contact) for further triage/assignment/fixage.
Comment 4 Andrew McCreight [:mccr8] 2012-05-17 09:42:57 PDT
So basically what is needed here is to make sure that ReleaseDocument does something like XPC_WN_NoHelper_Finalize?  I'm also going to see what happens if I add an assertion that fails if the GC is running when we do ~nsDocument.  Hopefully that will catch this in a try run.

Speaking of XPC_WN_NoHelper_Finalize, is there some reason that it does a deferred release, but XPC_WN_Helper_Finalize doesn't defer it?  Or should I file a bug on that...
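The hazard described in the bug description and the "is the GC running when ~nsDocument fires?" check proposed in comment 4, as an added illustration that is not code from this bug or from Gecko. Gc, Document, FinalizeImmediate, FinalizeDeferred, RunGc and Simulate are invented names for a toy model: a wrapper finalizer that calls Release() inline runs the document destructor inside the collection, while a finalizer that only queues the pointer lets the reference be dropped once the GC has finished.

```cpp
#include <cstdio>
#include <vector>

// Constructed model of the hazard described in this bug. Gc, Document,
// FinalizeImmediate, FinalizeDeferred and RunGc are invented names for this
// example; none of this is Gecko code.

struct Gc;

// A ref-counted object whose destructor may run arbitrary code, standing in
// for nsDocument (whose destructor can end up running script).
struct Document {
    explicit Document(Gc* g) : gc(g) {}
    ~Document();
    void AddRef() { ++refcnt; }
    void Release() { if (--refcnt == 0) delete this; }
    Gc* gc;
    int refcnt = 1;
};

// Minimal collector state: a flag that is set while finalizers run, counters
// that play the role of the "are we in a GC?" assertion from comment 4, and
// the queue used by the deferred-release strategy.
struct Gc {
    bool collecting = false;
    int destroyedDuringGc = 0;
    int destroyedAfterGc = 0;
    std::vector<Document*> deferred;
};

Document::~Document() {
    // This is where ~nsDocument could run script; running here while the
    // collector is mid-sweep is the bug. Record which side of the GC we are on.
    if (gc->collecting) ++gc->destroyedDuringGc;
    else ++gc->destroyedAfterGc;
}

// The pattern the bug reports: the JS wrapper's finalizer drops its
// reference inline, so the destructor runs inside the GC.
void FinalizeImmediate(Gc&, Document* doc) { doc->Release(); }

// Deferred release: the finalizer only queues the pointer; the reference is
// dropped after the GC has finished, when running arbitrary code is safe.
void FinalizeDeferred(Gc& gc, Document* doc) { gc.deferred.push_back(doc); }

// One GC cycle: run the finalizer for each dead wrapper with `collecting`
// set, then clear the flag and drain the deferred-release queue.
void RunGc(Gc& gc, std::vector<Document*>& garbage, bool useDeferred) {
    gc.collecting = true;
    for (Document* doc : garbage) {
        if (useDeferred) FinalizeDeferred(gc, doc);
        else FinalizeImmediate(gc, doc);
    }
    garbage.clear();
    gc.collecting = false;
    for (Document* doc : gc.deferred) doc->Release();
    gc.deferred.clear();
}

struct GcStats { int duringGc; int afterGc; };

// Collect two dead wrappers with the given strategy and report where the
// document destructors ended up running.
GcStats Simulate(bool useDeferred) {
    Gc gc;
    std::vector<Document*> garbage = { new Document(&gc), new Document(&gc) };
    RunGc(gc, garbage, useDeferred);
    return { gc.destroyedDuringGc, gc.destroyedAfterGc };
}

int main() {
    GcStats immediate = Simulate(false);
    GcStats deferred = Simulate(true);
    std::printf("immediate release: %d destructors during GC, %d after\n",
                immediate.duringGc, immediate.afterGc);
    std::printf("deferred release:  %d destructors during GC, %d after\n",
                deferred.duringGc, deferred.afterGc);
    return 0;
}
```

The counters stand in for the assertion comment 4 proposes: with inline Release() both destructors run while `collecting` is set, which is exactly the state the real assertion would flag; with the queue they run only after the flag is cleared.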
Comment 5 Andrew McCreight [:mccr8] 2012-05-17 09:58:21 PDT
Created attachment 624790 [details] [diff] [review]
don't let ~nsDocument run during a GC

When I browsed around a little, I didn't hit my assertion, but during shutdown I did end up in ~nsDocument during a GC.
Comment 6 Bill McCloskey (:billm) 2012-05-17 10:18:38 PDT
(In reply to Andrew McCreight [:mccr8] from comment #4)
> Speaking of XPC_WN_NoHelper_Finalize, is there some reason that it does a
> deferred release, but XPC_WN_Helper_Finalize doesn't defer it?  Or should I
> file a bug on that...

Yeah, I think that one is broken too.
Comment 7 Peter Van der Beken [:peterv] 2012-05-17 12:13:27 PDT
(In reply to Andrew McCreight [:mccr8] from comment #4)
> Speaking of XPC_WN_NoHelper_Finalize, is there some reason that it does a
> deferred release, but XPC_WN_Helper_Finalize doesn't defer it?  Or should I
> file a bug on that...

See bug 712448, comment 21. Please file a bug. I don't think we have any slim wrappers for a scriptable helper with a finalizer, but we should fix it.
Comment 8 Andrew McCreight [:mccr8] 2012-05-17 12:17:34 PDT
Olli already filed bug 714725 back in January.  I threw a patch together for it.
Comment 9 Andrew McCreight [:mccr8] 2012-05-18 15:02:46 PDT
Created attachment 625276 [details] [diff] [review]
actual patch
Comment 10 Andrew McCreight [:mccr8] 2012-05-19 13:58:44 PDT
Comment on attachment 625276 [details] [diff] [review]
actual patch

I don't know if somebody else should review the actual changes in nsDOMClassInfo.

I did a little tidying of JSBool for one function, but I can revert that and add a !! or something if that's better.
Comment 11 Bobby Holley (:bholley) (busy with Stylo) 2012-05-20 13:44:48 PDT
Comment on attachment 625276 [details] [diff] [review]
actual patch

Bouncing this patch to peter.
Comment 12 David Bolter [:davidb] 2012-05-31 13:41:13 PDT
PeterV, friendly ping for review. We don't like crit bugs :)
Comment 13 Peter Van der Beken [:peterv] 2012-06-11 08:46:20 PDT
Comment on attachment 625276 [details] [diff] [review]
actual patch

This is ok because documents hold nsContentUtils alive (through nsLayoutStatics) and that keeps XPConnect alive.
Comment 14 Andrew McCreight [:mccr8] 2012-06-15 09:31:56 PDT
https://hg.mozilla.org/integration/mozilla-inbound/rev/7d05bf4570bd
Comment 15 Andrew McCreight [:mccr8] 2012-06-16 10:36:58 PDT
https://hg.mozilla.org/mozilla-central/rev/7d05bf4570bd
Comment 16 Al Billings [:abillings] 2012-06-18 06:15:58 PDT
Is there a simple way to test this fix?
Comment 17 Andrew McCreight [:mccr8] 2012-06-18 08:31:44 PDT
No, this was just found by code inspection.
Comment 18 Andrew McCreight [:mccr8] 2012-06-18 11:39:00 PDT
Comment on attachment 625276 [details] [diff] [review]
actual patch

[Approval Request Comment]
If this is not a sec:{high,crit} bug, please state case for ESR consideration:
User impact if declined: possible sg:crit in some circumstances
Fix Landed on Version: 16
Risk to taking this patch (and alternatives if risky): fairly low. Could change how some documents are released a little bit.
String or UUID changes made by this patch: none

[Approval Request Comment]
Bug caused by (feature/regressing bug #): unknown, but it is pretty old.
Testing completed (on m-c, etc.): it has been on m-c for a few days.
Comment 19 Alex Keybl [:akeybl] 2012-06-18 15:59:45 PDT
Comment on attachment 625276 [details] [diff] [review]
actual patch

[Triage Comment]
Approving this low-risk sg:crit for all branches.
Comment 21 Andrew McCreight [:mccr8] 2012-06-18 18:18:04 PDT
esr10 required some minor futzing around with the name of a function.

https://hg.mozilla.org/releases/mozilla-esr10/rev/21aa63b0f89f
Comment 22 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2012-06-21 16:47:47 PDT
qa- as per comment 17. Please set to qa+ if there is something QA can do to verify this fix.
