Closed
Bug 749385
Opened 12 years ago
Closed 12 years ago
Use deferred release for documents in nsHTMLDocumentSH::ReleaseDocument
Categories: Core :: DOM: Core & HTML, defect
People
(Reporter: billm, Assigned: mccr8)
Details
(Keywords: sec-critical, Whiteboard: [qa-][advisory-tracking+])
Attachments (2 files)
- 3.67 KB, patch
- 3.97 KB, patch; peterv: review+; akeybl: approval-mozilla-aurora+, approval-mozilla-beta+, approval-mozilla-esr10+
There are a couple of classes in nsDOMClassInfo.cpp that have a finalizer that calls the Release function on a document. We've had trouble with situations like this before, since the destructor can possibly cause JS code to run. These calls should use deferred release.
Comment 1•12 years ago
Critsmash triage: marking this as sec-other to remove from untriaged list. Please have us re-rate if an exploitable bug is found or open more specific bugs for the issues as discovered.
Keywords: sec-other
We should treat this as sec-critical.
Keywords: sec-other → sec-critical
Comment 3•12 years ago
OK thanks Kyle. Assigning to Andrew (DOM sec contact) for further triage/assignment/fixage.
Assignee: nobody → continuation
Comment 4•12 years ago (Assignee)
So basically what is needed here is to make sure that ReleaseDocument does something like XPC_WN_NoHelper_Finalize? I'm also going to see what happens if I add an assertion that fails if the GC is running when we do ~nsDocument. Hopefully that will catch this in a try run. Speaking of XPC_WN_NoHelper_Finalize, is there some reason that it does a deferred release, but XPC_WN_Helper_Finalize doesn't defer it? Or should I file a bug on that...
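As an added illustration for the description and comment 4 (this is constructed example code, not part of this bug's patch or of the Mozilla tree), the toy C++ model below shows the failure mode being fixed: a GC finalizer that calls Release() directly can drop the last reference, run the object's destructor, and thereby run script while the collector is still in progress; queuing the release and draining the queue after GC avoids that. All names here (Document, RunGC, DeferredRelease, FinalizeImmediate, FinalizeDeferred, gGCRunning) are hypothetical stand-ins and are not nsDocument, XPC_WN_NoHelper_Finalize or any real XPConnect API. The gScriptRanDuringGC flag plays the role of the "assert if ~nsDocument runs during GC" check proposed in comment 4.

```cpp
#include <cassert>
#include <functional>
#include <vector>

// Global state for the toy runtime (all constructed for this example).
static bool gGCRunning = false;         // true while the collector is sweeping
static bool gScriptRanDuringGC = false; // the condition comment 4 wants to assert on

// Hypothetical refcounted native object standing in for a document. Destroying
// it may run script (think unload handlers), which is exactly the hazard.
struct Document {
    int refcnt = 1;
    std::function<void()> onDestroy; // script-running side effect of destruction
    void AddRef() { ++refcnt; }
    void Release() {
        if (--refcnt == 0) {
            if (onDestroy) onDestroy();
            delete this;
        }
    }
};

// Stand-in for "JS code runs". Running script while the GC is in progress
// is unsafe (it can touch objects being swept), so we record it.
static void RunScript() {
    if (gGCRunning) gScriptRanDuringGC = true;
}

// Deferred-release queue: finalizers only enqueue; the runtime releases
// after the collection has finished and script is allowed to run again.
static std::vector<Document*> gDeferredReleases;

static void DeferredRelease(Document* doc) { gDeferredReleases.push_back(doc); }

static void DrainDeferredReleases() {
    std::vector<Document*> pending;
    pending.swap(gDeferredReleases);
    for (Document* d : pending) d->Release();
}

// The buggy finalizer: releases (and may destroy) the document inside GC.
static void FinalizeImmediate(Document* doc) { doc->Release(); }

// The fixed finalizer: defers the release until after GC.
static void FinalizeDeferred(Document* doc) { DeferredRelease(doc); }

// Toy collector: runs one wrapper's finalizer with gGCRunning set, then
// drains whatever the finalizers deferred.
static void RunGC(void (*finalizer)(Document*), Document* doc) {
    gGCRunning = true;
    finalizer(doc);
    gGCRunning = false;
    DrainDeferredReleases();
}

// Returns true if the given finalizer caused script to run during GC.
static bool ScriptRanDuringGC(void (*finalizer)(Document*)) {
    gScriptRanDuringGC = false;
    Document* doc = new Document(); // wrapper's reference; refcnt == 1
    doc->onDestroy = RunScript;
    RunGC(finalizer, doc);
    return gScriptRanDuringGC;
}

int main() {
    assert(ScriptRanDuringGC(FinalizeImmediate));  // the bug reproduces
    assert(!ScriptRanDuringGC(FinalizeDeferred));  // the fix holds
    return 0;
}
```

The point of the queue is not that the release is skipped, only that it is moved: the document is still destroyed, but after the collector has released its invariants, so any script triggered by the destructor runs against a consistent heap. Note the fix is only as good as the guarantee that the queue is drained, which is what comment 13's remark about keeping XPConnect alive is about.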
Comment 5•12 years ago (Assignee)
When I browsed around a little, I didn't hit my assertion, but during shutdown I did end up in ~nsDocument during a GC.
Comment 6•12 years ago (Reporter)
(In reply to Andrew McCreight [:mccr8] from comment #4)
> Speaking of XPC_WN_NoHelper_Finalize, is there some reason that it does a deferred release, but XPC_WN_Helper_Finalize doesn't defer it? Or should I file a bug on that...

Yeah, I think that one is broken too.
Comment 7•12 years ago
(In reply to Andrew McCreight [:mccr8] from comment #4)
> Speaking of XPC_WN_NoHelper_Finalize, is there some reason that it does a deferred release, but XPC_WN_Helper_Finalize doesn't defer it? Or should I file a bug on that...

See bug 712448, comment 21. Please file a bug. I don't think we have any slim wrappers for a scriptable helper with a finalizer, but we should fix it.
Comment 8•12 years ago (Assignee)
Olli already filed bug 714725 back in January. I threw a patch together for it.
Updated•12 years ago (Assignee)
OS: Linux → All
Hardware: x86_64 → All
Version: unspecified → Trunk
Comment 9•12 years ago (Assignee)
Comment 10•12 years ago (Assignee)
Comment on attachment 625276 [details] [diff] [review] actual patch

I don't know if somebody else should review the actual changes in nsDOMClassInfo. I did a little tidying of JSBool for one function, but I can revert that and add a !! or something if that's better.
Attachment #625276 - Flags: review?(bobbyholley+bmo)
Comment 11•12 years ago
Comment on attachment 625276 [details] [diff] [review] actual patch

Bouncing this patch to peter.
Attachment #625276 - Flags: review?(bobbyholley+bmo) → review?(peterv)
Updated•12 years ago
status-firefox-esr10: --- → affected
status-firefox13: --- → wontfix
status-firefox14: --- → affected
status-firefox15: --- → affected
tracking-firefox14: --- → +
tracking-firefox15: --- → +
Comment 12•12 years ago
PeterV, friendly ping for review. We don't like crit bugs :)
Comment 13•12 years ago
Comment on attachment 625276 [details] [diff] [review] actual patch

This is ok because documents hold nsContentUtils alive (through nsLayoutStatics) and that keeps XPConnect alive.
Attachment #625276 - Flags: review?(peterv) → review+
Comment 14•12 years ago (Assignee)
https://hg.mozilla.org/integration/mozilla-inbound/rev/7d05bf4570bd
tracking-firefox-esr10: --- → ?
Target Milestone: --- → mozilla16
Comment 15•12 years ago (Assignee)
https://hg.mozilla.org/mozilla-central/rev/7d05bf4570bd
Comment 16•12 years ago
Is there a simple way to test this fix?
Comment 17•12 years ago (Assignee)
No, this was just found by code inspection.
Comment 18•12 years ago (Assignee)
Comment on attachment 625276 [details] [diff] [review] actual patch

[Approval Request Comment]
If this is not a sec:{high,crit} bug, please state case for ESR consideration:
User impact if declined: possible sg:crit in some circumstances
Fix Landed on Version: 16
Risk to taking this patch (and alternatives if risky): fairly low. could change how some documents are released a little bit.
String or UUID changes made by this patch: none

[Approval Request Comment]
Bug caused by (feature/regressing bug #): unknown, but it is pretty old.
Testing completed (on m-c, etc.): it has been on m-c for a few days.
Attachment #625276 - Flags: approval-mozilla-esr10?
Attachment #625276 - Flags: approval-mozilla-beta?
Attachment #625276 - Flags: approval-mozilla-aurora?
Comment 19•12 years ago
Comment on attachment 625276 [details] [diff] [review] actual patch

[Triage Comment]
Approving this low-risk sg:crit for all branches.
Attachment #625276 - Flags: approval-mozilla-esr10? → approval-mozilla-esr10+
Attachment #625276 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Attachment #625276 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Comment 20•12 years ago (Assignee)
https://hg.mozilla.org/releases/mozilla-aurora/rev/61c987f44572
https://hg.mozilla.org/releases/mozilla-beta/rev/439fdaa19343
Comment 21•12 years ago (Assignee)
esr10 required some minor futzing around with the name of a function. https://hg.mozilla.org/releases/mozilla-esr10/rev/21aa63b0f89f
Comment 22•12 years ago
qa- as per comment 17. Please set to qa+ if there is something QA can do to verify this fix.
Whiteboard: [qa-]
Updated•12 years ago
Whiteboard: [qa-] → [qa-][advisory-tracking+]
Updated•12 years ago
Group: core-security
Updated•5 years ago
Component: DOM → DOM: Core & HTML