Closed
Bug 765936
Opened 13 years ago
Closed 12 years ago
IndexedDB wrapper behavior is still totally broken
Categories
(Core :: Storage: IndexedDB, defect)
Tracking
()
RESOLVED
FIXED
mozilla16
People
(Reporter: asuth, Assigned: khuey)
References
Details
(Keywords: regression, sec-critical, Whiteboard: [advisory-tracking+])
Attachments
(3 files, 3 obsolete files)
2.24 KB,
patch
|
Details | Diff | Splinter Review | |
15.53 KB,
patch
|
bent.mozilla
:
review+
peterv
:
superreview+
|
Details | Diff | Splinter Review |
9.42 KB,
patch
|
khuey
:
review+
lsblakk
:
approval-mozilla-beta+
|
Details | Diff | Splinter Review |
I accidentally added an expando to a request because meta-/ thought onfailure was a good name and I agreed.
This results in:
###!!! ASSERTION: Already rooted?!: '!PreservingWrapper()', file /home/visbrero/rev_control/fgit/b2g-gaia/mozilla-central/dom/indexedDB/IDBRequest.cpp, line 80
I have included a dubiously named xpcshell test for your edification.
Assignee | ||
Updated•13 years ago
|
Group: core-security
Assignee | ||
Updated•13 years ago
|
Keywords: sec-critical
Summary: expandos cause ###!!! ASSERTION: Already rooted?!: '!PreservingWrapper()' → IndexedDB wrapper behavior is still totally broken
Comment 1•13 years ago
|
||
What versions of FF/geco/b2g are affected?
Assignee | ||
Comment 2•13 years ago
|
||
The assertion is bogus, but there is another problem here. Since bug 731227 we call NS_HOLD_JS_OBJECTS on all requests at creation time. All the existing rooting/unrooting stuff just serves to duplicate that, except that we can run into scenarios where we hold twice and then call drop (and then end up with an unpreserved wrapper).
Attachment #635499 -
Flags: superreview?(peterv)
Attachment #635499 -
Flags: review?(bent.mozilla)
Comment on attachment 635499 [details] [diff] [review]
Patch
Review of attachment 635499 [details] [diff] [review]:
-----------------------------------------------------------------
::: dom/indexedDB/IDBRequest.cpp
@@ -110,5 @@
>
> JSAutoRequest ar(cx);
> JSAutoEnterCompartment ac;
> if (ac.enter(cx, global)) {
> - RootResultVal();
I think we should assert PreservingWrapper... somewhere? At the top of this method most likely.
Attachment #635499 -
Flags: review?(bent.mozilla) → review+
Assignee | ||
Comment 4•13 years ago
|
||
We can't assert PreservingWrapper anywhere. Whether or not we're preserving the wrapper is totally independent of everything else that's going on.
Er... we need to somehow assert that we're rooted. Is there no way to do that?
Comment 6•12 years ago
|
||
Comment on attachment 635499 [details] [diff] [review]
Patch
Review of attachment 635499 [details] [diff] [review]:
-----------------------------------------------------------------
I don't think we can rely on SetScriptOwner unless it returns false if a null aScriptOwner is passed in.
Attachment #635499 -
Flags: superreview?(peterv) → superreview-
Comment 7•12 years ago
|
||
Not sure we can do that, given other consumers of that API. The other option would be to somehow have one flag to signal 'rooted by SetScriptOwner' and 'rooted by RootResultVal'.
Comment 8•12 years ago
|
||
Another option is to make IDBRequest/IDBOpenDBRequest::Create check the argument it passes to SetScriptOwner and bail if it's null.
Assignee | ||
Comment 9•12 years ago
|
||
I was going to say that I don't think the script owner should ever be null, but now with the IPC stuff I'm not so sure. I'll dig further.
Assignee | ||
Comment 10•12 years ago
|
||
How about this? This passes our test suite with no assertions.
Attachment #635499 -
Attachment is obsolete: true
Attachment #637274 -
Flags: superreview?(peterv)
Attachment #637274 -
Flags: review?(bent.mozilla)
Comment on attachment 637274 [details] [diff] [review]
Patch
Review of attachment 637274 [details] [diff] [review]:
-----------------------------------------------------------------
Looks good to me with these things addressed:
::: dom/indexedDB/IDBFactory.cpp
@@ +408,5 @@
>
> if (mWindow) {
> window = mWindow;
> + scriptOwner =
> + static_cast<nsGlobalWindow*>(window.get())->FastGetGlobalJSObject();
I don't like this... We're not in performance-critical code here, can we just use the nsI* methods to get this?
::: dom/indexedDB/IDBWrapperCache.cpp
@@ +47,5 @@
>
> bool
> IDBWrapperCache::SetScriptOwner(JSObject* aScriptOwner)
> {
> + MOZ_ASSERT(aScriptOwner);
NS_ASSERTION. We'll do a full replace someday, but for now please use the other. (I'm still a little miffed that we don't get stacks with MOZ_ASSERT)
@@ +68,5 @@
> +#ifdef DEBUG
> +void
> +IDBWrapperCache::AssertIsRooted() const
> +{
> + MOZ_ASSERT(nsContentUtils::AreJSObjectsHeld(const_cast<IDBWrapperCache*>(this)),
Here too.
Attachment #637274 -
Flags: review?(bent.mozilla) → review+
Comment 12•12 years ago
|
||
Kyle, and idea what FF versions are affected by this bug?
status-firefox16:
--- → affected
tracking-firefox16:
--- → +
Updated•12 years ago
|
Attachment #637274 -
Flags: superreview?(peterv) → superreview+
Assignee | ||
Comment 13•12 years ago
|
||
Flags: in-testsuite?
Target Milestone: --- → mozilla16
Assignee | ||
Comment 14•12 years ago
|
||
This definitely affects Aurora and Beta.
status-firefox14:
--- → affected
status-firefox15:
--- → affected
tracking-firefox14:
--- → ?
tracking-firefox15:
--- → ?
Assignee | ||
Comment 15•12 years ago
|
||
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Comment 16•12 years ago
|
||
What's the risk profile of this bug? Please nominate for Aurora approval, and Beta approval if low risk or a particularly critical security regression.
Assignee | ||
Comment 17•12 years ago
|
||
This is a narrower patch for Aurora and Beta.
[Approval Request Comment]
Bug caused by (feature/regressing bug #): bug 731227
User impact if declined: A potential SG crit involving stale pointers to GCd objects. I haven't actually constructed a test case which crashes though.
Testing completed (on m-c, etc.): Has been on m-c for a bit, is simple enough to understand.
Risk to taking this patch (and alternatives if risky): Low risk.
String or UUID changes made by this patch: None.
Attachment #640218 -
Flags: approval-mozilla-beta?
Attachment #640218 -
Flags: approval-mozilla-aurora?
Assignee | ||
Comment 18•12 years ago
|
||
Beta required a slightly different patch. See above for approval comments.
Attachment #640253 -
Flags: approval-mozilla-beta?
Assignee | ||
Updated•12 years ago
|
Attachment #640218 -
Attachment description: Patch for Aurora and Beta → Patch for Aurora
Attachment #640218 -
Flags: approval-mozilla-beta?
Comment 19•12 years ago
|
||
(In reply to David Bolter [:davidb] from comment #12)
> Kyle, and idea what FF versions are affected by this bug?
Any answer to this? Did we ship this problem in a final release or is it a more recent regression? Is Firefox 13 affected or existing ESR?
Assignee | ||
Comment 20•12 years ago
|
||
This shipped in 13 (see the regressing bug). ESR doesn't have this issue, but it may have related problems.
Updated•12 years ago
|
Blocks: 731227
status-firefox-esr10:
--- → unaffected
status-firefox13:
--- → wontfix
Keywords: regression
Updated•12 years ago
|
Updated•12 years ago
|
Attachment #640218 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Comment 21•12 years ago
|
||
Comment on attachment 640253 [details] [diff] [review]
Patch for Beta
[Triage Comment]
Spoke with Dan/Al - although this is low risk, we're already taking significant change in our final beta, and we'll try to mitigate by taking less change that's on the line.
Attachment #640253 -
Flags: approval-mozilla-beta? → approval-mozilla-beta-
Assignee | ||
Comment 22•12 years ago
|
||
Assignee | ||
Comment 23•12 years ago
|
||
And backed out due to test failures.
https://hg.mozilla.org/releases/mozilla-aurora/rev/626ac9c0bf97
Comment 24•12 years ago
|
||
(In reply to Kyle Huey [:khuey] (khuey@mozilla.com) from comment #23)
> And backed out due to test failures.
>
> https://hg.mozilla.org/releases/mozilla-aurora/rev/626ac9c0bf97
When are we going to take another stab at this? We should still be targeting 15, given the risk profile here.
Assignee | ||
Comment 25•12 years ago
|
||
It's on my list for next week.
Assignee | ||
Comment 26•12 years ago
|
||
Same as before, but it actually works.
Attachment #640218 -
Attachment is obsolete: true
Attachment #640253 -
Attachment is obsolete: true
Attachment #649325 -
Flags: review+
Attachment #649325 -
Flags: approval-mozilla-beta?
Comment 27•12 years ago
|
||
Comment on attachment 649325 [details] [diff] [review]
Patch for beta
approving the patch that works then :)
Attachment #649325 -
Flags: approval-mozilla-beta? → approval-mozilla-beta+
Assignee | ||
Comment 28•12 years ago
|
||
Updated•12 years ago
|
Whiteboard: [advisory-tracking+]
Updated•12 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•