Closed Bug 766173 Opened 13 years ago Closed 13 years ago

Potential malloc error in nsScriptSecurityManager::GetScriptSecurityManager()

Categories

(Core :: Security: CAPS, defect)

Product:
Core
Component:
Security: CAPS
Platform:
All
Windows 7
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla16
Tracking Flags:
Tracking Status
firefox13 --- affected
firefox14 --- affected
firefox15 --- verified
firefox16 --- fixed

People

(Reporter: justin.lebar+bug, Assigned: justin.lebar+bug)

References

Details

(Keywords: crash, qawanted, Whiteboard: [startupcrash])

Crash Data

Attachments

(1 file)

Patch v1
3.15 KB, patch
benjamin
: review+
akeybl
: approval-mozilla-aurora+
akeybl
: approval-mozilla-beta-
Details | Diff | Splinter Review
nsScriptSecurityManager* ssManager = new nsScriptSecurityManager(); if (!ssManager) return nsnull; nsresult rv; rv = ssManager->Init(); if (NS_FAILED(rv)) { delete ssManager; return nsnull; } We're screwed if Init() addrefs and releases ssManager. We're particularly screwed if Init() then returns false. From bug 764192 comment 24, it appears that we're hitting this delete and dying. This may or may not be the cause of bug 709860.
This isn't security sensitive because this happens before any content is loaded.
Assignee: nobody → justin.lebar+bug
Attached patch Patch v1Splinter Review
Attachment #634484 - Flags: review?(benjamin)
Blocks: 709860
Attachment #634484 - Flags: review?(benjamin) → review+
Comment on attachment 634484 [details] [diff] [review] Patch v1 [Approval Request Comment] Bug caused by (feature/regressing bug #): Before CVS --> hg transition User impact if declined: Startup crash Testing completed (on m-c, etc.): On m-c. Risk to taking this patch (and alternatives if risky): Could somehow change behavior here, but this is a likely improvement over what was there. String or UUID changes made by this patch: None.
Attachment #634484 - Flags: approval-mozilla-aurora?
I've been operating under the assumption that these will be optimized out by any not-brain-dead compiler. The initializer does nothing more than set a variable in the data section to 0, but the data section is already initialized to 0. If our compilers really can't optimize this, we can make versions of ns{COM,Ref}Ptr that don't initialize themselves to 0. But that's really a separate issue from this patch; the idiom of using a static smart pointer appears basically everywhere that ClearOnShutdown is used.
(In reply to Justin Lebar [:jlebar] from comment #6) > I've been operating under the assumption that these will be optimized out by > any not-brain-dead compiler. gcc is brain-dead.
(In reply to Mike Hommey [:glandium] from comment #7) > gcc is brain-dead. :( How much do we care about this extra static initializer? I guess "some" because we use gcc on mobile. I can't say fixing this is high on my list of priorities, though...
(In reply to Justin Lebar [:jlebar] from comment #8) > (In reply to Mike Hommey [:glandium] from comment #7) > > gcc is brain-dead. > > :( > > How much do we care about this extra static initializer? I guess "some" > because we use gcc on mobile. I can't say fixing this is high on my list of > priorities, though... I'll post something on dev-platform, because this is one of the typical cases (meaning there are several such cases to fix), and that has different possible solutions, one of which I find a elegant hack but Waldo disagrees.
https://hg.mozilla.org/mozilla-central/rev/24191df1f866
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla16
(In reply to Mike Hommey [:glandium] from comment #9) > I'll post something on dev-platform, because this is one of the typical > cases (meaning there are several such cases to fix), and that has different > possible solutions, one of which I find a elegant hack but Waldo disagrees. Actually, it's maybe not that common a pattern to grant a generalized hack. In this particular case, it shouldn't be hard to make the variable non-global.
> Actually, it's maybe not that common a pattern $ git ls-files | grep -v "ClearOnShutdown" | xargs grep 'ClearOnShutdown(' dom/base/Navigator.cpp: ClearOnShutdown(&gVibrateWindowListener); dom/power/PowerManagerService.cpp: ClearOnShutdown(&sSingleton); hal/Hal.cpp: ClearOnShutdown(&gLastIDToVibrate); hal/HalWakeLock.cpp: ClearOnShutdown(&sLockTable); image/src/RasterImage.cpp: ClearOnShutdown(&sSingleton); widget/gonk/OrientationObserver.cpp: ClearOnShutdown(&sOrientationSensorObserver); (plus this patch, which is not in my tree) All of these have global (or class-static) smart pointers. > In this particular case, it shouldn't be hard to make the variable non-global. The variable needs to be, effectively, a global strong reference. So we can either actually make it a global strong reference, or alternatively we can make a weak reference to an object on the heap which keeps a strong reference, and then register a shutdown observer to free the object. I guess door number 3 is, use a raw pointer and manually addref/release. In at least one instance above, the value stored in the global changes, so this would be particularly error-prone.
Door number 4 is using a static variable inside a function. This adds a little overhead, though.
(In reply to Mike Hommey [:glandium] from comment #13) > Door number 4 is using a static variable inside a function. The initializer is not run until the first time the function is run, I guess? That could work. I've never seen this used in hot code.
> Door number 4 is using a static variable inside a function. This doesn't work in the case when we need to be able to change the variable, for example gLastIDToVibrate. I mean, you could have a method with a bunch of parameters which either gets or sets the variable, but that's pretty ugly...
Summary: Potential malloc error in nsScriptSecurityManager::GetScriptSecurityManager() → Potential malloc error in nsScriptSecurityManager::GetScriptSecurityManager(), likely responsible for crash [@ arena_dalloc_small | XPCJSContextStack::GetSafeJSContext() ]
Crash Signature: [@ arena_dalloc_small | XPCJSContextStack::GetSafeJSContext()]
Summary: Potential malloc error in nsScriptSecurityManager::GetScriptSecurityManager(), likely responsible for crash [@ arena_dalloc_small | XPCJSContextStack::GetSafeJSContext() ] → Potential malloc error in nsScriptSecurityManager::GetScriptSecurityManager()
Keywords: qawanted
Comment on attachment 634484 [details] [diff] [review] Patch v1 [Triage Comment] No obvious regressions noted in today's build, so let's land on Aurora 15.
Attachment #634484 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Comment on attachment 634484 [details] [diff] [review] Patch v1 [Approval Request Comment] I'm not sure if we should take this on beta, but it's worth considering. Perhaps we can see how the crash rate on Aurora is affected by its landing.
Attachment #634484 - Flags: approval-mozilla-beta?
Keywords: crash
Severity: normal → critical
OS: Linux → Windows 7
Hardware: x86_64 → All
Whiteboard: [startupcrash]
Blocks: 718575
Comment on attachment 634484 [details] [diff] [review] Patch v1 Given https://bugzilla.mozilla.org/show_bug.cgi?id=709860#c39 I don't think we should land on Beta.
Attachment #634484 - Flags: approval-mozilla-beta? → approval-mozilla-beta-
Is there a way QA can verify this fix?
marking as fixed per comment 22 (since there were no answers to comment 21).
status-firefox15: fixedverified
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: