Closed Bug 819443 Opened 13 years ago Closed 13 years ago

DOMProxyHandler is being finalized on the background thread

Categories

(Core :: DOM: Core & HTML, defect)

Product:
Core
Component:
DOM: Core & HTML
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED WORKSFORME
Milestone:
mozilla20
Tracking Flags:
Tracking Status
firefox20 --- affected

People

(Reporter: mccr8, Unassigned)

Details

(Keywords: sec-audit, Whiteboard: [leave open])

Crash Data

Attachments

(2 files)

fix alloc kinds
4.00 KB, patch
terrence
: review+
Details | Diff | Splinter Review
thread assert on background finalize
1.63 KB, patch
luke
: review+
Details | Diff | Splinter Review
I noticed this when looking at the crash stacks for GetXPConnect. DOMProxyHandler::finalize calls nsXPConnect::GetRuntimeInstance(), which in turn calls GetXPConnect. But in this particular crash stack, the DOMProxyHandler is being finalized on the background thread, so we crash, because GetXPConnect does a MOZ_CRASH when it isn't called on the main thread. https://crash-stats.mozilla.com/report/index/eeeb0b76-c9de-4e15-9afb-172ea2121207 I filed this as s-s because I don't know if this is just a particular problem with this class, in which case it is just a DOS and not a big deal, or a symptom of a broader problem with things being inappropriately finalized on the background thread.
Updating the summary to what is probably the real problem here...
Summary: DOMProxyHandler::finalize for NodeListBinding calls GetXPConnect off the main thread → DOMProxyHandler is being finalized on the background thread
To be clear, this is the DOMProxyHandler in NodeListBinding.cpp. I don't know if there are other ones or what.
No longer blocks: 819337
Here's a similar crash where mozilla::dom::CSS2PropertiesBinding::DOMProxyHandler::finalize is being run on the background thread. https://crash-stats.mozilla.com/report/index/8bcc8b7a-ffa5-47a9-9592-395a42121206 These are both from beta. I looked at all of the GetXPConnect() crashes on beta from the last week, and these were the only two like this, so it seems like it must be a rare combination of circumstances that causes this.
Marking sec-audit as there's no real evidence yet that it is anything worse than a DOS. Or, for that matter, that it isn't just a symptom of some weird memory corruption elsewhere.
Keywords: sec-audit
Crash Signature: [@ nsXPConnect::GetXPConnect()]
Attached patch fix alloc kindsSplinter Review
This fixes some issues with allocation kinds that I saw while looking at code for this bug. I think it's harmless. We're missing a case for Ion code, but I don't think we ever call the function with that alloc kind. Better to fix it though.
Attachment #691494 - Flags: review?(terrence)
This asserts that we only run finalizers on the main thread. I wish we had a better thing to assert here, but the shape is already gone by the time we finalize. In theory we could make this a release-mode assertion, but given the low incidence of the crash, it doesn't seem worth it.
Attachment #691495 - Flags: review?(luke)
Comment on attachment 691494 [details] [diff] [review] fix alloc kinds Review of attachment 691494 [details] [diff] [review]: ----------------------------------------------------------------- Nice find!
Attachment #691494 - Flags: review?(terrence) → review+
Attachment #691495 - Flags: review?(luke) → review+
I'm not working on this, so I unassigned myself.
Assignee: wmccloskey → nobody
FWIW, I don't see any crashes with GetXPConnect on 19+. There are some on 18, but the ones I looked at didn't seem to have this particular problem. So I'll just call this WFM...
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → WORKSFORME
Group: core-security → core-security-release
Group: core-security-release
Component: DOM → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: