Closed
Bug 830975
Opened 12 years ago
Closed 12 years ago
[FIX] nsDocument::FlushPendingNotifications looks suspicious
Categories
(Core :: DOM: Core & HTML, defect)
Tracking
()
People
(Reporter: smaug, Assigned: smaug)
Details
(Keywords: crash, sec-audit, sec-critical, Whiteboard: [adv-main19+][adv-esr1703+])
Attachments
(2 files)
|
4.99 KB,
patch
|
mccr8
:
review+
bzbarsky
:
feedback+
lsblakk
:
approval-mozilla-aurora+
lsblakk
:
approval-mozilla-beta+
lsblakk
:
approval-mozilla-esr17+
lsblakk
:
approval-mozilla-b2g18+
abillings
:
sec-approval+
|
Details | Diff | Splinter Review |
|
666 bytes,
text/html
|
Details |
http://mxr.mozilla.org/mozilla-central/source/content/base/src/nsDocument.cpp?rev=fe51ccc53083#6715 Callers of FlushPendingNotifications should keep the document alive. That doesn't always happen since, since even within nsDocument::FlushPendingNotifications itself it calls mParentDocument->FlushPendingNotifications, and mParentDocument is a member variable and doesn't guarantee that the object stays alive during the call (if something ends up clearing the member variable). Any objections if I add some nsCOMPtrs to keep stuff alive long enough? Unfortunately that may show up in some profiles.
|
Assignee | |
Comment 1•12 years ago
|
||
We do have crashes in nsDocument::FlushPendingNotifications
|
||
Comment 2•12 years ago
|
||
Can we make the document hold a strong ref to itself only when it's really doing a flush? I can probably live with the refcounting cost in that case...
|
||
Comment 3•12 years ago
|
||
several of the nsDocument::FlushPendingNotifications crashes (maybe a third?) are illegal writes, smells like a use after free.
|
|
||
Updated•12 years ago
|
OS: Linux → All
Version: unspecified → Trunk
|
|
Assignee | |
Comment 4•12 years ago
|
||
Maybe this way. Faster stack-only refcounting, which doesn't affect to purple-ness of the object. In normal cases this should add one ++, --, and a comparison to Flush. Should be quite fast. Not super-pretty, but quite small and performance is critical here.
Attachment #703861 -
Flags: feedback?(continuation)
|
|
||
Comment 5•12 years ago
|
||
It's worth testing this on the testcase in bug 709256 (which is close to a worst-case scenario for flush overhead).
|
|
Assignee | |
Comment 6•12 years ago
|
||
ok. nsCOMPtr<nsIDocument> might actually not be so bad these days. (and bug 789919 will make it faster)
|
|
Assignee | |
Comment 7•12 years ago
|
||
Comment on attachment 703861 [details] [diff] [review] WIP Profiling this some more.
Attachment #703861 -
Flags: feedback?(continuation)
|
|
Assignee | |
Comment 8•12 years ago
|
||
|
|
Assignee | |
Comment 9•12 years ago
|
||
Comment on attachment 703861 [details] [diff] [review] WIP There is significant difference in performance (>10% opt linux64, non-pgo) when comparing this approach to nsCOMPtr<nsIDocument>. The testcase is of course the worst case scenario.
Attachment #703861 -
Flags: feedback?(bzbarsky)
|
|
||
Comment 10•12 years ago
|
||
Comment on attachment 703861 [details] [diff] [review] WIP I'd still like to understand why we can't take a ref only in the cases when there's actually stuff to flush... This is fine as far as it goes, but it seems like the other would be simpler.
Attachment #703861 -
Flags: feedback?(bzbarsky) → feedback+
|
|
Assignee | |
Comment 11•12 years ago
|
||
(In reply to Boris Zbarsky (:bz) from comment #10) > I'd still like to understand why we can't take a ref only in the cases when > there's actually stuff to flush... Ah, hmm, I guess I could use mNeedLayoutFlush/mNeedStyleFlush, and not really check whether something is flushed.
|
|
Assignee | |
Comment 12•12 years ago
|
||
But contentsinks make this hard
|
|
Assignee | |
Comment 13•12 years ago
|
||
And need to check if some ancestor flushes.
|
|
Assignee | |
Comment 14•12 years ago
|
||
Comment on attachment 703861 [details] [diff] [review] WIP I can't now figure out anything simpler than this.
Attachment #703861 -
Flags: review?(continuation)
|
||
Comment 15•12 years ago
|
||
Comment on attachment 703861 [details] [diff] [review] WIP Review of attachment 703861 [details] [diff] [review]: ----------------------------------------------------------------- Looks okay to me, though I don't know anything about FlushPendingNotifications in particular.
Attachment #703861 -
Flags: review?(continuation) → review+
|
|
Assignee | |
Comment 16•12 years ago
|
||
Comment on attachment 703861 [details] [diff] [review] WIP [Security approval request comment] How easily could an exploit be constructed based on the patch? I think quite easily Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem? No, but patch itself is quite obvious. Which older supported branches are affected by this flaw? all Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be? Patch seems to apply to m-c, aurora and beta, and needs just minor merging for esr17 How likely is this patch to cause regressions; how much testing does it need? Should be relatively safe. Currently we may get crashes in the cases this patch fixes.
Attachment #703861 -
Flags: sec-approval?
|
|
Assignee | |
Comment 17•12 years ago
|
||
Boris, if you can think of a simpler fix, don't hesitate to tell it to me :)
|
|
Assignee | |
Updated•12 years ago
|
Summary: nsDocument::FlushPendingNotifications looks suspicious → [FIX] nsDocument::FlushPendingNotifications looks suspicious
|
||
Comment 18•12 years ago
|
||
I need release management to weigh in on when we want to take this since it affects everything and is obvious.
status-firefox-esr10:
--- → affected
status-firefox18:
--- → affected
status-firefox19:
--- → affected
status-firefox20:
--- → affected
status-firefox21:
--- → affected
status-firefox-esr17:
--- → affected
tracking-firefox19:
--- → ?
tracking-firefox20:
--- → ?
tracking-firefox21:
--- → ?
tracking-firefox-esr17:
--- → ?
|
|
||
Comment 19•12 years ago
|
||
> But contentsinks make this hard
> And need to check if some ancestor flushes.
Ugh. :( Yeah, then what's here seems simplest. :(
|
||
Comment 20•12 years ago
|
||
(In reply to Al Billings [:abillings] from comment #18) > I need release management to weigh in on when we want to take this since it > affects everything and is obvious. We're coming up on Beta 4 of FF19. Let's land on all branches this week. Is B2G affected Olli?
|
|
Assignee | |
Comment 21•12 years ago
|
||
Everything is affected.
|
|
Assignee | |
Comment 22•12 years ago
|
||
Comment on attachment 703861 [details] [diff] [review] WIP [Approval Request Comment] Bug caused by (feature/regressing bug #): Old stuff User impact if declined: Possible sg:crit crashes Testing completed (on m-c, etc.): Hasn't landed anywhere yet Risk to taking this patch (and alternatives if risky): Shouldn't be risky. Alternatives are probably significantly slower and this is hot code. String or UUID changes made by this patch: NA
Attachment #703861 -
Flags: approval-mozilla-esr17?
Attachment #703861 -
Flags: approval-mozilla-beta?
Attachment #703861 -
Flags: approval-mozilla-b2g18?
Attachment #703861 -
Flags: approval-mozilla-aurora?
|
|
||
Updated•12 years ago
|
Attachment #703861 -
Flags: sec-approval? → sec-approval+
|
|
||
Updated•12 years ago
|
Keywords: checkin-needed
|
|
Assignee | |
Comment 23•12 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/0a453067b5de
Keywords: checkin-needed
|
|
Assignee | |
Updated•12 years ago
|
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
|
||
Comment 24•12 years ago
|
||
Comment on attachment 703861 [details] [diff] [review] WIP Approving for all branches.
Attachment #703861 -
Flags: approval-mozilla-esr17?
Attachment #703861 -
Flags: approval-mozilla-esr17+
Attachment #703861 -
Flags: approval-mozilla-beta?
Attachment #703861 -
Flags: approval-mozilla-beta+
Attachment #703861 -
Flags: approval-mozilla-b2g18?
Attachment #703861 -
Flags: approval-mozilla-b2g18+
Attachment #703861 -
Flags: approval-mozilla-aurora?
Attachment #703861 -
Flags: approval-mozilla-aurora+
|
|
Assignee | |
Comment 25•12 years ago
|
||
Landing real soon.
|
||
Updated•12 years ago
|
Target Milestone: --- → mozilla21
|
|
Assignee | |
Comment 26•12 years ago
|
||
https://hg.mozilla.org/releases/mozilla-esr17/rev/fd2ee0d7d4a0 https://hg.mozilla.org/releases/mozilla-beta/rev/a75708877822 https://hg.mozilla.org/releases/mozilla-b2g18/rev/0e76f133a710 https://hg.mozilla.org/releases/mozilla-aurora/rev/932c91fda1cf
|
|
||
Updated•12 years ago
|
|
||
Comment 27•12 years ago
|
||
Is the attached test case applicable, and will it be set to review at some point?
|
||
Comment 28•12 years ago
|
||
I ran the test case attached to this bug, but I get the exact same behavior on Firefox 18 and Firefox 19 (beta 5). The counter on the page stays between 198 and 220 ms, and Firefox eats up about 50% of the CPU. What should I be looking at to verify this fix?
|
|
||
Comment 29•12 years ago
|
||
Nothing. This is a proactive security fix for an issue we don't obviously have a way to trigger. The testcase is just making sure the fix doesn't regress performance.
|
|
||
Updated•12 years ago
|
Whiteboard: [adv-main19+][adv-esr1703+]
|
|
||
Updated•11 years ago
|
Group: core-security
|
||
Updated•5 years ago
|
Component: DOM → DOM: Core & HTML
You need to log in
before you can comment on or make changes to this bug.
Description
•