Closed
Bug 844996
Opened 11 years ago
Closed 11 years ago
DeallocShmem failures should always abort
Categories
(Core :: IPC, defect)
Tracking
()
RESOLVED
FIXED
mozilla23
People
(Reporter: BenWa, Assigned: BenWa)
References
Details
Attachments
(2 files)
1.34 KB,
patch
|
cjones
:
review+
|
Details | Diff | Splinter Review |
1.70 KB,
patch
|
benjamin
:
review+
|
Details | Diff | Splinter Review |
Currently if there's a DeallocShmem failure it is ignored in OMTC configurations. I'll be sending this to try soon. It will be interesting to see what this finds.
Attachment #718019 -
Flags: review?(jones.chris.g)
Assignee | ||
Comment 1•11 years ago
|
||
https://tbpl.mozilla.org/?tree=Try&rev=1a32034f781a
Comment on attachment 718019 [details] [diff] [review] patch More consistent with what we do with actor serialization. No point in returning bool from this method anymore. Bonus points for removing that and seeing if any callers actually checked it, but I'm fine with that in a followup too.
Attachment #718019 -
Flags: review?(jones.chris.g) → review+
Assignee | ||
Comment 3•11 years ago
|
||
This actually catches problem on mochitest so we're going to have to wait until they're fixed to land this :(.
Assignee | ||
Comment 4•11 years ago
|
||
https://tbpl.mozilla.org/?tree=Try&rev=4b2c7faa2dd5
Assignee: nobody → bgirard
Comment 5•11 years ago
|
||
Comment on attachment 718019 [details] [diff] [review] patch Can a child ever force a parent to abort by sending a bad shmem like this? For plugins in the past we've tried to make sure that aggressive aborting like this happened in the child but not the parent.
Assignee | ||
Comment 6•11 years ago
|
||
(In reply to Benjamin Smedberg [:bsmedberg] from comment #5) > Can a child ever force a parent to abort by sending a bad shmem like this? > For plugins in the past we've tried to make sure that aggressive aborting > like this happened in the child but not the parent. AIUI this map keeps track of any Shmem over that channel so yes the child could leak a shmem intentionally to force this behavior.
Assignee | ||
Comment 7•11 years ago
|
||
https://tbpl.mozilla.org/?tree=Try&rev=435caf66bed3
Assignee | ||
Comment 8•11 years ago
|
||
(In reply to Benjamin Smedberg [:bsmedberg] from comment #5) > Comment on attachment 718019 [details] [diff] [review] > patch > > Can a child ever force a parent to abort by sending a bad shmem like this? > For plugins in the past we've tried to make sure that aggressive aborting > like this happened in the child but not the parent. This patch is ready to land. Should I modify how it works or land it?
Flags: needinfo?(benjamin)
Comment 9•11 years ago
|
||
How likely is failure, and under what conditions? Unless I misunderstand, I don't think the premise of the bug is correct. DeallocShmem failure should not abort in Firefox processes. It is possible that it should abort in plugin processes, but I'm not even sure about that. DeallocShmem failure doesn't mean subsequent actions could result in memory corruption or security bugs, right?
Flags: needinfo?(benjamin)
Assignee | ||
Comment 10•11 years ago
|
||
Not directly. If we try to release something as a shmem that isn't a shmem then our code is doing something wrong. This is more akind of a debug assert. Do you prefer that I make this a debug only check?
Comment 11•11 years ago
|
||
Yes, I think so.
Assignee | ||
Comment 12•11 years ago
|
||
Generated code: bool PCompositorParent::DeallocShmem(Shmem& aMem) { bool ok = DestroySharedMemory(aMem); #ifdef DEBUG if ((!(ok))) { NS_RUNTIMEABORT("bad Shmem"); } #endif // DEBUG (aMem).forget(Shmem::IHadBetterBeIPDLCodeCallingThis_OtherwiseIAmADoodyhead()); return ok; }
Attachment #730282 -
Flags: review?(benjamin)
Comment 13•11 years ago
|
||
Comment on attachment 730282 [details] [diff] [review] patch r=me, although I think MOZ_ASSERT would probably do the same thing.
Attachment #730282 -
Flags: review?(benjamin) → review+
Assignee | ||
Comment 14•11 years ago
|
||
https://tbpl.mozilla.org/?tree=Try&rev=ec1defa0c006
Assignee | ||
Comment 15•11 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/50725df22b05
Comment 16•11 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/50725df22b05
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla23
You need to log in
before you can comment on or make changes to this bug.
Description
•