Closed Bug 844996 Opened 11 years ago Closed 11 years ago

DeallocShmem failures should always abort

Categories

(Core :: IPC, defect)

Product:
Core
Component:
IPC
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla23

People

(Reporter: BenWa, Assigned: BenWa)

References

Details

Attachments

(2 files)

patch
1.34 KB, patch
cjones
: review+
Details | Diff | Splinter Review
patch
1.70 KB, patch
benjamin
: review+
Details | Diff | Splinter Review
Attached patch patchSplinter Review 
Currently if there's a DeallocShmem failure it is ignored in OMTC configurations.

I'll be sending this to try soon. It will be interesting to see what this finds.
Attachment #718019 - Flags: review?(jones.chris.g)
Comment on attachment 718019 [details] [diff] [review]
patch

More consistent with what we do with actor serialization.

No point in returning bool from this method anymore.  Bonus points for removing that and seeing if any callers actually checked it, but I'm fine with that in a followup too.
Attachment #718019 - Flags: review?(jones.chris.g) → review+
This actually catches problem on mochitest so we're going to have to wait until they're fixed to land this :(.
https://tbpl.mozilla.org/?tree=Try&rev=4b2c7faa2dd5
Assignee: nobody → bgirard
Comment on attachment 718019 [details] [diff] [review]
patch

Can a child ever force a parent to abort by sending a bad shmem like this? For plugins in the past we've tried to make sure that aggressive aborting like this happened in the child but not the parent.
(In reply to Benjamin Smedberg  [:bsmedberg] from comment #5)
> Can a child ever force a parent to abort by sending a bad shmem like this?
> For plugins in the past we've tried to make sure that aggressive aborting
> like this happened in the child but not the parent.

AIUI this map keeps track of any Shmem over that channel so yes the child could leak a shmem intentionally to force this behavior.
Blocks: 839538
Blocks: 849039
(In reply to Benjamin Smedberg  [:bsmedberg] from comment #5)
> Comment on attachment 718019 [details] [diff] [review]
> patch
> 
> Can a child ever force a parent to abort by sending a bad shmem like this?
> For plugins in the past we've tried to make sure that aggressive aborting
> like this happened in the child but not the parent.

This patch is ready to land. Should I modify how it works or land it?
Flags: needinfo?(benjamin)
How likely is failure, and under what conditions? Unless I misunderstand, I don't think the premise of the bug is correct. DeallocShmem failure should not abort in Firefox processes. It is possible that it should abort in plugin processes, but I'm not even sure about that. DeallocShmem failure doesn't mean subsequent actions could result in memory corruption or security bugs, right?
Flags: needinfo?(benjamin)
Not directly. If we try to release something as a shmem that isn't a shmem then our code is doing something wrong. This is more akind of a debug assert. Do you prefer that I make this a debug only check?
Yes, I think so.
Attached patch patchSplinter Review 
Generated code:

bool
PCompositorParent::DeallocShmem(Shmem& aMem)
{
    bool ok = DestroySharedMemory(aMem);
#ifdef DEBUG
    if ((!(ok))) {
        NS_RUNTIMEABORT("bad Shmem");
    }    
#endif // DEBUG
    (aMem).forget(Shmem::IHadBetterBeIPDLCodeCallingThis_OtherwiseIAmADoodyhead());
    return ok;
}
Attachment #730282 - Flags: review?(benjamin)
Comment on attachment 730282 [details] [diff] [review]
patch

r=me, although I think MOZ_ASSERT would probably do the same thing.
Attachment #730282 - Flags: review?(benjamin) → review+
https://hg.mozilla.org/mozilla-central/rev/50725df22b05
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla23
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: