Closed
Bug 880544
Opened 11 years ago
Closed 11 years ago
"ABORT: Tear-off objects remain in hashtable at shutdown" with watch on SVGPathSegList
Categories
(Core :: SVG, defect)
Tracking
()
VERIFIED
FIXED
mozilla25
People
(Reporter: jruderman, Assigned: jwatt)
Details
(4 keywords, Whiteboard: [adv-main25+])
Attachments
(6 files, 3 obsolete files)
279 bytes,
image/svg+xml
|
Details | |
7.44 KB,
patch
|
dzbarsky
:
review+
|
Details | Diff | Splinter Review |
7.01 KB,
patch
|
dzbarsky
:
review+
|
Details | Diff | Splinter Review |
7.05 KB,
patch
|
dzbarsky
:
review+
|
Details | Diff | Splinter Review |
7.47 KB,
patch
|
dzbarsky
:
review+
|
Details | Diff | Splinter Review |
6.88 KB,
patch
|
dzbarsky
:
review+
|
Details | Diff | Splinter Review |
###!!! ABORT: Tear-off objects remain in hashtable at shutdown.: 'mTable.Count() == 0', file content/svg/content/src/nsSVGAttrTearoffTable.h, line 28 nsSVGAttrTearoffTable<void, mozilla::DOMSVGPathSegList>::~nsSVGAttrTearoffTable Security-sensitive because last time I filed a bug involving this assertion (bug 872790), it was marked as a dup of a security-sensitive bug.
Comment 1•11 years ago
|
||
Marking sec-critical, because this smells like a use-after-free. Who should look at this? Sounds like jwatt is away for all of June.
Keywords: sec-critical
Comment 3•11 years ago
|
||
(In reply to :Ms2ger from comment #2) > David, could you have a look? I'll add it to my todo list.
Flags: needinfo?(dzbarsky)
Updated•11 years ago
|
Assignee: nobody → dzbarsky
Updated•11 years ago
|
status-firefox24:
--- → affected
Updated•11 years ago
|
Assignee: dzbarsky → nobody
Comment 5•11 years ago
|
||
Is this something you could look into, Brian? It looks like you've made the most changes to this file. Thanks.
Comment 6•11 years ago
|
||
I can have a look but I'm currently travelling so it won't be until the middle of next week at the earliest. If anyone else has time before then, please have a look.
Assignee | ||
Comment 10•11 years ago
|
||
It seems like the use of Object.prototype.watch is keeping a reference to the DOMSVGPathSegList and preventing it from being GC'ed even once the tab has been closed. If I open this testcase in a tab, close the tab, open about:memory and click GC, CC and Minimize Memory Usage, the DOMSVGPathSegList dtor is still not called. As a result the DOMSVGPathSegList object stays in the hash table, and the assertion fires on shutdown.
Attachment #759529 -
Attachment is obsolete: true
Assignee | ||
Comment 11•11 years ago
|
||
Okay, this comes down to the generated DOMProxyHandler::hasOwn implementation for DOMSVGPathSegList (called under obj_watch()): bool DOMProxyHandler::hasOwn(JSContext* cx, JS::Handle<JSObject*> proxy, JS::Handle<jsid> id, bool* bp) { MOZ_ASSERT(!xpc::WrapperFactory::IsXrayWrapper(proxy), "Should not have a XrayWrapper here"); int32_t index = GetArrayIndexFromId(cx, id); if (IsArrayIndex(index)) { mozilla::DOMSVGPathSegList* self = UnwrapProxy(proxy); bool found; ErrorResult rv; mozilla::DOMSVGPathSeg* result; result = self->IndexedGetter(index, found, rv); rv.WouldReportJSException(); if (rv.Failed()) { return ThrowMethodFailedWithDetails<true>(cx, rv, "SVGPathSegList", "getItem"); } (void)result; *bp = found; return true; } JS::Rooted<JSObject*> expando(cx, GetExpandoObject(proxy)); if (expando) { JSBool b = true; JSBool ok = JS_HasPropertyById(cx, expando, id, &b); *bp = !!b; if (!ok || *bp) { return ok; } } *bp = false; return true; } 'result' is a raw pointer, so the DOMSVGPathSeg is simply leaked and, since it holds a strong reference to its DOMSVGPathSegList, that object is leaked too, causing the assertion.
Assignee | ||
Comment 12•11 years ago
|
||
DOMProxyHandler::delete_ would seem to have a similar bug: bool DOMProxyHandler::delete_(JSContext* cx, JS::Handle<JSObject*> proxy, JS::Handle<jsid> id, bool* bp) { MOZ_ASSERT(!xpc::WrapperFactory::IsXrayWrapper(proxy), "Should not have a XrayWrapper here"); int32_t index = GetArrayIndexFromId(cx, id); if (IsArrayIndex(index)) { mozilla::DOMSVGPathSegList* self = UnwrapProxy(proxy); bool found; ErrorResult rv; mozilla::DOMSVGPathSeg* result; result = self->IndexedGetter(index, found, rv); rv.WouldReportJSException(); if (rv.Failed()) { return ThrowMethodFailedWithDetails<true>(cx, rv, "SVGPathSegList", "getItem"); } (void)result; if (found) { *bp = false; } else { *bp = true; } // We always return here, even if the property was not found return true; } return dom::DOMProxyHandler::delete_(cx, proxy, id, bp); }
Comment 13•11 years ago
|
||
> 'result' is a raw pointer, so the DOMSVGPathSeg is simply leaked
Uh.... an IndexedGetter is supposed to return a raw pointer. And looking at DOMSVGPathSegList::IndexedGetter it does:
300 return ItemAt(aIndex);
where ItemAt is:
225 return mItems[aIndex].mItem;
Where is the leak, exactly?
Comment 14•11 years ago
|
||
jwatt explained to me on IRC what's going on. The leak is actually inside IndexedGetter when it does EnsureItemAt: that creates a new object with zero refcount and stores a raw pointer to it. The assumption is that after that ItemAt() will get called and stored in a refptr, but that never happens. I suspect the right fix here is to: 1) Change EnsureItemAt to return an already_AddRefed<SVGPathSeg> so the caller makes sure to take ownership, since we depend on that. 2) Remove the "'resultNotAddRefed': [ 'getItem' ]" from the Bindings.conf entry for SVGPathSegList. 3) Change the signatures of SVGPathSegList::GetItem and SVGPathSegList::IndexedGetter to return an already_AddRefed<SVGPathSeg>.
Comment 15•11 years ago
|
||
If the object in the hash table is actually alive at shutdown, then it sounds like this isn't actually a security problem.
Comment 16•11 years ago
|
||
Oh, and: 4) Audit/fix in the same way all the other SVG list classes that have "'resultNotAddRefed': [ 'getItem' ]" in Bindings.conf (looks like SVGLenthList, SVGNumberList, SVGPointList, SVGTransformList, at first glance).
Assignee | ||
Comment 17•11 years ago
|
||
#1-#4 sound fine. Anyone working on this should also be familiar with the comments at the top of: https://mxr.mozilla.org/mozilla-central/source/content/svg/content/src/DOMSVGAnimatedLengthList.h https://mxr.mozilla.org/mozilla-central/source/content/svg/content/src/DOMSVGLengthList.h https://mxr.mozilla.org/mozilla-central/source/content/svg/content/src/DOMSVGLength.h
Assignee | ||
Comment 18•11 years ago
|
||
(In reply to Andrew McCreight [:mccr8] from comment #15) > If the object in the hash table is actually alive at shutdown, then it > sounds like this isn't actually a security problem. That seems to be the case. At least I see no indication that this is anything other than a memory leak.
Assignee | ||
Comment 19•11 years ago
|
||
(In reply to Jonathan Watt [:jwatt] from comment #17) > Anyone working on this... In fact, I'll take this.
Assignee: nobody → jwatt
Updated•11 years ago
|
Keywords: sec-critical → sec-other
Assignee | ||
Comment 20•11 years ago
|
||
For no particular reason I patched SVGTransformList first. I checked that this testcase asserts without the patch. Passed Try: https://tbpl.mozilla.org/?tree=Try&rev=133191ea54bc I'll wait until after r+ to upload the patches for the other types since any review comments may apply to them too.
Attachment #772639 -
Flags: review?(dzbarsky)
Comment 21•11 years ago
|
||
Comment on attachment 772639 [details] [diff] [review] patch for SVGTransformList Review of attachment 772639 [details] [diff] [review]: ----------------------------------------------------------------- Seems sane.
Attachment #772639 -
Flags: review?(dzbarsky) → review+
Assignee | ||
Comment 26•11 years ago
|
||
Hmm, looks like I forgot to |hg add| the tests for the SVGPathSegList and SVGPointsList patches.
Assignee | ||
Comment 27•11 years ago
|
||
Attachment #772952 -
Attachment is obsolete: true
Attachment #772952 -
Flags: review?(dzbarsky)
Attachment #773138 -
Flags: review?(dzbarsky)
Assignee | ||
Comment 28•11 years ago
|
||
Attachment #772953 -
Attachment is obsolete: true
Attachment #772953 -
Flags: review?(dzbarsky)
Attachment #773139 -
Flags: review?(dzbarsky)
Comment 29•11 years ago
|
||
Comment on attachment 773139 [details] [diff] [review] patch for SVGPointsList Review of attachment 773139 [details] [diff] [review]: ----------------------------------------------------------------- ::: content/svg/content/src/crashtests/880544-5.svg @@ +11,5 @@ > + //]]></script> > + > + <polygon id="e" points="0,0"/> > + > +</svg> Did you add the <![CDATA[ because you plan to submit these tests somewhere? I don't think we want this for our own tests.
Attachment #773139 -
Flags: review?(dzbarsky) → review+
Assignee | ||
Comment 30•11 years ago
|
||
(In reply to David Zbarsky (:dzbarsky) from comment #29) > Did you add the <![CDATA[ because you plan to submit these tests somewhere? > I don't think we want this for our own tests. We don't; I just didn't bother cutting that out of Jesse's original testcase. It doesn't matters though, and isn't rally worth spending time updating the patches for I'd think.
Updated•11 years ago
|
Attachment #772950 -
Flags: review?(dzbarsky) → review+
Updated•11 years ago
|
Attachment #772951 -
Flags: review?(dzbarsky) → review+
Updated•11 years ago
|
Attachment #773138 -
Flags: review?(dzbarsky) → review+
Assignee | ||
Comment 31•11 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/9fbdd1b84f77 https://hg.mozilla.org/integration/mozilla-inbound/rev/32d9640c3882 https://hg.mozilla.org/integration/mozilla-inbound/rev/4674ce0eda2a https://hg.mozilla.org/integration/mozilla-inbound/rev/aaba3099e010 https://hg.mozilla.org/integration/mozilla-inbound/rev/4056151eb62b
Comment 32•11 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/4056151eb62b https://hg.mozilla.org/mozilla-central/rev/aaba3099e010 https://hg.mozilla.org/mozilla-central/rev/4674ce0eda2a https://hg.mozilla.org/mozilla-central/rev/32d9640c3882 https://hg.mozilla.org/mozilla-central/rev/9fbdd1b84f77
Status: NEW → RESOLVED
Closed: 11 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla25
Updated•11 years ago
|
status-firefox-esr17:
--- → wontfix
status-firefox-esr24:
--- → wontfix
Comment 33•11 years ago
|
||
Confirmed assertion on shutdown, ASan FF24 2013-06-06. Verified fixed, ASan FF25 2013-10-01.
Updated•11 years ago
|
Whiteboard: [adv-main25+]
Updated•11 years ago
|
Updated•11 years ago
|
Updated•11 years ago
|
Updated•10 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•