Open Bug 898006 Opened 12 years ago Updated 2 years ago

don't copy subarrays during DestroySubtree

Tracking

()

Status:

NEW

People

(Reporter: froydnj, Unassigned)

Details

Attachments

(1 file)

don't copy subarrays during DestroySubtree 12 years ago Nathan Froyd [:froydnj] 1.67 KB, patch	bent.mozilla : review-	Details \| Diff \| Splinter Review

Nathan Froyd [:froydnj]

Reporter

Description

•

12 years ago

No description provided.

Nathan Froyd [:froydnj]

Reporter

Comment 1

•

12 years ago

Attached patch don't copy subarrays during DestroySubtree — Details — Splinter Review

We do: InfallibleTArray<PBlobParent*>& kids = mManagedPBlobParent; in DeallocSubtree but for whatever reason do: InfallibleTArray<PBlobParent*> kids(mManagedPBlobParent); in DestroySubtree. AFAICS, the copying isn't buying us anything. Fixing DeallocSubtree to use references reduces code size by ~10k or so on ARM. Light mochitest testing on Linux and OS X says this patch is good. If you have other suggested tests to run, I'd be happy to hear about them.

Attachment #781032 - Flags: review?(bent.mozilla)

Ben Turner (not reading bugmail, use the needinfo flag!)

Comment 2

•

12 years ago

Well, DestroySubtree could call other IPC things that could mutate the array, right? In which case our code would walk over the end of the array. I guess theoretically DeallocSubtree could too but since that's supposed to just do memory stuff I'd call that a problem with the caller.

Ben Turner (not reading bugmail, use the needinfo flag!)

Comment 3

•

12 years ago

Comment on attachment 781032 [details] [diff] [review] don't copy subarrays during DestroySubtree Review of attachment 781032 [details] [diff] [review]: ----------------------------------------------------------------- I don't think this is safe as currently written.

Attachment #781032 - Flags: review?(bent.mozilla) → review-

Jed Davis [:jld] ⟨⏰|UTC-8⟩ ⟦he/him⟧

Comment 4

•

9 years ago

(In reply to Ben Turner (not reading bugmail, use the needinfo flag!) from comment #2) > Well, DestroySubtree could call other IPC things that could mutate the > array, right? In which case our code would walk over the end of the array. For what it's worth, there's already a footgun there — if the ActorDestroy callback destroys another actor later in the subtree being destroyed, and its Dealloc routine deletes it, then that causes use-after-free in DestroySubtree via the pointer in the copied array. See bug 1202887 comment #2 for an example. > I guess theoretically DeallocSubtree could too but since that's supposed to > just do memory stuff I'd call that a problem with the caller. I wouldn't make too many assumptions about that — even if the Dealloc routine is just `delete aActor;` it still calls destructors.

Jim Mathies [:jimm]

Updated

•

7 years ago

Priority: -- → P3

BMO Automation

Updated

•

2 years ago

Severity: normal → S3

You need to log in before you can comment on or make changes to this bug.

Bugzilla

don't copy subarrays during DestroySubtree

Categories

(Core :: IPC, defect, P3)

Tracking

()

People

(Reporter: froydnj, Unassigned)

References

Details

Crash Data

Security

(public)

User Story

Attachments

(1 file)

Description

Comment 1

Comment 2

Comment 3

Comment 4

Updated

Updated

Attachment

General

Description

File Name

Content Type