Bug 931991 (Closed) - Opened 11 years ago, Closed 11 years ago
Fix an exact rooting hazard in AttemptAsyncScriptParse
Categories: Core :: DOM: Core & HTML, defect
Status: RESOLVED DUPLICATE of bug 949108
People: Reporter: terrence, Assigned: terrence
Attachments (1 file): patch, 1.15 KB, bholley: review+
Description
The current code does PushJSContext with an unrooted global on the stack. The analysis thinks that PushJSContext can GC because of a call through XPConnect's COM interface. We know in practice this will never GC, but in theory I guess someone could re-implement XPConnect in a C++ extension? For now I think it is fine to root the unrootedGlobal on the script's context before pushing the new context, since we mark all contexts anyway.
Attachment #823513 - Flags: review?(bobbyholley+bmo)
Comment 1 • 11 years ago
Comment on attachment 823513 [details] [diff] [review]
hazard_async_parse-v0.diff

Review of attachment 823513 [details] [diff] [review]:
-----------------------------------------------------------------

> Context can GC because of a call through
> XPConnect's COM interface. We know in practice this will never GC, but in
> theory I guess someone could re-implement XPConnect in a C++ extension?

rofl
Attachment #823513 - Flags: review?(bobbyholley+bmo) → review+
Comment 2 • 11 years ago (Assignee)
https://hg.mozilla.org/integration/mozilla-inbound/rev/cd9d6b4fb8c3
Comment 3 • 11 years ago (Assignee)
And backed out for mochitest failures: https://hg.mozilla.org/integration/mozilla-inbound/rev/3e866558c6f3
Not sure why I didn't see this locally.

15:16:17 INFO - 2282 INFO TEST-PASS | /tests/caps/tests/mochitest/test_bug292789.html | content should not be able to load <script> from chrome://mozapps
15:16:17 INFO - Assertion failure: js::IsInRequest(cx), at ../../../dist/include/js/RootingAPI.h:673
15:16:20 WARNING - TEST-UNEXPECTED-FAIL | /tests/caps/tests/mochitest/test_bug292789.html | application terminated with exit code 256
15:16:20 INFO - INFO | runtests.py | Application ran for: 0:00:52.000677
15:16:20 INFO - INFO | zombiecheck | Reading PID log: /var/folders/0m/735ch_zd4n9dn_dl_4hh6tfc00000w/T/tmpoTP8Szpidlog
15:16:33 WARNING - PROCESS-CRASH | /tests/caps/tests/mochitest/test_bug292789.html | application crashed [@ nsScriptLoader::AttemptAsyncScriptParse(nsScriptLoadRequest*)]
15:16:33 INFO - Crash dump filename: /var/folders/0m/735ch_zd4n9dn_dl_4hh6tfc00000w/T/tmpGTTcmr/minidumps/6AE78677-8715-4730-B273-F1A2A9ECEA74.dmp
15:16:33 INFO - Operating system: Mac OS X
15:16:33 INFO - 10.8.0 12A269
15:16:33 INFO - CPU: amd64
15:16:33 INFO - family 6 model 42 stepping 7
15:16:33 INFO - 8 CPUs
15:16:33 INFO - Crash reason: EXC_BAD_ACCESS / KERN_INVALID_ADDRESS
15:16:33 INFO - Crash address: 0x0
15:16:33 INFO - Thread 0 (crashed)
15:16:33 INFO - 0 XUL!nsScriptLoader::AttemptAsyncScriptParse(nsScriptLoadRequest*) [RootingAPI.h:8ca6961857f5 : 673 + 0x0]
15:16:33 INFO - 1 XUL!nsScriptLoader::ProcessRequest(nsScriptLoadRequest*, void**) [nsScriptLoader.cpp:8ca6961857f5 : 816 + 0xa]
15:16:33 INFO - 2 XUL!nsScriptLoader::ProcessPendingRequests() [nsScriptLoader.cpp:8ca6961857f5 : 1057 + 0xc]
15:16:33 INFO - 3 XUL!nsScriptLoader::OnStreamComplete(nsIStreamLoader*, nsISupports*, tag_nsresult, unsigned int, unsigned char const*) [nsScriptLoader.cpp:8ca6961857f5 : 1266 + 0x7]
15:16:33 INFO - 4 XUL!nsStreamLoader::OnStopRequest(nsIRequest*, nsISupports*, tag_nsresult) [nsStreamLoader.cpp:8ca6961857f5 : 100 + 0xf]
15:16:33 INFO - 5 XUL!nsJARChannel::OnStopRequest(nsIRequest*, nsISupports*, tag_nsresult) [nsJARChannel.cpp:8ca6961857f5 : 978 + 0xb]
15:16:33 INFO - 6 XUL!_ZThn16_N12nsJARChannel13OnStopRequestEP10nsIRequestP11nsISupports12tag_nsresult [nsJARChannel.cpp:8ca6961857f5 : 994 + 0x8]
15:16:33 INFO - 7 XUL!nsInputStreamPump::OnStateStop() [nsInputStreamPump.cpp:8ca6961857f5 : 702 + 0x8]
15:16:33 INFO - 8 XUL!nsInputStreamPump::OnInputStreamReady(nsIAsyncInputStream*) [nsInputStreamPump.cpp:8ca6961857f5 : 437 + 0x7]
15:16:33 INFO - 9 XUL!nsInputStreamReadyEvent::Run() [nsStreamUtils.cpp:8ca6961857f5 : 85 + 0x8]
15:16:33 INFO - 10 XUL!nsThread::ProcessNextEvent(bool, bool*) [nsThread.cpp:8ca6961857f5 : 622 + 0x5]
15:16:33 INFO - 11 XUL!NS_ProcessPendingEvents(nsIThread*, unsigned int) [nsThreadUtils.cpp:8ca6961857f5 : 201 + 0xe]
15:16:33 INFO - 12 XUL!nsBaseAppShell::NativeEventCallback() [nsBaseAppShell.cpp:8ca6961857f5 : 95 + 0xe]
15:16:33 INFO - 13 XUL!nsAppShell::ProcessGeckoEvents(void*) [nsAppShell.mm:8ca6961857f5 : 388 + 0x7]
15:16:33 INFO - 14 CoreFoundation + 0x12840
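A miniature C++ model of the hazard the description talks about and of the js::IsInRequest(cx) assertion in comment 3, added here as an illustration. It is not Mozilla code; Runtime, Context, Rooted, rootingAllowed and pushContextMayGC are constructed stand-ins for the SpiderMonkey pieces the thread names (JSRuntime, JSContext, JS::Rooted, JSAutoRequest, PushJSContext), kept to the one property each needs.

```cpp
#include <cassert>
#include <unordered_set>
#include <vector>
struct Object { int payload; bool marked = false; };
struct Context {
    std::vector<Object**> roots;   // exact root stack: addresses of rooted slots
    bool inRequest = false;        // models what js::IsInRequest(cx) checks
};
struct Runtime {
    std::unordered_set<Object*> heap;
    std::vector<Context*> contexts;   // roots of every context get marked
    ~Runtime() { for (Object* o : heap) delete o; }
    Object* alloc(int v) { Object* o = new Object{v}; heap.insert(o); return o; }
    void gc() {                       // mark from all root stacks, sweep the rest
        for (Context* cx : contexts)
            for (Object** slot : cx->roots) if (*slot) (*slot)->marked = true;
        for (auto it = heap.begin(); it != heap.end();) {
            if (!(*it)->marked) { delete *it; it = heap.erase(it); }
            else { (*it)->marked = false; ++it; }
        }
    }
    bool live(Object* o) const { return heap.count(o) != 0; }
};
bool rootingAllowed(const Context& cx) { return cx.inRequest; }
// RAII root in the spirit of JS::Rooted<T>: registers its slot with cx.
struct Rooted {
    Context* cx; Object* ptr;
    Rooted(Context* c, Object* p) : cx(c), ptr(p) {
        assert(rootingAllowed(*cx));  // the assertion that fired in comment 3
        cx->roots.push_back(&ptr);
    }
    ~Rooted() { cx->roots.pop_back(); }
};
void pushContextMayGC(Runtime& rt) { rt.gc(); }  // PushJSContext as a GC point
// Before the patch: the global sits in a bare pointer across the GC point.
bool unrootedGlobalSurvives() {
    Runtime rt; Context scriptCx; rt.contexts.push_back(&scriptCx);
    Object* unrootedGlobal = rt.alloc(1);
    pushContextMayGC(rt);
    return rt.live(unrootedGlobal);   // false: swept out from under the caller
}
// After the patch: root on the script's context, inside a request, first.
bool rootedGlobalSurvives() {
    Runtime rt; Context scriptCx; rt.contexts.push_back(&scriptCx);
    scriptCx.inRequest = true;        // what a JSAutoRequest would establish
    Rooted global(&scriptCx, rt.alloc(2));
    pushContextMayGC(rt);
    return rt.live(global.ptr);       // true: the root stack keeps it alive
}
```

Constructing a Rooted on a context that is not in a request trips the same check that aborted the mochitest run, which is why rootingAllowed is tested separately instead of letting the assert fire.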
Updated • 11 years ago (Assignee)
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE

Updated • 5 years ago
Component: DOM → DOM: Core & HTML