Closed
Bug 952570
Opened 11 years ago
Closed 10 years ago
Weak tickler pointer is unsafe
Categories
(Core :: Networking, defect)
Tracking
()
RESOLVED
FIXED
mozilla29
People
(Reporter: jdm, Assigned: gentlefolk)
Details
(Whiteboard: [mentor=jdm][lang=c++])
Attachments
(1 file, 8 obsolete files)
1.85 KB,
patch
|
jdm
:
review+
|
Details | Diff | Splinter Review |
The mTickler weak pointer member in TicklerTimer isn't safe, because do_QueryReferent cannot be used to convert a weak pointer into a concrete C++ type. It happens to work because Ticker only inherits from nsISupports, however this means that if any other nsISupports-derived pointer was stored in mTickler instead, the query would "succeed", but any operations on the resulting concrete Tickler type would be unsafe. The correct fix here is to switch from nsWeakPtr/nsSupportsWeakReference to mfbt's WeakPtr and SupportsWeakPtr types instead (http://mxr.mozilla.org/mozilla-central/source/mfbt/WeakPtr.h).
Reporter | ||
Comment 1•11 years ago
|
||
The problematic code lives in http://mxr.mozilla.org/mozilla-central/source/netwerk/base/src/Tickler.cpp and http://mxr.mozilla.org/mozilla-central/source/netwerk/base/src/Tickler.h .
Assignee | ||
Comment 2•11 years ago
|
||
I'd like to take this on as a first bug if possible.
Reporter | ||
Comment 3•11 years ago
|
||
It's yours! Please ask questions if anything in comment 0 or comment 1 is unclear.
Assignee: nobody → cemacken
Assignee | ||
Comment 4•11 years ago
|
||
Thanks! Are there tests I can use to verify my changes or is this going to be a "correct by design" sort of fix?
Reporter | ||
Comment 5•11 years ago
|
||
Looks like the latter. This seems to only be used on Android, and seems to be tied into the general operation of the networking layer.
Assignee | ||
Comment 6•11 years ago
|
||
Attachment #8351401 -
Flags: review?(josh)
Reporter | ||
Comment 7•11 years ago
|
||
Comment on attachment 8351401 [details] [diff] [review] bug952570_ticklerpointer.diff Review of attachment 8351401 [details] [diff] [review]: ----------------------------------------------------------------- We'll have a peer of the network module review this once you address my comment. Nice job! ::: netwerk/base/src/Tickler.cpp @@ -258,5 @@ > NS_IMPL_ISUPPORTS1(TicklerTimer, nsITimerCallback) > > NS_IMETHODIMP TicklerTimer::Notify(nsITimer *timer) > { > - nsRefPtr<Tickler> tickler = do_QueryReferent(mTickler); I would be inclined to leave the nsRefPtr and maintain a strong reference to the original tickler object to ensure that it remains alive throughout this method.
Attachment #8351401 -
Flags: review?(josh) → feedback+
Assignee | ||
Comment 8•11 years ago
|
||
Attachment #8351405 -
Flags: review?(josh)
Reporter | ||
Comment 9•11 years ago
|
||
Comment on attachment 8351405 [details] [diff] [review] bug952570_ticklerpointer.diff - Addressed feedback from comment 7 Review of attachment 8351405 [details] [diff] [review]: ----------------------------------------------------------------- ::: netwerk/base/src/Tickler.h @@ +53,5 @@ > namespace net { > > #ifdef MOZ_USE_WIFI_TICKLER > > +class Tickler MOZ_FINAL : public nsSupportsWeakReference, Oh, I didn't notice this before. We shouldn't inherit from this type any longer, and I don't think we need to include nsWeakReference.h either.
Attachment #8351405 -
Flags: review?(josh)
Reporter | ||
Comment 10•11 years ago
|
||
If there are build errors as a result, look into the NS_INLINE_DECL_REFCOUNTING macro: http://mxr.mozilla.org/mozilla-central/source/xpcom/glue/nsISupportsImpl.h#362
Assignee | ||
Comment 11•11 years ago
|
||
Attachment #8351408 -
Flags: review?(josh)
Reporter | ||
Comment 12•11 years ago
|
||
Comment on attachment 8351408 [details] [diff] [review] bug952570_ticklerpointer.diff - Addressed feedback from comment 9 Review of attachment 8351408 [details] [diff] [review]: ----------------------------------------------------------------- ::: netwerk/base/src/Tickler.h @@ -57,3 @@ > { > public: > NS_DECL_THREADSAFE_ISUPPORTS Ack, I apologize for the multiple passes here; this line should change to the macro I suggested before, and http://mxr.mozilla.org/mozilla-central/source/netwerk/base/src/Tickler.cpp#21 will need to go away.
Attachment #8351408 -
Flags: review?(josh)
Assignee | ||
Comment 13•11 years ago
|
||
Should I replace the line above with http://mxr.mozilla.org/mozilla-central/source/xpcom/glue/nsISupportsImpl.h#362 or http://mxr.mozilla.org/mozilla-central/source/xpcom/glue/nsISupportsImpl.h#397? There are two additional occurrences of NS_DECL_THREADSAFE_ISUPPORTS of at: http://mxr.mozilla.org/mozilla-central/source/netwerk/base/src/Tickler.cpp#2179 http://mxr.mozilla.org/mozilla-central/source/netwerk/base/src/Tickler.h#106 Should we replace the above as well?
Assignee | ||
Comment 14•11 years ago
|
||
http://mxr.mozilla.org/mozilla-central/source/netwerk/base/src/Tickler.cpp#2179 should be http://mxr.mozilla.org/mozilla-central/source/netwerk/base/src/Tickler.cpp#217
Reporter | ||
Comment 15•11 years ago
|
||
Good catches. If you're replacing a THREADSAFE_ISUPPORTS, use the equivalent THREADSAFE_REFCOUNTING. You should go ahead and replace it in both Tickler definitions, and make the other one not inherit from anything. With regards to the TicklerTimer, that should stay as it is, since it's an XPCOM timer implementation and there's nothing incorrect about it.
Assignee | ||
Comment 16•11 years ago
|
||
Attachment #8351410 -
Flags: review?(josh)
Reporter | ||
Comment 17•11 years ago
|
||
Comment on attachment 8351410 [details] [diff] [review] bug952570_ticklerpointer.diff - Addressed feedback from comment 12 Review of attachment 8351410 [details] [diff] [review]: ----------------------------------------------------------------- You can make the next review go to :mcmanus, who originally created this file according to hg log. Thanks! ::: netwerk/base/src/Tickler.h @@ +57,3 @@ > { > public: > + NS_INLINE_DECL_THREADSAFE_REFCOUNTING(Ticker) s/Ticker/Tickler/
Attachment #8351410 -
Flags: review?(josh) → feedback+
Assignee | ||
Comment 18•11 years ago
|
||
Attachment #8351420 -
Flags: review?(mcmanus)
Comment 19•11 years ago
|
||
Craig, jdm - happy new year and thanks for the patch!
Updated•11 years ago
|
Attachment #8351420 -
Flags: review?(mcmanus) → review+
Reporter | ||
Updated•11 years ago
|
Attachment #8351410 -
Attachment is obsolete: true
Reporter | ||
Updated•11 years ago
|
Attachment #8351408 -
Attachment is obsolete: true
Reporter | ||
Updated•11 years ago
|
Attachment #8351405 -
Attachment is obsolete: true
Reporter | ||
Updated•11 years ago
|
Attachment #8351401 -
Attachment is obsolete: true
Reporter | ||
Comment 20•11 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/8df72b4ee2f1
Reporter | ||
Comment 21•11 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/9f9f1067aea9 Whoops, I should have run it through tryserver first. The android build is broken by these changes; Craig, could you look at the logs at https://tbpl.mozilla.org/php/getParsedLog.php?id=32477609&tree=Mozilla-Inbound and fix the patch up?
Comment 22•11 years ago
|
||
Comment on attachment 8351420 [details] [diff] [review] bug952570_ticklerpointer.diff - Fixed all nitial review comments Review of attachment 8351420 [details] [diff] [review]: ----------------------------------------------------------------- Are we sure using the weakptr is thread-safe? this is apparently being ran on multiple threads. and AFAIK the code for WeakPtr is definitely not thread safe. ::: netwerk/base/src/Tickler.cpp @@ +290,2 @@ > } // namespace mozilla::net > } // namespace mozilla so this whole block can be now removed?
Reporter | ||
Comment 23•11 years ago
|
||
(In reply to Honza Bambas (:mayhemer) from comment #22) > Comment on attachment 8351420 [details] [diff] [review] > bug952570_ticklerpointer.diff - Fixed all nitial review comments > > Review of attachment 8351420 [details] [diff] [review]: > ----------------------------------------------------------------- > > Are we sure using the weakptr is thread-safe? this is apparently being ran > on multiple threads. and AFAIK the code for WeakPtr is definitely not > thread safe. What specific concerns do you have? I don't see any code dealing with threading concerns in nsWeakReference/nsSupportsWeakReference either.
Comment 24•11 years ago
|
||
recently I found out that we are using nsWeakPtr in the new cache wrong and that it is probably a cause of crashes. Scenario: - thread A drops the refcnt to 0, enters the branch that does |delete this| - before thread A reaches the |delete this| line thread B takes and addrefs the referent from weakreference object since we set the *referent* t o NULL from the object's dtor that has not been reached yet - thread A calls |delete this| - thread B works on a deleted object and when it's released it may be (depending on in what state the heap is) double deleted Makes sense?
Assignee | ||
Comment 25•11 years ago
|
||
Re: Comment 21 - I'll look into the android build failures.
Assignee | ||
Comment 26•10 years ago
|
||
Re: Comment 21: The issue with the android build was the change made to address Comment 7. See https://bugzilla.mozilla.org/attachment.cgi?id=8351420&action=diff#a/netwerk/base/src/Tickler.cpp_sec4. The ARM compiler is complaining that we cannot assign a WeakPtr directly to an nsRefPtr object. This can be corrected with a cast, but since I'm not very familiar with the reference counting objects in use I'd like some input on whether this is a reasonable thing to do.
Reporter | ||
Comment 27•10 years ago
|
||
I think |nsRefPtr<Tickler> tickler(mTickler)| should coerce properly.
Reporter | ||
Comment 28•10 years ago
|
||
Comment on attachment 8351420 [details] [diff] [review] bug952570_ticklerpointer.diff - Fixed all nitial review comments Sorry, Craig, but Honza's comment and bug 956327 necessitate a different solution for this bug. The code that exists is still unsafe, but our weak pointer implementations don't handle multiple threads correctly. The solution we should implement is to add an IID to Tickler (NS_DECLARE_STATIC_IID_ACCESSOR and NS_DEFINE_STATIC_IID_ACCESSOR), and change the NS_IMPL_ISUPPORTS1 to add Tickler to the list. This should make the nsRefPtr usage correct, and we'll address the threading problems elsewhere.
Attachment #8351420 -
Flags: review+ → review-
Assignee | ||
Comment 29•10 years ago
|
||
Sure, I'll put together a new patch implementing your suggestions above.
Assignee | ||
Comment 30•10 years ago
|
||
Attachment #8355932 -
Flags: review?(josh)
Reporter | ||
Comment 31•10 years ago
|
||
Comment on attachment 8355932 [details] [diff] [review] bug952570_tickleriid.diff - Addressed feedback from comment 28 This is missing a change to NS_IMPL_ISUPPORTS, otherwise nothing is actually using the new IID.
Assignee | ||
Comment 32•10 years ago
|
||
Ah, I misinterpreted that as reinstating the line that was removed in the original patch. How should I modify the existing ISUPPORTS? It isn't clear to me what specifically needs to change.
Reporter | ||
Comment 33•10 years ago
|
||
If there's an NS_IMPL_ISUPPORTSN, it should become NS_IMPL_ISUPPORTS(N+1) with an additional argument of Tickler. This indicates that attempts to query for the new Tickler IID should succeed and return the Tickler class.
Assignee | ||
Comment 34•10 years ago
|
||
Attachment #8355932 -
Attachment is obsolete: true
Attachment #8355932 -
Flags: review?(josh)
Attachment #8356284 -
Flags: review?(josh)
Reporter | ||
Comment 35•10 years ago
|
||
Comment on attachment 8356284 [details] [diff] [review] bug952570_tickleriid.diff - Addressed feedback from comment 33 > NS_IMPL_ISUPPORTS1(Tickler, nsISupportsWeakReference) >+NS_IMPL_ISUPPORTS2(Tickler) Sorry, this won't build :) NS_IMPL_ISUPPORTS2(Tickler, nsISupportsWeakReference, Tickler) should replace the existing NS_IMPL_ISUPPORTS1
Attachment #8356284 -
Flags: review?(josh) → review-
Assignee | ||
Comment 36•10 years ago
|
||
Attachment #8356284 -
Attachment is obsolete: true
Attachment #8356321 -
Flags: review?(josh)
Reporter | ||
Comment 37•10 years ago
|
||
Comment on attachment 8356321 [details] [diff] [review] bug952570_tickleriid.diff - Addressed feedback from comment 35 I'll throw this at the tryserver and make sure it builds.
Attachment #8356321 -
Flags: review?(josh) → review+
Reporter | ||
Comment 38•10 years ago
|
||
https://tbpl.mozilla.org/?tree=Try&rev=cf5d3319ed61
Reporter | ||
Comment 39•10 years ago
|
||
Whoops, build error on Android, since we're missing an actual definition of NS_TICKLER_IID. See http://mxr.mozilla.org/mozilla-central/source/accessible/public/nsIAccessibilityService.h#29 for an example of one; just run `mach uuid` and split the result up into the appropriate groupings for Tickler's. (oh, and be sure to mark old patches as obsolete when you upload new ones)
Assignee | ||
Comment 40•10 years ago
|
||
Attachment #8351420 -
Attachment is obsolete: true
Attachment #8356321 -
Attachment is obsolete: true
Attachment #8358105 -
Flags: review?(josh)
Reporter | ||
Comment 41•10 years ago
|
||
https://tbpl.mozilla.org/?tree=Try&rev=e27e61283f20
Reporter | ||
Comment 42•10 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/fc819f136ef8
Reporter | ||
Comment 43•10 years ago
|
||
Comment on attachment 8358105 [details] [diff] [review] bug952570_tickleriid.diff - Fixed build error on Android (comment 39) Review of attachment 8358105 [details] [diff] [review]: ----------------------------------------------------------------- Whoops, forgot the r+.
Attachment #8358105 -
Flags: review?(josh) → review+
Comment 44•10 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/fc819f136ef8
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla29
You need to log in
before you can comment on or make changes to this bug.
Description
•