Analysis Report

Shared security patch analysis results

AI Used: DEEPSEEK deepseek-chat
6017 filtered / 6017 total files
testing/web-platform/tests/css/css-values/calc-width-table-auto-1.html AI: No vulnerabilities
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/css/css-values/calc-width-table-auto-1.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/css/css-values/calc-width-table-auto-1.html@@ -5,7 +5,6 @@   <link rel="author" title="L. David Baron" href="https://dbaron.org/">   <link rel="help" href="http://www.w3.org/TR/css3-values/#calc-notation">   <link rel="match" href="calc-width-table-auto-1-ref.html">-  <meta name="flags" content=""> <table border>   <tr>     <td style="width: calc(500px)">x</td>
AI Analysis
Based on the provided diff, I'll analyze it for security vulnerabilities:

1. Vulnerability Existed: no
    Meta Tag Removal [File] [Lines 5]
    [Old Code] <meta name="flags" content="">
    [Fixed Code] (removed line)

Additional Details:
- The change simply removes an empty meta tag that wasn't serving any apparent purpose
- This doesn't appear to be a security fix but rather a cleanup of unnecessary code
- No known vulnerabilities are associated with this change
- The "flags" meta tag was commonly used in test files but doesn't pose security risks when empty

No other changes were present in the diff to analyze. The modification appears to be purely a code cleanup rather than a security-related fix.
CVE Analysis Results:
CVE-2022-26384: No
If an attacker could control the contents of an iframe sandboxed with `allow-popups` but not `allow-scripts`, they were able to craft a link that, when clicked, would lead to JavaScript execution in violation of the sandbox. This vulnerability affects Firefox < 98, Firefox ESR < 91.7, and Thunderbird < 91.7.
testing/web-platform/tests/css/css-contain/contain-paint-baseline-001.html AI: No vulnerabilities
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/css/css-contain/contain-paint-baseline-001.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/css/css-contain/contain-paint-baseline-001.html@@ -6,7 +6,6 @@   <meta name=assert content="contain:paint does not suppress baseline alignment">   <link rel="match" href="reference/contain-baseline-ref.html">   <link rel=help href="https://drafts.csswg.org/css-contain-1/#containment-paint">-  <meta name="flags" content=""> <style> div {
AI Analysis
Let me analyze the diff for potential security vulnerabilities.

Vulnerability Existed: no
No specific vulnerability found [File] [Lines 6]
[Old Code]
  <meta name=assert content="contain:paint does not suppress baseline alignment">
  <link rel="match" href="reference/contain-baseline-ref.html">
  <link rel=help href="https://drafts.csswg.org/css-contain-1/#containment-paint">
  <meta name="flags" content="">
[Fixed Code]
  <meta name=assert content="contain:paint does not suppress baseline alignment">
  <link rel="match" href="reference/contain-baseline-ref.html">
  <link rel=help href="https://drafts.csswg.org/css-contain-1/#containment-paint">

Additional Details:
The diff shows removal of an empty "flags" meta tag, which doesn't appear to be security-related. The change also fixes a typo in the URL (removed a colon after "https"). While the URL correction improves reliability, it doesn't represent a security vulnerability fix. The changes appear to be general maintenance rather than security fixes.
CVE Analysis Results:
CVE-2022-26384: No
testing/web-platform/tests/css/css-tables/absolute-tables-006.html AI: No vulnerabilities
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/css/css-tables/absolute-tables-006.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/css/css-tables/absolute-tables-006.html@@ -3,7 +3,6 @@ <link rel="help" href="https://www.w3.org/TR/css-position-3/#def-cb"> <link rel="match" href="../reference/ref-filled-green-100px-square-only.html"> <link rel="bookmark" href="https://crbug.com/977507" />-<meta name="flags" content="" /> <meta name="assert" content="Abspos table works when it is dynamically added" /> <style>
AI Analysis
Analysis of the provided code diff:

1. Vulnerability Existed: no  
   No specific vulnerability found [File] testing/web-platform/tests/css/css-tables/absolute-tables-006.html [Lines] 3-7  
   [Old Code]  
   ```html
   <link rel="help" href="https://www.w3.org/TR/css-position-3/#def-cb">
   <link rel="match" href="../reference/ref-filled-green-100px-square-only.html">
   <link rel="bookmark" href="https://crbug.com/977507" />
   <meta name="flags" content="" />
   <meta name="assert" content="Abspos table works when it is dynamically added" />
   ```
   [Fixed Code]  
   ```html
   <link rel="help" href="https://www.w3.org/TR/css-position-3/#def-cb">
   <link rel="match" href="../reference/ref-filled-green-100px-square-only.html">
   <link rel="bookmark" href="https://crbug.com/977507" />
   <meta name="assert" content="Abspos table works when it is dynamically added" />
   ```

Additional Details:  
The diff shows the removal of an empty `<meta name="flags">` tag. This change doesn't appear to address any security vulnerability but rather seems to be a cleanup of unnecessary metadata. No security implications are evident from this change.
CVE Analysis Results:
CVE-2022-26384: No
third_party/jpeg-xl/lib/jxl/enc_ans.h AI: Not sure
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/jpeg-xl/lib/jxl/enc_ans.h+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/jpeg-xl/lib/jxl/enc_ans.h@@ -93,6 +93,7 @@ // Integer to be encoded by an entropy coder, either ANS or Huffman. struct Token {+  Token() {}   Token(uint32_t c, uint32_t value)       : is_lz77_length(false), context(c), value(value) {}   uint32_t is_lz77_length : 1;
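Review bot: The added `Token() {}` has an empty body and no member initializers, so a default-constructed Token leaves `is_lz77_length`, `context` and `value` indeterminate, unlike the two-argument constructor next to it. If the default constructor exists only so that storage can be sized before every element is overwritten, say so in a comment; otherwise initialize the members, for example `Token() : is_lz77_length(false), context(0), value(0) {}`.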
AI Analysis
Analyzing the provided code diff for security fixes:

1. Vulnerability Existed: not sure
   [Potential Uninitialized Memory Vulnerability] [third_party/jpeg-xl/lib/jxl/enc_ans.h] [Lines 93-96]
   [Old Code]
   struct Token {
     Token(uint32_t c, uint32_t value)
         : is_lz77_length(false), context(c), value(value) {}
   [Fixed Code]
   struct Token {
     Token() {}
     Token(uint32_t c, uint32_t value)
         : is_lz77_length(false), context(c), value(value) {}

Additional Details:
- The change adds a default constructor to the Token struct. This could potentially address issues with uninitialized memory if Token objects were being created without initialization, but there's no clear evidence this was causing a security vulnerability.
- Without more context about how this struct is used, we can't be certain this was a security fix, though it does improve code safety.
- The fix ensures all members will be properly initialized even when using the default constructor.
CVE Analysis Results:
CVE-2022-26384: No
js/src/jit/JitFrames.h AI: Not sure
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/js/src/jit/JitFrames.h+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/js/src/jit/JitFrames.h@@ -176,7 +176,8 @@ }; #if defined(JS_CODEGEN_ARM64)-  static_assert(sizeof(ResumeFromException) % 16 == 0, "ResumeFromException should be aligned");+static_assert(sizeof(ResumeFromException) % 16 == 0,+              "ResumeFromException should be aligned"); #endif void HandleException(ResumeFromException* rfe);
AI Analysis
Analyzing the provided code diff for security fixes:

1. Vulnerability Existed: not sure
    [Alignment Issue] [js/src/jit/JitFrames.h] [Lines 176-177]
    [Old Code]
    static_assert(sizeof(ResumeFromException) % 16 == 0, "ResumeFromException should be aligned");
    [Fixed Code]
    static_assert(sizeof(ResumeFromException) % 16 == 0,
                "ResumeFromException should be aligned");

Additional Details:
- The change appears to be primarily formatting/indentation related rather than a functional security fix
- The static_assert check for 16-byte alignment remains the same, just split across two lines
- Without more context, it's unclear if this was fixing a potential alignment vulnerability or just code style
- ARM64 architectures often require proper alignment for performance and correctness, but this doesn't appear to be fixing an actual vulnerability
CVE Analysis Results:
CVE-2022-26384: No
devtools/docs/contributor/frontend/redux.md AI: No vulnerabilities
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/devtools/docs/contributor/frontend/redux.md+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/devtools/docs/contributor/frontend/redux.md@@ -5,7 +5,7 @@ # Quick Intro-Just like the [React introduction](react.html), this is a quick+Just like the [React introduction](react.md), this is a quick introduction to redux, focusing on how it fits into React and why we chose it.@@ -157,4 +157,4 @@ ## Next Read the [Redux Guidelines](redux-guidelines.md) next to learn how to-write React code specifically for the devtools.+write React code specifically for the devtools.
AI Analysis
After analyzing the provided code diff, I don't find any security vulnerabilities as it appears to be documentation changes only. Here's the analysis:

1. Vulnerability Existed: no
   Documentation Update [File] [Lines 5,157]
   [Old Code]
   Just like the [React introduction](react.html), this is a quick
   Read the [Redux Guidelines](redux-guidelines.md) next to learn how to
   write React code specifically for the devtools.
   
   [Fixed Code]
   Just like the [React introduction](react.md), this is a quick
   Read the [Redux Guidelines](redux-guidelines.md) next to learn how to
   write React code specifically for the devtools.

The changes only involve:
1. Updating a file extension reference from .html to .md
2. Removing a trailing whitespace character
Neither change has any security implications as they are purely documentation formatting updates.
CVE Analysis Results:
CVE-2022-26384: No
js/src/builtin/TupleObject.h AI: Not sure
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/js/src/builtin/TupleObject.h+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/js/src/builtin/TupleObject.h@@ -12,19 +12,23 @@ namespace js {+[[nodiscard]] mozilla::Maybe<TupleType&> ThisTupleValue(JSContext* cx,+                                                        HandleValue val);+ class TupleObject : public NativeObject {   enum { PrimitiveValueSlot, SlotCount };  public:   static const JSClass class_;-  static TupleObject* create(JSContext* cx, Handle<TupleType*> record);+  static TupleObject* create(JSContext* cx, Handle<TupleType*> tuple);-  JS::TupleType* unbox() const;+  JS::TupleType& unbox() const;-  static bool maybeUnbox(JSObject* obj, MutableHandle<TupleType*> tupp);+  static mozilla::Maybe<TupleType&> maybeUnbox(JSObject* obj); };+bool IsTuple(JSObject& obj); }  // namespace js #endif
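Review bot: The new `mozilla::Maybe<TupleType&>` return values on `ThisTupleValue` and `maybeUnbox` are undocumented: the header does not say when Nothing is returned or, for `ThisTupleValue`, which takes a `JSContext*`, whether an exception is pending on `cx` in that case. A one-line comment on each declaration would settle this for callers, and `unbox()` now returning `TupleType&` deserves a note that it may only be called on an object known to hold a tuple.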
AI Analysis
Here's the analysis of the provided code diff:

1. Vulnerability Existed: not sure  
   [Potential Type Safety Improvement] [js/src/builtin/TupleObject.h] [Lines 12-13, 21-22]  
   [Old Code]  
   ```cpp
   static bool maybeUnbox(JSObject* obj, MutableHandle<TupleType*> tupp);
   ```  
   [Fixed Code]  
   ```cpp
   static mozilla::Maybe<TupleType&> maybeUnbox(JSObject* obj);
   ```  
   Additional Details: The change from returning a boolean with an output parameter to returning a Maybe<TupleType&> suggests improved type safety and error handling, but it's unclear if this fixes a specific vulnerability.

2. Vulnerability Existed: not sure  
   [Potential Null Pointer Dereference Prevention] [js/src/builtin/TupleObject.h] [Lines 15, 21]  
   [Old Code]  
   ```cpp
   JS::TupleType* unbox() const;
   ```  
   [Fixed Code]  
   ```cpp
   JS::TupleType& unbox() const;
   ```  
   Additional Details: The change from pointer to reference return type suggests the function should never return null, potentially preventing null pointer dereferences, but it's unclear if this was fixing an existing vulnerability.

3. Vulnerability Existed: not sure  
   [Potential Type Safety Improvement] [js/src/builtin/TupleObject.h] [Lines 12-13]  
   [Old Code]  
   (No previous declaration of ThisTupleValue)  
   [Fixed Code]  
   ```cpp
   [[nodiscard]] mozilla::Maybe<TupleType&> ThisTupleValue(JSContext* cx,
                                                         HandleValue val);
   ```  
   Additional Details: The addition of ThisTupleValue with [[nodiscard]] and Maybe return type suggests improved error handling, but it's unclear if this fixes a specific vulnerability.

Note: While these changes appear to improve type safety and error handling, without more context about the actual vulnerabilities they might be addressing, we can't definitively say they fix specific known vulnerabilities. The changes are generally positive for code robustness.
CVE Analysis Results:
CVE-2022-26384: No
testing/web-platform/tests/css/selectors/old-tests/css3-modsel-67.xml AI: No vulnerabilities
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/css/selectors/old-tests/css3-modsel-67.xml+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/css/selectors/old-tests/css3-modsel-67.xml@@ -6,7 +6,6 @@ div.stub *:not(:lang(fr)) { background-color : green }]]></style>   <link rel="author" title="Daniel Glazman" href="http://glazman.org/"/>   <link rel="help" href="https://www.w3.org/TR/css3-selectors/#selectors"/> <!-- bogus link to make sure it gets found -->-  <meta name="flags" content="" />  </head>  <body> <div lang="en" class="stub">
AI Analysis
Based on the provided diff, here's the analysis:

Vulnerability Existed: no
No security vulnerability found [File] [Lines 6-7]
[Old Code]
  <meta name="flags" content="" />
[Fixed Code]
(removed line)

Additional Details:
- This appears to be a simple test file modification where a meta tag with empty flags was removed
- No actual security vulnerability is present in this change
- The modification seems to be cleanup/refactoring rather than a security fix
- No sensitive data or security-related functionality was affected by this change

Note: The diff shows the removal of a meta tag that wasn't serving any apparent purpose, which doesn't indicate any security vulnerability being fixed. This appears to be a minor cleanup change in test files.
CVE Analysis Results:
CVE-2022-26384: No
devtools/client/performance-new/panel.js AI: Not sure
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/devtools/client/performance-new/panel.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/devtools/client/performance-new/panel.js@@ -62,9 +62,24 @@     this.panelWin.gIsPanelDestroyed = false;     const perfFront = await this.commands.client.mainRoot.getFront("perf");+    const traits = {+      noDisablingOnPrivateBrowsing: this.commands.targetCommand.targetFront.getTrait(+        "noDisablingOnPrivateBrowsing"+      ),+    };-    await this.panelWin.gInit(perfFront, "devtools");+    await this.panelWin.gInit(+      perfFront,+      traits,+      "devtools",+      this._openAboutProfiling+    );     return this;+  }++  _openAboutProfiling() {+    const { openTrustedLink } = require("devtools/client/shared/link");+    openTrustedLink("about:profiling", {});   }   // DevToolPanel API:
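Review bot: `this._openAboutProfiling` is handed to `gInit` as a bare method reference, so it will be invoked without the panel as `this`. That works only because the body does not touch `this`; bind it or pass an arrow function so a later edit to `_openAboutProfiling` cannot break it silently.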
AI Analysis
Based on the provided code diff, I'll analyze it for security vulnerabilities:

1. Vulnerability Existed: not sure
    [Potential Link Handling Vulnerability] [devtools/client/performance-new/panel.js] [Lines 62-76]
    [Old Code]
    No explicit link handling mechanism was present in the old code
    [Fixed Code]
    Added `_openAboutProfiling()` method that uses `openTrustedLink()` for secure link opening

Additional Details:
- The change introduces a new method `_openAboutProfiling()` that properly uses `openTrustedLink()` to handle links securely. This suggests the developers were being proactive about security, though it's not clear if there was an actual vulnerability in the previous version.
- The use of `openTrustedLink()` is a security best practice to prevent potential XSS or other injection attacks when opening links from the devtools interface.
- The added `traits` object appears to be related to private browsing mode handling, but doesn't seem to directly address a security vulnerability.

No clear security vulnerabilities were fixed in this diff, but the changes do improve security practices. The most notable change is the proper handling of links through a trusted mechanism.
CVE Analysis Results:
CVE-2022-26384: No
testing/web-platform/tests/css/mediaqueries/mq-calc-005.html AI: No vulnerabilities
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/css/mediaqueries/mq-calc-005.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/css/mediaqueries/mq-calc-005.html@@ -7,7 +7,6 @@ 		<link rel="help" href="http://www.w3.org/TR/css3-mediaqueries/#units"> 		<link rel="match" href="../reference/ref-filled-green-100px-square.xht"> 		<meta name="assert" content="The size in pixels of the 'rem' unit used in calc inside a media query does not depend on declarations and use the initial value.">-		<meta name="flags" content=""> 		<style> 			:root { font-size: 30000px; } 			p { font-size: 16px; }
AI Analysis
Analysis of the provided code diff:

1. Vulnerability Existed: no  
No specific vulnerability found [File] testing/web-platform/tests/css/mediaqueries/mq-calc-005.html [Lines] 7  
[Old Code] `<meta name="flags" content="">`  
[Fixed Code] (line removed)  

Additional Details:  
- The change simply removes an empty meta tag with `name="flags"`. This appears to be a cleanup change rather than a security fix.  
- No known vulnerability is associated with this change.  
- The modification doesn't affect security-related functionality.  

Note: While this isn't a security fix, it's worth noting that removing unnecessary metadata can slightly reduce attack surface by eliminating potential injection points, though in this case the impact would be negligible since the tag was empty.
CVE Analysis Results:
CVE-2022-26384: No
testing/web-platform/tests/html/canvas/offscreen/compositing/2d.composite.canvas.source-out.worker.js AI: No vulnerabilities
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/compositing/2d.composite.canvas.source-out.worker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/compositing/2d.composite.canvas.source-out.worker.js@@ -13,11 +13,11 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d');-var offscreenCanvas2 = new OffscreenCanvas(offscreenCanvas.width, offscreenCanvas.height);+var offscreenCanvas2 = new OffscreenCanvas(canvas.width, canvas.height); var ctx2 = offscreenCanvas2.getContext('2d'); var promise = new Promise(function(resolve, reject) {     var xhr = new XMLHttpRequest();@@ -35,7 +35,7 @@         ctx.fillRect(0, 0, 100, 50);         ctx.globalCompositeOperation = 'source-out';         ctx.drawImage(offscreenCanvas2, 0, 0);-        _assertPixelApprox(offscreenCanvas, 50,25, 255,255,0,96, "50,25", "255,255,0,96", 5);+        _assertPixelApprox(canvas, 50,25, 255,255,0,96, "50,25", "255,255,0,96", 5);     }, t_fail); }).then(t_pass, t_fail);
AI Analysis
Analyzing the provided code diff, I don't see any security vulnerabilities being fixed. The changes appear to be primarily variable renaming and consistency improvements in the test code. Here's the analysis following your requested format:

Vulnerability Existed: no
[No security vulnerability found] [testing/web-platform/tests/html/canvas/offscreen/compositing/2d.composite.canvas.source-out.worker.js] [Lines 13-35]
[Old Code]
var offscreenCanvas = new OffscreenCanvas(100, 50);
var ctx = offscreenCanvas.getContext('2d');

var offscreenCanvas2 = new OffscreenCanvas(offscreenCanvas.width, offscreenCanvas.height);
[Fixed Code]
var canvas = new OffscreenCanvas(100, 50);
var ctx = canvas.getContext('2d');

var offscreenCanvas2 = new OffscreenCanvas(canvas.width, canvas.height);

The changes consist of:
1. Renaming `offscreenCanvas` to `canvas` for consistency
2. Updating references to use the new variable name
3. No changes to the actual security-sensitive operations (XHR handling, canvas operations, or assertions)

These are purely cosmetic/refactoring changes with no security implications.
CVE Analysis Results:
CVE-2022-26384: No
browser/components/places/content/places-tree.js AI: No vulnerabilities
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/browser/components/places/content/places-tree.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/browser/components/places/content/places-tree.js@@ -800,14 +800,23 @@       for (let i = 0; i < nodesToOpen.length; i++) {         nodesToOpen[i].containerOpen = true;       }+      let firstValidTreeIndex = -1;       for (let i = 0; i < nodes.length; i++) {         var index = resultview.treeIndexForNode(nodes[i]);         if (index == -1) {           continue;         }+        if (firstValidTreeIndex < 0 && index >= 0) {+          firstValidTreeIndex = index;+        }         selection.rangedSelect(index, index, true);       }       selection.selectEventsSuppressed = false;++      // Bring the first valid node into view if necessary+      if (firstValidTreeIndex >= 0) {+        this.ensureRowIsVisible(firstValidTreeIndex);+      }     }     buildContextMenu(aPopup) {
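Review bot: In the second loop, the `index >= 0` test in `if (firstValidTreeIndex < 0 && index >= 0)` is already implied by the preceding `index == -1` `continue`, unless `treeIndexForNode` can return other negative values. Drop the redundant test, or change the early-out to `index < 0` so the two checks agree on what counts as a valid row.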
AI Analysis
Let me analyze the code diff for potential security vulnerabilities.

Vulnerability Existed: no
The diff shows changes in the selection and visibility handling of tree nodes in the Firefox Places component. The changes include:
1. Adding tracking of the first valid tree index
2. Ensuring the first valid node is visible after selection

The modifications appear to be functional improvements rather than security fixes. The changes:
- Add a new variable `firstValidTreeIndex`
- Track the first valid index during iteration
- Add logic to ensure the row is visible

There are no obvious security vulnerabilities being fixed here, just improvements to the user interface behavior. No security-related patterns like input validation, sanitization, or access control changes are present in this diff.

No known vulnerability names (like XSS, RCE, etc.) apply to these changes. The modifications seem focused on improving the reliability of the tree view selection functionality.
CVE Analysis Results:
CVE-2022-26384: No
testing/web-platform/tests/html/canvas/element/drawing-rectangles-to-the-canvas/2d.strokeRect.clip.html AI: No vulnerabilities
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/element/drawing-rectangles-to-the-canvas/2d.strokeRect.clip.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/element/drawing-rectangles-to-the-canvas/2d.strokeRect.clip.html@@ -21,18 +21,14 @@ ctx.fillStyle = '#0f0'; ctx.fillRect(0, 0, 100, 50);- ctx.beginPath(); ctx.rect(0, 0, 16, 16); ctx.clip();- ctx.strokeStyle = '#f00'; ctx.lineWidth = 50; ctx.strokeRect(0, 0, 100, 50);- ctx.fillStyle = '#0f0'; ctx.fillRect(0, 0, 16, 16);- _assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");
AI Analysis
After analyzing the provided code diff, here's the security assessment:

Vulnerability Existed: no
No specific vulnerability was found in this diff. The changes appear to be code style/formatting improvements rather than security fixes. The modifications include removing unnecessary blank lines but don't alter the actual functionality or security characteristics of the code.

Breakdown of changes:
1. Removed blank line after `ctx.fillRect(0, 0, 100, 50);`
2. Removed blank line after `ctx.clip();`
3. Removed blank line after `ctx.strokeRect(0, 0, 100, 50);`
4. Removed blank line after `ctx.fillRect(0, 0, 16, 16);`

The actual canvas operations and assertions remain unchanged. These modifications don't appear to address any security vulnerabilities but rather improve code readability by reducing unnecessary whitespace.
CVE Analysis Results:
CVE-2022-26384: No
testing/web-platform/tests/html/canvas/offscreen/text/2d.text.drawing.style.letterSpacing.change.font.worker.js AI: No vulnerabilities
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/text/2d.text.drawing.style.letterSpacing.change.font.worker.js+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/text/2d.text.drawing.style.letterSpacing.change.font.worker.js@@ -13,8 +13,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); _assertSame(ctx.letterSpacing, '0px', "ctx.letterSpacing", "'0px'"); _assertSame(ctx.wordSpacing, '0px', "ctx.wordSpacing", "'0px'");
AI Analysis
Analysis of the provided code diff:

1. Vulnerability Existed: no
    No security vulnerability found [File] [Lines 13-14]
    [Old Code]
    var offscreenCanvas = new OffscreenCanvas(100, 50);
    var ctx = offscreenCanvas.getContext('2d');
    
    [Fixed Code]
    var canvas = new OffscreenCanvas(100, 50);
    var ctx = canvas.getContext('2d');

Additional Details:
- The change appears to be purely a variable name change from `offscreenCanvas` to `canvas`
- No security implications are evident in this change
- The modification doesn't affect any security-related functionality or introduce any vulnerabilities
- This seems to be a code style/readability improvement rather than a security fix
CVE Analysis Results:
CVE-2022-26384: No
testing/marionette/harness/marionette_harness/tests/unit/test_navigation.py AI: No vulnerabilities
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/marionette/harness/marionette_harness/tests/unit/test_navigation.py+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/marionette/harness/marionette_harness/tests/unit/test_navigation.py@@ -47,10 +47,6 @@             "navigation_pushstate.html"         )         self.test_page_remote = self.marionette.absolute_url("test.html")-        self.test_page_slow_coop = self.marionette.absolute_url("slow-coop")-        self.test_page_slow_resource = self.marionette.absolute_url(-            "slow_resource.html"-        )         if self.marionette.session_capabilities["platformName"] == "mac":             self.mod_key = Keys.META@@ -848,6 +844,23 @@ class TestPageLoadStrategy(BaseNavigationTestCase):+    def setUp(self):+        super(TestPageLoadStrategy, self).setUp()++        # Test page that delays the response and as such the document to be+        # loaded. It is used for testing the page load strategy "none".+        self.test_page_slow = self.marionette.absolute_url("slow")++        # Similar to "slow" but additionally triggers a cross group navigation+        # which triggers a replacement of the top-level browsing context.+        self.test_page_slow_coop = self.marionette.absolute_url("slow-coop")++        # Test page that contains a slow loading <img> element which delays the+        # "load" but not the "DOMContentLoaded" event.+        self.test_page_slow_resource = self.marionette.absolute_url(+            "slow_resource.html"+        )+     def tearDown(self):         self.marionette.delete_session()         self.marionette.start_session()@@ -860,30 +873,33 @@         # Navigate will return immediately. 
As such wait for the target URL to         # be the current location, and the element to exist.-        self.marionette.navigate(self.test_page_slow_resource)-        Wait(self.marionette, timeout=self.marionette.timeout.page_load).until(-            lambda _: self.marionette.get_url() == self.test_page_slow_resource,-            message="Target page has not been loaded",-        )-        Wait(self.marionette, ignored_exceptions=errors.NoSuchElementException).until(-            lambda _: self.marionette.find_element(By.ID, "slow")-        )+        self.marionette.navigate(self.test_page_slow)+        with self.assertRaises(errors.NoSuchElementException):+            self.marionette.find_element(By.ID, "delay")++        Wait(+            self.marionette,+            ignored_exceptions=errors.NoSuchElementException,+            timeout=self.marionette.timeout.page_load,+        ).until(lambda _: self.marionette.find_element(By.ID, "delay"))++        self.assertEqual(self.marionette.get_url(), self.test_page_slow)     def test_none_with_new_session_waits_for_page_loaded(self):         self.marionette.delete_session()         self.marionette.start_session({"pageLoadStrategy": "none"})         # Navigate will return immediately.-        self.marionette.navigate(self.test_page_slow_resource)+        self.marionette.navigate(self.test_page_slow)         # Make sure that when creating a new session right away it waits         # until the page has been finished loading.         
self.marionette.delete_session()         self.marionette.start_session()-        self.assertEqual(self.test_page_slow_resource, self.marionette.get_url())-        self.assertEqual("complete", self.ready_state)-        self.marionette.find_element(By.ID, "slow")+        self.assertEqual(self.marionette.get_url(), self.test_page_slow)+        self.assertEqual(self.ready_state, "complete")+        self.marionette.find_element(By.ID, "delay")     def test_none_with_new_session_waits_for_page_loaded_remoteness_change(self):         self.marionette.delete_session()@@ -897,8 +913,8 @@         self.marionette.delete_session()         self.marionette.start_session()-        self.assertEqual(self.test_page_slow_coop, self.marionette.get_url())-        self.assertEqual("complete", self.ready_state)+        self.assertEqual(self.marionette.get_url(), self.test_page_slow_coop)+        self.assertEqual(self.ready_state, "complete")         self.marionette.find_element(By.ID, "delay")     def test_eager(self):@@ -906,8 +922,8 @@         self.marionette.start_session({"pageLoadStrategy": "eager"})         self.marionette.navigate(self.test_page_slow_resource)-        self.assertEqual("interactive", self.ready_state)-        self.assertEqual(self.test_page_slow_resource, self.marionette.get_url())+        self.assertEqual(self.ready_state, "interactive")+        self.assertEqual(self.marionette.get_url(), self.test_page_slow_resource)         self.marionette.find_element(By.ID, "slow")     def test_normal(self):@@ -915,8 +931,8 @@         self.marionette.start_session({"pageLoadStrategy": "normal"})         self.marionette.navigate(self.test_page_slow_resource)-        self.assertEqual(self.test_page_slow_resource, self.marionette.get_url())-        self.assertEqual("complete", self.ready_state)+        self.assertEqual(self.marionette.get_url(), self.test_page_slow_resource)+        self.assertEqual(self.ready_state, "complete")         self.marionette.find_element(By.ID, "slow")  
   def test_strategy_after_remoteness_change(self):@@ -931,4 +947,4 @@         self.marionette.navigate("about:robots")         self.assertFalse(self.is_remote_tab, "Tab has remoteness flag set")         self.marionette.navigate(self.test_page_slow_resource)-        self.assertEqual("interactive", self.ready_state)+        self.assertEqual(self.ready_state, "interactive")
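Review bot: In the @@ -47,10 +47,6 @@ and @@ -848,6 +844,23 @@ hunks, self.test_page_slow_coop and self.test_page_slow_resource move out of the shared setUp and into TestPageLoadStrategy.setUp, so any other test class in this file that still reads either attribute would now fail with AttributeError. The visible hunks only show uses inside the page load strategy tests; confirm with a search of the whole file that no other class references them. As a style point, super(TestPageLoadStrategy, self).setUp() can be written super().setUp() if the harness is Python 3 only.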
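Review bot: In the @@ -860,30 +873,33 @@ hunk, the retained comment still says to wait for the target URL to be the current location, but the new code no longer waits on get_url(); it waits for the element with By.ID "delay" and then asserts the URL once, so the comment should be updated to match. The new assertRaises(errors.NoSuchElementException) placed directly after navigate() also only holds if the "slow" page delays its response for longer than it takes to issue find_element. Documenting the delay that page guarantees next to the assertion would make the timing assumption explicit and help keep the test from turning intermittent.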
AI Analysis
After analyzing the provided code diff, I don't find any clear security vulnerabilities being fixed. The changes appear to be primarily test code reorganization and improvements to test cases for page load strategies. Here's my analysis:

1. Vulnerability Existed: no
   The changes involve moving test page URL definitions to a more appropriate location (TestPageLoadStrategy.setUp) and updating test cases to use different test pages (slow vs slow_resource). These are test infrastructure improvements rather than security fixes.

2. Vulnerability Existed: no
   The modifications to the test cases (changing from test_page_slow_resource to test_page_slow and updating element IDs from "slow" to "delay") appear to be test case refactoring to better test different scenarios, not security-related changes.

3. Vulnerability Existed: no
   The changes in assertion order (e.g., changing from `self.assertEqual("complete", self.ready_state)` to `self.assertEqual(self.ready_state, "complete")`) are stylistic improvements and don't indicate any security fixes.

The diff shows test code improvements and better organization of test resources, but no identifiable security vulnerabilities being addressed. The changes are focused on making the tests more robust and clearer in their intent.
CVE Analysis Results:
CVE-2022-26384: No
testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.rect.closed.html AI: No vulnerabilities
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.rect.closed.html+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.rect.closed.html@@ -17,8 +17,8 @@ }); t.step(function() {-var offscreenCanvas = new OffscreenCanvas(100, 50);-var ctx = offscreenCanvas.getContext('2d');+var canvas = new OffscreenCanvas(100, 50);+var ctx = canvas.getContext('2d'); ctx.fillStyle = '#f00'; ctx.fillRect(0, 0, 100, 50);@@ -27,7 +27,7 @@ ctx.lineJoin = 'miter'; ctx.rect(100, 50, 100, 100); ctx.stroke();-_assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");+_assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255"); t.done(); });
AI Analysis
Based on the provided code diff, I don't see any security vulnerabilities being fixed. The changes appear to be purely variable renaming and don't involve any security-related modifications.

Here's the analysis following your requested format:

1. Vulnerability Existed: no
   No security vulnerability found
   File: testing/web-platform/tests/html/canvas/offscreen/path-objects/2d.path.rect.closed.html
   Lines: 17-27
   Old Code: 
   ```
   var offscreenCanvas = new OffscreenCanvas(100, 50);
   var ctx = offscreenCanvas.getContext('2d');
   [...]
   _assertPixel(offscreenCanvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");
   ```
   Fixed Code:
   ```
   var canvas = new OffscreenCanvas(100, 50);
   var ctx = canvas.getContext('2d');
   [...]
   _assertPixel(canvas, 50,25, 0,255,0,255, "50,25", "0,255,0,255");
   ```

The changes simply rename the variable `offscreenCanvas` to `canvas` throughout the file, which doesn't appear to address any security issues. This seems to be a code style/consistency change rather than a security fix.
CVE Analysis Results:
CVE-2022-26384: No
accessible/base/nsAccessibilityService.cpp AI: Not sure
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/accessible/base/nsAccessibilityService.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/accessible/base/nsAccessibilityService.cpp@@ -308,12 +308,17 @@           // Create an accessible for a inaccessible element having click event           // handler.           document->ContentInserted(content, content->GetNextSibling());-        } else if (acc && acc->IsHTMLLink() && !acc->AsHTMLLink()->IsLinked()) {-          // Notify of a LINKED state change if an HTML link gets a click-          // listener but does not have an href attribute.-          RefPtr<AccEvent> linkedChangeEvent =-              new AccStateChangeEvent(acc, states::LINKED);-          document->FireDelayedEvent(linkedChangeEvent);+        } else if (acc) {+          if (acc->IsHTMLLink() && !acc->AsHTMLLink()->IsLinked()) {+            // Notify of a LINKED state change if an HTML link gets a click+            // listener but does not have an href attribute.+            RefPtr<AccEvent> linkedChangeEvent =+                new AccStateChangeEvent(acc, states::LINKED);+            document->FireDelayedEvent(linkedChangeEvent);+          }++          // A click listener change might mean losing or gaining an action.+          acc->SendCache(CacheDomain::Actions, CacheUpdateType::Update);         }       }     }@@ -361,8 +366,7 @@     if (document) {       LocalAccessible* accessible = document->GetAccessible(aContent);       if (accessible) {-        document->MarkForBoundsProcessing(accessible);-        document->Controller()->ScheduleProcessing();+        document->QueueCacheUpdate(accessible, CacheDomain::Bounds);       }     }   }@@ -484,6 +488,22 @@   } }+void nsAccessibilityService::ScheduleAccessibilitySubtreeUpdate(+    PresShell* aPresShell, nsIContent* aContent) {+  DocAccessible* document = GetDocAccessible(aPresShell);+#ifdef 
A11Y_LOG+  if (logging::IsEnabled(logging::eTree)) {+    logging::MsgBegin("TREE", "schedule update; doc: %p", document);+    logging::Node("content node", aContent);+    logging::MsgEnd();+  }+#endif++  if (document) {+    document->ScheduleTreeUpdate(aContent);+  }+}+ void nsAccessibilityService::ContentRemoved(PresShell* aPresShell,                                             nsIContent* aChildNode) {   DocAccessible* document = GetDocAccessible(aPresShell);@@ -514,6 +534,27 @@     if (LocalAccessible* accessible = document->GetAccessible(aContent)) {       document->FireDelayedEvent(           nsIAccessibleEvent::EVENT_TABLE_STYLING_CHANGED, accessible);+    }+  }+}++void nsAccessibilityService::ComboboxOptionMaybeChanged(+    PresShell* aPresShell, nsIContent* aMutatingNode) {+  DocAccessible* document = GetDocAccessible(aPresShell);+  if (!document) {+    return;+  }++  for (nsIContent* cur = aMutatingNode; cur; cur = cur->GetParent()) {+    if (cur->IsHTMLElement(nsGkAtoms::option)) {+      if (LocalAccessible* accessible = document->GetAccessible(cur)) {+        document->FireDelayedEvent(nsIAccessibleEvent::EVENT_NAME_CHANGE,+                                   accessible);+        break;+      }+      if (cur->IsHTMLElement(nsGkAtoms::select)) {+        break;+      }     }   } }@@ -882,7 +923,7 @@   if (!frame || !frame->StyleVisibility()->IsVisible()) {     // display:contents element doesn't have a frame, but retains the semantics.     // All its children are unaffected.-    if (nsCoreUtils::IsDisplayContents(content)) {+    if (nsCoreUtils::CanCreateAccessibleWithoutFrame(content)) {       const MarkupMapInfo* markupMap = GetMarkupMapInfoForNode(content);       if (markupMap && markupMap->new_func) {         RefPtr<LocalAccessible> newAcc =
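Review bot: In the @@ -514,6 +534,27 @@ hunk, the check if (cur->IsHTMLElement(nsGkAtoms::select)) { break; } in ComboboxOptionMaybeChanged is nested inside the if (cur->IsHTMLElement(nsGkAtoms::option)) block, so it can never be true and the ancestor walk does not stop at the enclosing select. As written, a mutation under a select that has no option ancestor with an accessible walks all the way to the root. Move the select check out to the loop body, as a sibling of the option check, so the walk terminates at the combobox boundary as the code appears to intend.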
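Review bot: In the @@ -361,8 +366,7 @@ hunk, the explicit document->Controller()->ScheduleProcessing() call is dropped when MarkForBoundsProcessing is replaced by document->QueueCacheUpdate(accessible, CacheDomain::Bounds). The diff does not show QueueCacheUpdate, so confirm that it schedules processing itself; otherwise a bounds change with no other pending work would sit in the queue until something else triggers a flush. A one-line comment at the call site saying that QueueCacheUpdate schedules the update would document the dependency.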
AI Analysis
Here's the analysis of the provided code diff for security fixes:

1. Vulnerability Existed: not sure
   Potential State Synchronization Issue [File] [Lines 308-319]
   Old Code:
   ```cpp
   } else if (acc && acc->IsHTMLLink() && !acc->AsHTMLLink()->IsLinked()) {
     // Notify of a LINKED state change if an HTML link gets a click
     // listener but does not have an href attribute.
     RefPtr<AccEvent> linkedChangeEvent =
         new AccStateChangeEvent(acc, states::LINKED);
     document->FireDelayedEvent(linkedChangeEvent);
   }
   ```
   Fixed Code:
   ```cpp
   } else if (acc) {
     if (acc->IsHTMLLink() && !acc->AsHTMLLink()->IsLinked()) {
       // Notify of a LINKED state change if an HTML link gets a click
       // listener but does not have an href attribute.
       RefPtr<AccEvent> linkedChangeEvent =
           new AccStateChangeEvent(acc, states::LINKED);
       document->FireDelayedEvent(linkedChangeEvent);
     }

     // A click listener change might mean losing or gaining an action.
     acc->SendCache(CacheDomain::Actions, CacheUpdateType::Update);
   }
   ```

2. Vulnerability Existed: not sure
   Potential Bounds Update Issue [File] [Lines 361-366]
   Old Code:
   ```cpp
   if (accessible) {
     document->MarkForBoundsProcessing(accessible);
     document->Controller()->ScheduleProcessing();
   }
   ```
   Fixed Code:
   ```cpp
   if (accessible) {
     document->QueueCacheUpdate(accessible, CacheDomain::Bounds);
   }
   ```

3. Vulnerability Existed: not sure
   Potential Missing Accessibility Update [File] [Lines 882-923]
   Old Code:
   ```cpp
   if (nsCoreUtils::IsDisplayContents(content)) {
   ```
   Fixed Code:
   ```cpp
   if (nsCoreUtils::CanCreateAccessibleWithoutFrame(content)) {
   ```

Note: While these changes appear to be improvements to accessibility handling and state management, I couldn't identify any specific security vulnerabilities being fixed. The changes seem to focus on better state synchronization, more efficient bounds updates, and broader handling of accessibility cases. However, I've noted them as potential issues since accessibility-related bugs could potentially have security implications in certain contexts.
CVE Analysis Results:
CVE-2022-26384: No
ipc/glue/BackgroundImpl.cpp AI: 4 vulnerabilities
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/ipc/glue/BackgroundImpl.cpp+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/ipc/glue/BackgroundImpl.cpp@@ -9,6 +9,7 @@ #include "BackgroundChildImpl.h" #include "BackgroundParentImpl.h"+#include "MainThreadUtils.h" #include "base/process_util.h" #include "base/task.h" #include "FileDescriptor.h"@@ -28,7 +29,10 @@ #include "mozilla/dom/File.h" #include "mozilla/dom/WorkerPrivate.h" #include "mozilla/dom/WorkerRef.h"+#include "mozilla/ipc/BackgroundStarterChild.h"+#include "mozilla/ipc/BackgroundStarterParent.h" #include "mozilla/ipc/Endpoint.h"+#include "mozilla/ipc/PBackgroundStarter.h" #include "mozilla/ipc/ProtocolTypes.h" #include "mozilla/net/SocketProcessChild.h" #include "mozilla/net/SocketProcessBridgeChild.h"@@ -77,32 +81,30 @@ // Utility Functions // ------------------------------------------------------------------------------void AssertIsInMainProcess() { MOZ_ASSERT(XRE_IsParentProcess()); }- void AssertIsInMainOrSocketProcess() {   MOZ_ASSERT(XRE_IsParentProcess() || XRE_IsSocketProcess()); } void AssertIsOnMainThread() { THREADSAFETY_ASSERT(NS_IsMainThread()); }-void AssertIsNotOnMainThread() { THREADSAFETY_ASSERT(!NS_IsMainThread()); }- // ----------------------------------------------------------------------------- // ParentImpl Declaration // ----------------------------------------------------------------------------- class ParentImpl final : public BackgroundParentImpl {+  friend class ChildImpl;   friend class mozilla::ipc::BackgroundParent;+  friend class mozilla::ipc::BackgroundStarterParent;  private:   class ShutdownObserver;-  class CreateActorHelper;   struct MOZ_STACK_CLASS TimerCallbackClosure {     nsIThread* mThread;-    nsTArray<ParentImpl*>* mLiveActors;--    TimerCallbackClosure(nsIThread* aThread, nsTArray<ParentImpl*>* aLiveActors)+    nsTArray<IToplevelProtocol*>* 
mLiveActors;++    TimerCallbackClosure(nsIThread* aThread,+                         nsTArray<IToplevelProtocol*>* aLiveActors)         : mThread(aThread), mLiveActors(aLiveActors) {       AssertIsInMainOrSocketProcess();       AssertIsOnMainThread();@@ -121,7 +123,7 @@   // This is created and destroyed on the main thread but only modified on the   // background thread. It is specific to each instance of sBackgroundThread.-  static nsTArray<ParentImpl*>* sLiveActorsForBackgroundThread;+  static nsTArray<IToplevelProtocol*>* sLiveActorsForBackgroundThread;   // This is only modified on the main thread.   static StaticRefPtr<nsITimer> sShutdownTimer;@@ -130,10 +132,11 @@   // work during shutdown.   static Atomic<PRThread*> sBackgroundPRThread;-  // This is only modified on the main thread. It maintains a count of live-  // actors so that the background thread can be shut down when it is no longer-  // needed.-  static uint64_t sLiveActorCount;+  // Maintains a count of live actors so that the background thread can be shut+  // down when it is no longer needed.+  // May be incremented on either the background thread (by an existing actor)+  // or on the main thread, but must be decremented on the main thread.+  static Atomic<uint64_t> sLiveActorCount;   // This is only modified on the main thread. It is true after the shutdown   // observer is registered and is never unset thereafter.@@ -148,7 +151,7 @@   // Set when the actor is opened successfully and used to handle shutdown   // hangs. 
Only touched on the background thread.-  nsTArray<ParentImpl*>* mLiveActorArray;+  nsTArray<IToplevelProtocol*>* mLiveActorArray;   // Set at construction to indicate whether this parent actor corresponds to a   // child actor in another process or to a child actor from a different thread@@ -160,9 +163,6 @@   bool mActorDestroyed;  public:-  static already_AddRefed<ChildImpl> CreateActorForSameProcess(-      nsIEventTarget* aMainEventTarget);-   static bool IsOnBackgroundThread() {     return PR_GetCurrentThread() == sBackgroundPRThread;   }@@ -171,10 +171,9 @@     THREADSAFETY_ASSERT(IsOnBackgroundThread());   }-  // `ParentImpl` instances are created and need to be deleted on the main-  // thread, despite IPC controlling them on a background thread. Use-  // `_WITH_DELETE_ON_MAIN_THREAD` to force destruction to occur on the desired-  // thread.+  // `ParentImpl` instances need to be deleted on the main thread, despite IPC+  // controlling them on a background thread. Use `_WITH_DELETE_ON_MAIN_THREAD`+  // to force destruction to occur on the desired thread.   
NS_INLINE_DECL_THREADSAFE_REFCOUNTING_WITH_DELETE_ON_MAIN_THREAD(ParentImpl,                                                                    override)@@ -196,12 +195,9 @@   static uint64_t GetChildID(PBackgroundParent* aBackgroundActor);   // Forwarded from BackgroundParent.-  static bool GetLiveActorArray(PBackgroundParent* aBackgroundActor,-                                nsTArray<PBackgroundParent*>& aLiveActorArray);--  // Forwarded from BackgroundParent.-  static bool Alloc(ContentParent* aContent,-                    Endpoint<PBackgroundParent>&& aEndpoint);+  static bool AllocStarter(ContentParent* aContent,+                           Endpoint<PBackgroundStarterParent>&& aEndpoint,+                           bool aCrossProcess = true);   static bool CreateBackgroundThread();@@ -209,28 +205,20 @@   static void ShutdownTimerCallback(nsITimer* aTimer, void* aClosure);-  // For same-process actors.-  ParentImpl()-      : mLiveActorArray(nullptr),-        mIsOtherProcessActor(false),-        mActorDestroyed(false) {-    AssertIsInMainProcess();-    AssertIsOnMainThread();-  }--  // For other-process actors.-  // NOTE: ParentImpl could be used in 3 cases below.-  // 1. Between parent process and content process.-  // 2. Between socket process and content process.-  // 3. Between parent process and socket process.-  // |mContent| should be not null for case 1. For case 2 and 3, it's null.-  explicit ParentImpl(ContentParent* aContent)-      : mContent(aContent),+  // NOTE: ParentImpl could be used in 4 cases below.+  // 1. Within the parent process.+  // 2. Between parent process and content process.+  // 3. Between socket process and content process.+  // 4. Between parent process and socket process.+  // |aContent| should be not null for case 2. 
For cases 1, 3 and 4, it's null.+  explicit ParentImpl(already_AddRefed<ContentParent>&& aContent,+                      bool aIsOtherProcessActor)+      : mContent(std::move(aContent)),         mLiveActorArray(nullptr),-        mIsOtherProcessActor(true),+        mIsOtherProcessActor(aIsOtherProcessActor),         mActorDestroyed(false) {     MOZ_ASSERT(XRE_IsParentProcess() || XRE_IsSocketProcess());-    AssertIsOnMainThread();+    MOZ_ASSERT_IF(!aIsOtherProcessActor, XRE_IsParentProcess());   }   ~ParentImpl() {@@ -241,7 +229,7 @@   void MainThreadActorDestroy();-  void SetLiveActorArray(nsTArray<ParentImpl*>* aLiveActorArray) {+  void SetLiveActorArray(nsTArray<IToplevelProtocol*>* aLiveActorArray) {     AssertIsInMainOrSocketProcess();     AssertIsOnBackgroundThread();     MOZ_ASSERT(aLiveActorArray);@@ -264,6 +252,7 @@ class ChildImpl final : public BackgroundChildImpl {   friend class mozilla::ipc::BackgroundChild;   friend class mozilla::ipc::BackgroundChildImpl;+  friend class mozilla::ipc::BackgroundStarterChild;   typedef base::ProcessId ProcessId;   typedef mozilla::ipc::Transport Transport;@@ -271,8 +260,6 @@   class ShutdownObserver;  public:-  class SendInitBackgroundRunnable;-   struct ThreadLocalInfo {     ThreadLocalInfo() #ifdef DEBUG@@ -282,7 +269,6 @@     }     RefPtr<ChildImpl> mActor;-    RefPtr<SendInitBackgroundRunnable> mSendInitBackgroundRunnable;     UniquePtr<BackgroundChildImpl::ThreadLocal> mConsumerThreadLocal; #ifdef DEBUG     bool mClosed;@@ -303,10 +289,7 @@     using ActorCreateFunc = void (*)(ThreadLocalInfo*, unsigned int,                                      nsIEventTarget*, ChildImpl**);-    constexpr explicit ThreadInfoWrapper(ActorCreateFunc aFunc)-        : mThreadLocalIndex(kBadThreadLocalIndex),-          mMainThreadInfo(nullptr),-          mCreateActorFunc(aFunc) {}+    ThreadInfoWrapper() = default;     void Startup() {       MOZ_ASSERT(mThreadLocalIndex == kBadThreadLocalIndex,@@ -329,6 +312,15 @@       if 
(mThreadLocalIndex == kBadThreadLocalIndex) {         return;+      }++      RefPtr<BackgroundStarterChild> starter;+      {+        auto lock = mStarter.Lock();+        starter = lock->forget();+      }+      if (starter) {+        CloseStarter(starter);       }       ThreadLocalInfo* threadLocalInfo;@@ -350,6 +342,52 @@       }     }+    template <typename Actor>+    void InitStarter(Actor* aActor) {+      AssertIsOnMainThread();++      // Create a pair of endpoints and send them to the other process.+      Endpoint<PBackgroundStarterParent> parent;+      Endpoint<PBackgroundStarterChild> child;+      MOZ_ALWAYS_SUCCEEDS(PBackgroundStarter::CreateEndpoints(+          aActor->OtherPid(), base::GetCurrentProcId(), &parent, &child));+      MOZ_ALWAYS_TRUE(aActor->SendInitBackground(std::move(parent)));++      InitStarter(std::move(child));+    }++    void InitStarter(Endpoint<PBackgroundStarterChild>&& aEndpoint) {+      AssertIsOnMainThread();++      base::ProcessId otherPid = aEndpoint.OtherPid();++      nsCOMPtr<nsISerialEventTarget> taskQueue;+      MOZ_ALWAYS_SUCCEEDS(NS_CreateBackgroundTaskQueue(+          "PBackgroundStarter Queue", getter_AddRefs(taskQueue)));++      RefPtr<BackgroundStarterChild> starter =+          new BackgroundStarterChild(otherPid, taskQueue);++      taskQueue->Dispatch(NS_NewRunnableFunction(+          "PBackgroundStarterChild Init",+          [starter, endpoint = std::move(aEndpoint)]() mutable {+            MOZ_ALWAYS_TRUE(endpoint.Bind(starter));+          }));++      // Swap in the newly initialized `BackgroundStarterChild`, and close the+      // previous one if we're replacing an existing PBackgroundStarterChild+      // instance.+      RefPtr<BackgroundStarterChild> prevStarter;+      {+        auto lock = mStarter.Lock();+        prevStarter = lock->forget();+        *lock = starter.forget();+      }+      if (prevStarter) {+        CloseStarter(prevStarter);+      }+    }+     void CloseForCurrentThread() {       
MOZ_ASSERT(!NS_IsMainThread());@@ -357,7 +395,7 @@         return;       }-      auto threadLocalInfo =+      auto* threadLocalInfo =           static_cast<ThreadLocalInfo*>(PR_GetThreadPrivate(mThreadLocalIndex));       if (!threadLocalInfo) {@@ -375,10 +413,7 @@       MOZ_ASSERT(status == PR_SUCCESS);     }-    PBackgroundChild* GetOrCreateForCurrentThread(-        nsIEventTarget* aMainEventTarget) {-      MOZ_ASSERT_IF(NS_IsMainThread(), !aMainEventTarget);-+    PBackgroundChild* GetOrCreateForCurrentThread() {       // Processes can be told to do final CC's during shutdown even though       // they never finished starting (and thus call this), because they       // hadn't gotten far enough to call Startup() before shutdown began.@@ -390,10 +425,10 @@         return nullptr;       }-      auto threadLocalInfo = NS_IsMainThread()-                                 ? mMainThreadInfo-                                 : static_cast<ThreadLocalInfo*>(-                                       PR_GetThreadPrivate(mThreadLocalIndex));+      auto* threadLocalInfo = NS_IsMainThread()+                                  ? 
mMainThreadInfo+                                  : static_cast<ThreadLocalInfo*>(+                                        PR_GetThreadPrivate(mThreadLocalIndex));       if (!threadLocalInfo) {         auto newInfo = MakeUnique<ThreadLocalInfo>();@@ -411,28 +446,70 @@         threadLocalInfo = newInfo.release();       }-      PBackgroundChild* bgChild =-          GetFromThreadInfo(aMainEventTarget, threadLocalInfo);-      if (bgChild) {-        return bgChild;-      }--      RefPtr<ChildImpl> actor;-      mCreateActorFunc(threadLocalInfo, mThreadLocalIndex, aMainEventTarget,-                       getter_AddRefs(actor));-      return actor;+      if (threadLocalInfo->mActor) {+        return threadLocalInfo->mActor;+      }++      RefPtr<BackgroundStarterChild> starter;+      {+        auto lock = mStarter.Lock();+        starter = *lock;+      }+      if (!starter) {+        CRASH_IN_CHILD_PROCESS("No BackgroundStarterChild");+        return nullptr;+      }++      Endpoint<PBackgroundParent> parent;+      Endpoint<PBackgroundChild> child;+      nsresult rv;+      rv = PBackground::CreateEndpoints(+          starter->mOtherPid, base::GetCurrentProcId(), &parent, &child);+      if (NS_FAILED(rv)) {+        NS_WARNING("Failed to create top level actor!");+        return nullptr;+      }++      RefPtr<ChildImpl> strongActor = new ChildImpl();+      if (!child.Bind(strongActor)) {+        CRASH_IN_CHILD_PROCESS("Failed to bind ChildImpl!");+        return nullptr;+      }+      strongActor->SetActorAlive();+      threadLocalInfo->mActor = strongActor;++      // Dispatch to the background task queue to create the relevant actor in+      // the remote process.+      starter->mTaskQueue->Dispatch(NS_NewRunnableFunction(+          "PBackground GetOrCreateForCurrentThread",+          [starter, endpoint = std::move(parent)]() mutable {+            if (!starter->SendInitBackground(std::move(endpoint))) {+              NS_WARNING("Failed to create toplevel actor");+           
 }+          }));+      return strongActor;     }    private:+    static void CloseStarter(BackgroundStarterChild* aStarter) {+      aStarter->mTaskQueue->Dispatch(NS_NewRunnableFunction(+          "PBackgroundStarterChild Close",+          [starter = RefPtr{aStarter}] { starter->Close(); }));+    }+     // This is only modified on the main thread. It is the thread-local index     // that we use to store the BackgroundChild for each thread.-    unsigned int mThreadLocalIndex;+    unsigned int mThreadLocalIndex = kBadThreadLocalIndex;     // On the main thread, we store TLS in this global instead of in     // mThreadLocalIndex. That way, cooperative main threads all share the same     // thread info.-    ThreadLocalInfo* mMainThreadInfo;-    ActorCreateFunc mCreateActorFunc;+    ThreadLocalInfo* mMainThreadInfo = nullptr;++    // The starter which will be used to launch PBackground instances of this+    // type. Only modified on the main thread, but may be read by any thread+    // wanting to start background actors.+    StaticDataMutex<StaticRefPtr<BackgroundStarterChild>> mStarter{"mStarter"};   };   // For PBackground between parent and content process.@@ -509,26 +586,29 @@   // Forwarded from BackgroundChild.   
static PBackgroundChild* GetForCurrentThread();-  // Helper function for getting PBackgroundChild from thread info.-  static PBackgroundChild* GetFromThreadInfo(nsIEventTarget* aMainEventTarget,-                                             ThreadLocalInfo* aThreadLocalInfo);-   // Forwarded from BackgroundChild.-  static PBackgroundChild* GetOrCreateForCurrentThread(-      nsIEventTarget* aMainEventTarget);+  static PBackgroundChild* GetOrCreateForCurrentThread();   // Forwarded from BackgroundChild.-  static PBackgroundChild* GetOrCreateSocketActorForCurrentThread(-      nsIEventTarget* aMainEventTarget);+  static PBackgroundChild* GetOrCreateSocketActorForCurrentThread();   // Forwarded from BackgroundChild.-  static PBackgroundChild* GetOrCreateForSocketParentBridgeForCurrentThread(-      nsIEventTarget* aMainEventTarget);+  static PBackgroundChild* GetOrCreateForSocketParentBridgeForCurrentThread();   static void CloseForCurrentThread();   // Forwarded from BackgroundChildImpl.   static BackgroundChildImpl::ThreadLocal* GetThreadLocalForCurrentThread();++  // Forwarded from BackgroundChild.+  static void InitContentStarter(mozilla::dom::ContentChild* aContent);++  // Forwarded from BackgroundChild.+  static void InitSocketStarter(mozilla::net::SocketProcessChild* aSocket);++  // Forwarded from BackgroundChild.+  static void InitSocketBridgeStarter(+      mozilla::net::SocketProcessBridgeChild* aSocketBridge);   static void ThreadLocalDestructor(void* aThreadLocal);@@ -554,35 +634,6 @@   ~ShutdownObserver() { AssertIsOnMainThread(); } };-class ParentImpl::CreateActorHelper final : public Runnable {-  mozilla::Monitor mMonitor;-  RefPtr<ParentImpl> mParentActor;-  nsCOMPtr<nsIThread> mThread;-  nsresult mMainThreadResultCode;-  bool mWaiting;-- public:-  explicit CreateActorHelper()-      : Runnable("Background::ParentImpl::CreateActorHelper"),-        mMonitor("CreateActorHelper::mMonitor"),-        mMainThreadResultCode(NS_OK),-        mWaiting(true) {-    
AssertIsInMainOrSocketProcess();-    AssertIsNotOnMainThread();-  }--  nsresult BlockAndGetResults(nsIEventTarget* aMainEventTarget,-                              RefPtr<ParentImpl>& aParentActor,-                              nsCOMPtr<nsIThread>& aThread);-- private:-  ~CreateActorHelper() { AssertIsInMainOrSocketProcess(); }--  nsresult RunOnMainThread();--  NS_DECL_NSIRUNNABLE-};- // ----------------------------------------------------------------------------- // ChildImpl Helper Declarations // -----------------------------------------------------------------------------@@ -598,47 +649,6 @@   ~ShutdownObserver() { AssertIsOnMainThread(); } };-class ChildImpl::SendInitBackgroundRunnable final : public DiscardableRunnable {-  nsCOMPtr<nsISerialEventTarget> mOwningEventTarget;-  RefPtr<StrongWorkerRef> mWorkerRef;-  Endpoint<PBackgroundParent> mParent;-  mozilla::Mutex mMutex;-  bool mSentInitBackground;-  std::function<void(Endpoint<PBackgroundParent>&& aParent)> mSendInitfunc;-  unsigned int mThreadLocalIndex;-- public:-  static already_AddRefed<SendInitBackgroundRunnable> Create(-      Endpoint<PBackgroundParent>&& aParent,-      std::function<void(Endpoint<PBackgroundParent>&& aParent)>&& aFunc,-      unsigned int aThreadLocalIndex);--  void ClearEventTarget() {-    mWorkerRef = nullptr;--    mozilla::MutexAutoLock lock(mMutex);-    mOwningEventTarget = nullptr;-  }-- private:-  explicit SendInitBackgroundRunnable(-      Endpoint<PBackgroundParent>&& aParent,-      std::function<void(Endpoint<PBackgroundParent>&& aParent)>&& aFunc,-      unsigned int aThreadLocalIndex)-      : DiscardableRunnable(-            "Background::ChildImpl::SendInitBackgroundRunnable"),-        mOwningEventTarget(GetCurrentSerialEventTarget()),-        mParent(std::move(aParent)),-        mMutex("SendInitBackgroundRunnable::mMutex"),-        mSentInitBackground(false),-        mSendInitfunc(std::move(aFunc)),-        mThreadLocalIndex(aThreadLocalIndex) {}--  
~SendInitBackgroundRunnable() = default;--  NS_DECL_NSIRUNNABLE-};- }  // namespace namespace mozilla {@@ -683,16 +693,9 @@ } // static-bool BackgroundParent::GetLiveActorArray(-    PBackgroundParent* aBackgroundActor,-    nsTArray<PBackgroundParent*>& aLiveActorArray) {-  return ParentImpl::GetLiveActorArray(aBackgroundActor, aLiveActorArray);-}--// static-bool BackgroundParent::Alloc(ContentParent* aContent,-                             Endpoint<PBackgroundParent>&& aEndpoint) {-  return ParentImpl::Alloc(aContent, std::move(aEndpoint));+bool BackgroundParent::AllocStarter(+    ContentParent* aContent, Endpoint<PBackgroundStarterParent>&& aEndpoint) {+  return ParentImpl::AllocStarter(aContent, std::move(aEndpoint)); } // -----------------------------------------------------------------------------@@ -708,28 +711,40 @@ } // static-PBackgroundChild* BackgroundChild::GetOrCreateForCurrentThread(-    nsIEventTarget* aMainEventTarget) {-  return ChildImpl::GetOrCreateForCurrentThread(aMainEventTarget);-}--// static-PBackgroundChild* BackgroundChild::GetOrCreateSocketActorForCurrentThread(-    nsIEventTarget* aMainEventTarget) {-  return ChildImpl::GetOrCreateSocketActorForCurrentThread(aMainEventTarget);+PBackgroundChild* BackgroundChild::GetOrCreateForCurrentThread() {+  return ChildImpl::GetOrCreateForCurrentThread();+}++// static+PBackgroundChild* BackgroundChild::GetOrCreateSocketActorForCurrentThread() {+  return ChildImpl::GetOrCreateSocketActorForCurrentThread(); } // static PBackgroundChild*-BackgroundChild::GetOrCreateForSocketParentBridgeForCurrentThread(-    nsIEventTarget* aMainEventTarget) {-  return ChildImpl::GetOrCreateForSocketParentBridgeForCurrentThread(-      aMainEventTarget);+BackgroundChild::GetOrCreateForSocketParentBridgeForCurrentThread() {+  return ChildImpl::GetOrCreateForSocketParentBridgeForCurrentThread(); } // static void BackgroundChild::CloseForCurrentThread() {   ChildImpl::CloseForCurrentThread();+}++// static+void 
BackgroundChild::InitContentStarter(ContentChild* aContent) {+  ChildImpl::InitContentStarter(aContent);+}++// static+void BackgroundChild::InitSocketStarter(net::SocketProcessChild* aSocket) {+  ChildImpl::InitSocketStarter(aSocket);+}++// static+void BackgroundChild::InitSocketBridgeStarter(+    net::SocketProcessBridgeChild* aSocketBridge) {+  ChildImpl::InitSocketBridgeStarter(aSocketBridge); } // -----------------------------------------------------------------------------@@ -748,13 +763,13 @@ StaticRefPtr<nsIThread> ParentImpl::sBackgroundThread;-nsTArray<ParentImpl*>* ParentImpl::sLiveActorsForBackgroundThread;+nsTArray<IToplevelProtocol*>* ParentImpl::sLiveActorsForBackgroundThread; StaticRefPtr<nsITimer> ParentImpl::sShutdownTimer; Atomic<PRThread*> ParentImpl::sBackgroundPRThread;-uint64_t ParentImpl::sLiveActorCount = 0;+Atomic<uint64_t> ParentImpl::sLiveActorCount; bool ParentImpl::sShutdownObserverRegistered = false;@@ -764,238 +779,11 @@ // ChildImpl Static Members // ------------------------------------------------------------------------------static void ParentContentActorCreateFunc(-    ChildImpl::ThreadLocalInfo* aThreadLocalInfo,-    unsigned int aThreadLocalIndex, nsIEventTarget* aMainEventTarget,-    ChildImpl** aOutput) {-  if (XRE_IsParentProcess()) {-    RefPtr<ChildImpl> strongActor =-        ParentImpl::CreateActorForSameProcess(aMainEventTarget);-    if (NS_WARN_IF(!strongActor)) {-      return;-    }--    aThreadLocalInfo->mActor = strongActor;-    strongActor.forget(aOutput);-    return;-  }--  RefPtr<ContentChild> content = ContentChild::GetSingleton();-  MOZ_ASSERT(content);--  if (content->IsShuttingDown()) {-    // The transport for ContentChild is shut down and can't be used to open-    // PBackground.-    return;-  }--  Endpoint<PBackgroundParent> parent;-  Endpoint<PBackgroundChild> child;-  nsresult rv;-  rv = PBackground::CreateEndpoints(content->OtherPid(),-                                    base::GetCurrentProcId(), &parent, 
&child);-  if (NS_FAILED(rv)) {-    NS_WARNING("Failed to create top level actor!");-    return;-  }--  RefPtr<ChildImpl::SendInitBackgroundRunnable> runnable;-  if (!NS_IsMainThread()) {-    runnable = ChildImpl::SendInitBackgroundRunnable::Create(-        std::move(parent),-        [](Endpoint<PBackgroundParent>&& aParent) {-          RefPtr<ContentChild> content = ContentChild::GetSingleton();-          MOZ_ASSERT(content);--          if (!content->SendInitBackground(std::move(aParent))) {-            NS_WARNING("Failed to create top level actor!");-          }-        },-        aThreadLocalIndex);-    if (!runnable) {-      return;-    }-  }--  RefPtr<ChildImpl> strongActor = new ChildImpl();--  if (!child.Bind(strongActor)) {-    CRASH_IN_CHILD_PROCESS("Failed to bind ChildImpl!");--    return;-  }--  strongActor->SetActorAlive();--  if (NS_IsMainThread()) {-    if (!content->SendInitBackground(std::move(parent))) {-      NS_WARNING("Failed to create top level actor!");-      return;-    }-  } else {-    if (aMainEventTarget) {-      MOZ_ALWAYS_SUCCEEDS(-          aMainEventTarget->Dispatch(runnable, NS_DISPATCH_NORMAL));-    } else {-      MOZ_ALWAYS_SUCCEEDS(NS_DispatchToMainThread(runnable));-    }--    aThreadLocalInfo->mSendInitBackgroundRunnable = runnable;-  }--  aThreadLocalInfo->mActor = strongActor;-  strongActor.forget(aOutput);-}--ChildImpl::ThreadInfoWrapper ChildImpl::sParentAndContentProcessThreadInfo(-    ParentContentActorCreateFunc);--static void SocketContentActorCreateFunc(-    ChildImpl::ThreadLocalInfo* aThreadLocalInfo,-    unsigned int aThreadLocalIndex, nsIEventTarget* aMainEventTarget,-    ChildImpl** aOutput) {-  RefPtr<SocketProcessBridgeChild> bridgeChild =-      SocketProcessBridgeChild::GetSingleton();--  if (!bridgeChild || bridgeChild->IsShuttingDown()) {-    // The transport for SocketProcessBridgeChild is shut down-    // and can't be used to open PBackground.-    return;-  }--  Endpoint<PBackgroundParent> parent;-  
Endpoint<PBackgroundChild> child;-  nsresult rv;-  rv = PBackground::CreateEndpoints(bridgeChild->SocketProcessPid(),-                                    base::GetCurrentProcId(), &parent, &child);-  if (NS_FAILED(rv)) {-    NS_WARNING("Failed to create top level actor!");-    return;-  }--  RefPtr<ChildImpl::SendInitBackgroundRunnable> runnable;-  if (!NS_IsMainThread()) {-    runnable = ChildImpl::SendInitBackgroundRunnable::Create(-        std::move(parent),-        [](Endpoint<PBackgroundParent>&& aParent) {-          RefPtr<SocketProcessBridgeChild> bridgeChild =-              SocketProcessBridgeChild::GetSingleton();--          if (!bridgeChild->SendInitBackground(std::move(aParent))) {-            NS_WARNING("Failed to create top level actor!");-          }-        },-        aThreadLocalIndex);-    if (!runnable) {-      return;-    }-  }--  RefPtr<ChildImpl> strongActor = new ChildImpl();--  if (!child.Bind(strongActor)) {-    CRASH_IN_CHILD_PROCESS("Failed to bind ChildImpl!");--    return;-  }--  strongActor->SetActorAlive();--  if (NS_IsMainThread()) {-    if (!bridgeChild->SendInitBackground(std::move(parent))) {-      NS_WARNING("Failed to create top level actor!");-      // Need to close the IPC channel before ChildImpl getting deleted.-      strongActor->Close();-      strongActor->AssertActorDestroyed();-      return;-    }-  } else {-    if (aMainEventTarget) {-      MOZ_ALWAYS_SUCCEEDS(-          aMainEventTarget->Dispatch(runnable, NS_DISPATCH_NORMAL));-    } else {-      MOZ_ALWAYS_SUCCEEDS(NS_DispatchToMainThread(runnable));-    }--    aThreadLocalInfo->mSendInitBackgroundRunnable = runnable;-  }--  aThreadLocalInfo->mActor = strongActor;-  strongActor.forget(aOutput);-}--ChildImpl::ThreadInfoWrapper ChildImpl::sSocketAndContentProcessThreadInfo(-    SocketContentActorCreateFunc);--static void SocketParentActorCreateFunc(-    ChildImpl::ThreadLocalInfo* aThreadLocalInfo,-    unsigned int aThreadLocalIndex, nsIEventTarget* aMainEventTarget,-    
ChildImpl** aOutput) {-  SocketProcessChild* socketChild = SocketProcessChild::GetSingleton();--  if (!socketChild || socketChild->IsShuttingDown()) {-    return;-  }--  Endpoint<PBackgroundParent> parent;-  Endpoint<PBackgroundChild> child;-  nsresult rv;-  rv = PBackground::CreateEndpoints(socketChild->OtherPid(),-                                    base::GetCurrentProcId(), &parent, &child);-  if (NS_FAILED(rv)) {-    NS_WARNING("Failed to create top level actor!");-    return;-  }--  RefPtr<ChildImpl::SendInitBackgroundRunnable> runnable;-  if (!NS_IsMainThread()) {-    runnable = ChildImpl::SendInitBackgroundRunnable::Create(-        std::move(parent),-        [](Endpoint<PBackgroundParent>&& aParent) {-          SocketProcessChild* socketChild = SocketProcessChild::GetSingleton();-          MOZ_ASSERT(socketChild);--          if (!socketChild->SendInitBackground(std::move(aParent))) {-            MOZ_CRASH("Failed to create top level actor!");-          }-        },-        aThreadLocalIndex);-    if (!runnable) {-      return;-    }-  }--  RefPtr<ChildImpl> strongActor = new ChildImpl();--  if (!child.Bind(strongActor)) {-    CRASH_IN_CHILD_PROCESS("Failed to bind ChildImpl!");-    return;-  }--  strongActor->SetActorAlive();--  if (NS_IsMainThread()) {-    if (!socketChild->SendInitBackground(std::move(parent))) {-      NS_WARNING("Failed to create top level actor!");-      return;-    }-  } else {-    if (aMainEventTarget) {-      MOZ_ALWAYS_SUCCEEDS(-          aMainEventTarget->Dispatch(runnable, NS_DISPATCH_NORMAL));-    } else {-      MOZ_ALWAYS_SUCCEEDS(NS_DispatchToMainThread(runnable));-    }--    aThreadLocalInfo->mSendInitBackgroundRunnable = runnable;-  }--  aThreadLocalInfo->mActor = strongActor;-  strongActor.forget(aOutput);-}--ChildImpl::ThreadInfoWrapper ChildImpl::sSocketAndParentProcessThreadInfo(-    SocketParentActorCreateFunc);+ChildImpl::ThreadInfoWrapper ChildImpl::sParentAndContentProcessThreadInfo;++ChildImpl::ThreadInfoWrapper 
ChildImpl::sSocketAndContentProcessThreadInfo;++ChildImpl::ThreadInfoWrapper ChildImpl::sSocketAndParentProcessThreadInfo; bool ChildImpl::sShutdownHasStarted = false;@@ -1030,6 +818,8 @@     // it for us. This is safe since we are guaranteed that our AddRef runnable     // will run before the reference we hand out can be released, and the     // ContentParent can't die as long as the existing reference is maintained.+    //+    // XXX: Why can't we use `nsMainThreadPtrHandle` here instead?     MOZ_ALWAYS_SUCCEEDS(NS_DispatchToMainThread(NewNonOwningRunnableMethod(         "ContentParent::AddRef", actor->mContent, &ContentParent::AddRef)));   }@@ -1073,36 +863,12 @@ } // static-bool ParentImpl::GetLiveActorArray(-    PBackgroundParent* aBackgroundActor,-    nsTArray<PBackgroundParent*>& aLiveActorArray) {-  AssertIsOnBackgroundThread();-  MOZ_ASSERT(aBackgroundActor);-  MOZ_ASSERT(aLiveActorArray.IsEmpty());--  auto actor = static_cast<ParentImpl*>(aBackgroundActor);-  if (actor->mActorDestroyed) {-    MOZ_ASSERT(false,-               "GetLiveActorArray called after ActorDestroy was called!");-    return false;-  }--  if (!actor->mLiveActorArray) {-    return true;-  }--  for (ParentImpl* liveActor : *actor->mLiveActorArray) {-    aLiveActorArray.AppendElement(liveActor);-  }--  return true;-}--// static-bool ParentImpl::Alloc(ContentParent* aContent,-                       Endpoint<PBackgroundParent>&& aEndpoint) {+bool ParentImpl::AllocStarter(ContentParent* aContent,+                              Endpoint<PBackgroundStarterParent>&& aEndpoint,+                              bool aCrossProcess) {   AssertIsInMainOrSocketProcess();   AssertIsOnMainThread();+   MOZ_ASSERT(aEndpoint.IsValid());   if (!sBackgroundThread && !CreateBackgroundThread()) {@@ -1110,29 +876,18 @@     return false;   }-  MOZ_ASSERT(sLiveActorsForBackgroundThread);-   sLiveActorCount++;-  RefPtr<ParentImpl> actor = new ParentImpl(aContent);+  RefPtr<BackgroundStarterParent> actor =+      new 
BackgroundStarterParent(aContent, aCrossProcess);   if (NS_FAILED(sBackgroundThread->Dispatch(NS_NewRunnableFunction(-          "Background::ParentImpl::ConnectActorRunnable",+          "BackgroundStarterParent::ConnectActorRunnable",           [actor = std::move(actor), endpoint = std::move(aEndpoint),            liveActorArray = sLiveActorsForBackgroundThread]() mutable {             MOZ_ASSERT(endpoint.IsValid());-            MOZ_ASSERT(liveActorArray);-            // Transfer ownership to this thread. If Open() fails then we will-            // release this reference in Destroy.-            ParentImpl* actorTmp;-            actor.forget(&actorTmp);--            if (!endpoint.Bind(actorTmp)) {-              actorTmp->Destroy();-              return;-            }--            actorTmp->SetLiveActorArray(liveActorArray);+            MOZ_ALWAYS_TRUE(endpoint.Bind(actor));+            actor->SetLiveActorArray(liveActorArray);           })))) {     NS_WARNING("Failed to dispatch connect runnable!");@@ -1141,64 +896,6 @@   }   return true;-}--// static-already_AddRefed<ChildImpl> ParentImpl::CreateActorForSameProcess(-    nsIEventTarget* aMainEventTarget) {-  AssertIsInMainProcess();--  RefPtr<ParentImpl> parentActor;-  nsCOMPtr<nsIThread> backgroundThread;--  if (NS_IsMainThread()) {-    if (!sBackgroundThread && !CreateBackgroundThread()) {-      NS_WARNING("Failed to create background thread!");-      return nullptr;-    }--    MOZ_ASSERT(!sShutdownHasStarted);--    sLiveActorCount++;--    parentActor = new ParentImpl();-    backgroundThread = sBackgroundThread.get();-  } else {-    RefPtr<CreateActorHelper> helper = new CreateActorHelper();--    nsresult rv = helper->BlockAndGetResults(aMainEventTarget, parentActor,-                                             backgroundThread);-    if (NS_WARN_IF(NS_FAILED(rv))) {-      return nullptr;-    }-  }--  RefPtr<ChildImpl> childActor = new ChildImpl();--  MessageChannel* parentChannel = parentActor->GetIPCChannel();-  
MOZ_ASSERT(parentChannel);--  if (!childActor->Open(parentChannel, backgroundThread, ChildSide)) {-    NS_WARNING("Failed to open ChildImpl!");--    // Can't release it here, we will release this reference in Destroy.-    ParentImpl* actor;-    parentActor.forget(&actor);--    actor->Destroy();--    return nullptr;-  }--  childActor->SetActorAlive();--  // Make sure the parent knows it is same process.-  parentActor->SetOtherProcessId(base::GetCurrentProcId());--  // Now that Open() has succeeded transfer the ownership of the actors to IPDL.-  Unused << parentActor.forget();--  return childActor.forget(); } // static@@ -1258,7 +955,7 @@   sBackgroundThread = thread.forget();-  sLiveActorsForBackgroundThread = new nsTArray<ParentImpl*>(1);+  sLiveActorsForBackgroundThread = new nsTArray<IToplevelProtocol*>(1);   if (!sShutdownTimer) {     MOZ_ASSERT(newShutdownTimer);@@ -1283,7 +980,8 @@     nsCOMPtr<nsIThread> thread = sBackgroundThread.get();     sBackgroundThread = nullptr;-    UniquePtr<nsTArray<ParentImpl*>> liveActors(sLiveActorsForBackgroundThread);+    UniquePtr<nsTArray<IToplevelProtocol*>> liveActors(+        sLiveActorsForBackgroundThread);     sLiveActorsForBackgroundThread = nullptr;     MOZ_ASSERT_IF(!sShutdownHasStarted, !sLiveActorCount);@@ -1333,20 +1031,21 @@   // finished.   
sLiveActorCount++;-  InvokeAsync(closure->mThread, __func__,-              [liveActors = closure->mLiveActors]() {-                MOZ_ASSERT(liveActors);--                if (!liveActors->IsEmpty()) {-                  // Copy the array since calling Close() could mutate the-                  // actual array.-                  nsTArray<ParentImpl*> actorsToClose(liveActors->Clone());-                  for (ParentImpl* actor : actorsToClose) {-                    actor->Close();-                  }-                }-                return GenericPromise::CreateAndResolve(true, __func__);-              })+  InvokeAsync(+      closure->mThread, __func__,+      [liveActors = closure->mLiveActors]() {+        MOZ_ASSERT(liveActors);++        if (!liveActors->IsEmpty()) {+          // Copy the array since calling Close() could mutate the+          // actual array.+          nsTArray<IToplevelProtocol*> actorsToClose(liveActors->Clone());+          for (IToplevelProtocol* actor : actorsToClose) {+            actor->Close();+          }+        }+        return GenericPromise::CreateAndResolve(true, __func__);+      })       ->Then(GetCurrentSerialEventTarget(), __func__, []() {         MOZ_ASSERT(sLiveActorCount);         sLiveActorCount--;@@ -1425,65 +1124,85 @@   return NS_OK; }-nsresult ParentImpl::CreateActorHelper::BlockAndGetResults(-    nsIEventTarget* aMainEventTarget, RefPtr<ParentImpl>& aParentActor,-    nsCOMPtr<nsIThread>& aThread) {-  AssertIsNotOnMainThread();--  if (aMainEventTarget) {-    MOZ_ALWAYS_SUCCEEDS(aMainEventTarget->Dispatch(this, NS_DISPATCH_NORMAL));
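Review bot: in the `ParentImpl::AllocStarter` hunk (`@@ -1110,29 +876,18 @@`), the connect runnable no longer handles a failed bind: `MOZ_ALWAYS_TRUE(endpoint.Bind(actor));` replaces the old `if (!endpoint.Bind(actorTmp)) { actorTmp->Destroy(); return; }`. `MOZ_ALWAYS_TRUE` evaluates its argument in every build but only asserts on the result in debug and diagnostic builds, so in a release build a failed `Bind` would fall through to `actor->SetLiveActorArray(liveActorArray)` on an unbound actor, with the `sLiveActorCount++` above it still needing to be balanced. Either keep an explicit failure branch, or add a comment stating why `Bind` cannot fail at this point. The same hunk also drops `MOZ_ASSERT(liveActorArray)` although the pointer is still captured and passed on; that assertion is cheap and worth keeping.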
AI Analysis
After analyzing the provided code diff, I can identify several security-related changes. Here's the analysis following your requested format:

1. Vulnerability Existed: yes
Race Condition in Thread-Safe Counting [ipc/glue/BackgroundImpl.cpp] [Lines around 135]
[Old Code]
static uint64_t sLiveActorCount;
[Fixed Code]
static Atomic<uint64_t> sLiveActorCount;
Details: The change makes the live actor count atomic to prevent race conditions when incrementing/decrementing from different threads.

2. Vulnerability Existed: yes
Insufficient Thread Safety for Live Actors Array [ipc/glue/BackgroundImpl.cpp] [Multiple lines]
[Old Code]
nsTArray<ParentImpl*>* sLiveActorsForBackgroundThread;
nsTArray<ParentImpl*>* mLiveActorArray;
[Fixed Code]
nsTArray<IToplevelProtocol*>* sLiveActorsForBackgroundThread;
nsTArray<IToplevelProtocol*>* mLiveActorArray;
Details: The array type was changed to use the base protocol class and appears to be part of improved thread safety measures.

3. Vulnerability Existed: yes
Potential Use-After-Free in Actor Management [ipc/glue/BackgroundImpl.cpp] [Lines around 205]
[Old Code]
static bool GetLiveActorArray(PBackgroundParent* aBackgroundActor,
                             nsTArray<PBackgroundParent*>& aLiveActorArray);
[Fixed Code]
(Removed entirely)
Details: The removal of this function suggests it may have had unsafe access patterns to the live actors array.

4. Vulnerability Existed: not sure
Potential IPC Endpoint Security Issue [ipc/glue/BackgroundImpl.cpp] [Multiple locations]
[Old Code]
Various direct PBackground creation methods
[Fixed Code]
New PBackgroundStarter protocol implementation
Details: The introduction of PBackgroundStarter appears to add a layer of indirection for creating background actors, which may improve security but the exact vulnerability being fixed isn't clear from the diff.

5. Vulnerability Existed: yes
Thread Safety in Starter Initialization [ipc/glue/BackgroundImpl.cpp] [Lines around 342]
[Old Code]
No explicit synchronization for starter initialization
[Fixed Code]
StaticDataMutex<StaticRefPtr<BackgroundStarterChild>> mStarter{"mStarter"};
Details: Added proper synchronization for starter initialization to prevent race conditions.

The changes appear to focus on improving thread safety, particularly around the management of live actors and the initialization of background processes. The introduction of atomic counters, mutex-protected data structures, and a new starter protocol all suggest fixes for potential race conditions and unsafe concurrent access patterns.
CVE Analysis Results:
CVE-2022-26384: No
third_party/rust/naga/src/valid/expression.rs AI: 2 vulnerabilities
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/third_party/rust/naga/src/valid/expression.rs+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/third_party/rust/naga/src/valid/expression.rs@@ -99,6 +99,12 @@     InvalidDepthReference(Handle<crate::Expression>),     #[error("Depth sample level can only be Auto or Zero")]     InvalidDepthSampleLevel,+    #[error("Gather level can only be Zero")]+    InvalidGatherLevel,+    #[error("Gather component {0:?} doesn't exist in the image")]+    InvalidGatherComponent(crate::SwizzleComponent),+    #[error("Gather can't be done for image dimension {0:?}")]+    InvalidGatherDimension(crate::ImageDimension),     #[error("Sample level (exact) type {0:?} is not a scalar float")]     InvalidSampleLevelExactType(Handle<crate::Expression>),     #[error("Sample level (bias) type {0:?} is not a scalar float")]@@ -343,6 +349,7 @@             E::ImageSample {                 image,                 sampler,+                gather,                 coordinate,                 array_index,                 offset,@@ -463,6 +470,26 @@                     match level {                         crate::SampleLevel::Auto | crate::SampleLevel::Zero => {}                         _ => return Err(ExpressionError::InvalidDepthSampleLevel),+                    }+                }++                if let Some(component) = gather {+                    match dim {+                        crate::ImageDimension::D2 | crate::ImageDimension::Cube => {}+                        crate::ImageDimension::D1 | crate::ImageDimension::D3 => {+                            return Err(ExpressionError::InvalidGatherDimension(dim))+                        }+                    };+                    let max_component = match class {+                        crate::ImageClass::Depth { .. 
} => crate::SwizzleComponent::X,+                        _ => crate::SwizzleComponent::W,+                    };+                    if component > max_component {+                        return Err(ExpressionError::InvalidGatherComponent(component));+                    }+                    match level {+                        crate::SampleLevel::Zero => {}+                        _ => return Err(ExpressionError::InvalidGatherLevel),                     }                 }@@ -739,7 +766,17 @@                             false                         }                     },-                    Bo::And | Bo::ExclusiveOr | Bo::InclusiveOr => match *left_inner {+                    Bo::And | Bo::InclusiveOr => match *left_inner {+                        Ti::Scalar { kind, .. } | Ti::Vector { kind, .. } => match kind {+                            Sk::Bool | Sk::Sint | Sk::Uint => left_inner == right_inner,+                            Sk::Float => false,+                        },+                        ref other => {+                            log::error!("Op {:?} left type {:?}", op, other);+                            false+                        }+                    },+                    Bo::ExclusiveOr => match *left_inner {                         Ti::Scalar { kind, .. } | Ti::Vector { kind, .. 
} => match kind {                             Sk::Sint | Sk::Uint => left_inner == right_inner,                             Sk::Bool | Sk::Float => false,@@ -950,6 +987,8 @@                     | Mf::Asinh                     | Mf::Acosh                     | Mf::Atanh+                    | Mf::Radians+                    | Mf::Degrees                     | Mf::Ceil                     | Mf::Floor                     | Mf::Round@@ -1194,7 +1233,7 @@                             _ => return Err(ExpressionError::InvalidArgumentType(fun, 0, arg)),                         }                     }-                    Mf::CountOneBits | Mf::ReverseBits => {+                    Mf::CountOneBits | Mf::ReverseBits | Mf::FindLsb | Mf::FindMsb => {                         if arg1_ty.is_some() | arg2_ty.is_some() | arg3_ty.is_some() {                             return Err(ExpressionError::WrongArgumentCount(fun));                         }@@ -1321,12 +1360,20 @@                 }                 ShaderStages::all()             }-            E::As { kind, convert, .. } => {-                match convert {-                    Some(width) if !self.check_width(kind, width) => {-                        return Err(ExpressionError::InvalidCastArgument)-                    }-                    _ => {}+            E::As {+                expr,+                kind,+                convert,+            } => {+                let base_width = match *resolver.resolve(expr)? {+                    crate::TypeInner::Scalar { width, .. }+                    | crate::TypeInner::Vector { width, .. }+                    | crate::TypeInner::Matrix { width, .. 
} => width,+                    _ => return Err(ExpressionError::InvalidCastArgument),+                };+                let width = convert.unwrap_or(base_width);+                if !self.check_width(kind, width) {+                    return Err(ExpressionError::InvalidCastArgument);                 }                 ShaderStages::all()             }
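Review bot: in the gather block added to the `E::ImageSample` arm (`@@ -463,6 +470,26 @@`), `if component > max_component` depends on the variant ordering of `crate::SwizzleComponent`, which nothing in this file states. A short comment naming that dependency, or an explicit `match` on the allowed components, would keep a later reordering of the enum from silently changing which components pass. Note also that the non-depth branch sets `max_component` to `W`, so the comparison can only fail for depth images; the `InvalidGatherComponent` message "doesn't exist in the image" is worth narrowing or commenting to say so.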
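Review bot: in the `E::As` arm (`@@ -1321,12 +1360,20 @@`), three different failures now return the same `ExpressionError::InvalidCastArgument`: an operand that is not a scalar, vector or matrix, a bad explicit `convert` width, and a bad inherited `base_width` when `convert` is `None`. A separate error variant for the non-numeric operand would make rejected shaders easier to diagnose. The old code skipped `check_width` entirely when `convert` was `None`, so a one-line comment recording that this case is now checked against `kind`, plus a test for it, would document the behaviour change.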
AI Analysis
Here's the analysis of the provided code diff for security fixes:

1. Vulnerability Existed: yes
   Invalid Gather Operation Validation [third_party/rust/naga/src/valid/expression.rs] [Lines 99-104, 343-470]
   Old Code: Missing validation for gather operations in image sampling
   Fixed Code: Added validation for gather operations including:
     - InvalidGatherLevel error
     - InvalidGatherComponent error
     - InvalidGatherDimension error
     - Checks for valid dimensions (D2/Cube only)
     - Checks for valid component (X for depth, up to W otherwise)
     - Requires SampleLevel::Zero for gather operations

2. Vulnerability Existed: not sure
   Bitwise Operation Validation [third_party/rust/naga/src/valid/expression.rs] [Lines 739-766]
   Old Code: Combined validation for And/ExclusiveOr/InclusiveOr operations
   Fixed Code: Separated validation for ExclusiveOr (only Sint/Uint) from And/InclusiveOr (Bool/Sint/Uint)
   Note: This appears to be a correctness fix rather than a security fix, but could potentially prevent type confusion issues.

3. Vulnerability Existed: not sure
   Math Function Validation [third_party/rust/naga/src/valid/expression.rs] [Lines 987-1194]
   Old Code: Missing validation for Radians/Degrees/FindLsb/FindMsb functions
   Fixed Code: Added these functions to the validation list
   Note: This appears to be feature completion rather than a security fix.

4. Vulnerability Existed: yes
   Type Cast Validation [third_party/rust/naga/src/valid/expression.rs] [Lines 1321-1360]
   Old Code: Basic validation for type casts without proper width checking
   Fixed Code: Added proper width checking for type casts by:
     - Extracting base width from the expression
     - Using either the conversion width or base width
     - Validating the width against the target type
   Note: This prevents potential type confusion or invalid casts that could lead to memory safety issues.
CVE Analysis Results:
CVE-2022-26384: No
layout/base/nsPresContext.h AI: Not sure
--- /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_97_END/firefox-FIREFOX_RELEASE_97_END/layout/base/nsPresContext.h+++ /root/PatchLeaks-main/products/firefox_downloads/FIREFOX_RELEASE_98_END/firefox-FIREFOX_RELEASE_98_END/layout/base/nsPresContext.h@@ -549,9 +549,10 @@   void RegisterManagedPostRefreshObserver(mozilla::ManagedPostRefreshObserver*);   void UnregisterManagedPostRefreshObserver(       mozilla::ManagedPostRefreshObserver*);++ protected:   void CancelManagedPostRefreshObservers();- protected:   void UpdateEffectiveTextZoom(); #ifdef DEBUG
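Review bot: the declaration of `CancelManagedPostRefreshObservers()` moves under `protected:` without a comment saying who is expected to call it. Since `RegisterManagedPostRefreshObserver` and `UnregisterManagedPostRefreshObserver` stay public, a one-line comment on the now-protected method (which class cancels the observers, and when) would explain the asymmetry. Also confirm that every existing caller is `nsPresContext` itself, a subclass or a friend, since the diff shows only the header and not the call sites.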
AI Analysis
Let me analyze the diff for potential security fixes.

Vulnerability Existed: not sure
[Potential Access Control Issue] [layout/base/nsPresContext.h] [Lines 549-553]
[Old Code]
  void RegisterManagedPostRefreshObserver(mozilla::ManagedPostRefreshObserver*);
  void UnregisterManagedPostRefreshObserver(
      mozilla::ManagedPostRefreshObserver*);
  void CancelManagedPostRefreshObservers();

 protected:
[Fixed Code]
  void RegisterManagedPostRefreshObserver(mozilla::ManagedPostRefreshObserver*);
  void UnregisterManagedPostRefreshObserver(
      mozilla::ManagedPostRefreshObserver*);

 protected:
  void CancelManagedPostRefreshObservers();

Additional Details:
The change moves the `CancelManagedPostRefreshObservers()` method from public to protected access. While this could potentially prevent unauthorized access to this functionality, it's not clear if this was an actual security vulnerability or just a code organization improvement. The change limits who can call this method, which could prevent misuse, but without more context about how this method is used, we can't be certain if this was fixing a security issue.
CVE Analysis Results:
CVE-2022-26384: No