Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(559)

Issues Search
    My Issues | Starred     Open | Closed | All

Issue 101733002: Fixed global object leak (Closed)

Created:
7 years ago by Toon Verwaest
Modified:
4 years, 6 months ago
CC:
v8-dev, Paweł Hajdan Jr.
Visibility:
Public.

Description

Fixed global object leak caused by overwriting the global receiver (the global proxy) in the global object with the global object itself. This CL additionally removes the API function to reattach a global proxy to a global object. BUG=324812 LOG=y R=dcarney@chromium.org, titzer@chromium.org Committed: https://code.google.com/p/v8/source/detail?r=18299

Patch Set 1 #

Patch Set 2 : ASSERT that Global is not called after detaching the global object #

Total comments: 1

Patch Set 3 : fixed access checks #

Patch Set 4 : #

Patch Set 5 : #

Total comments: 1

Patch Set 6 : spacing #

Total comments: 2
Unified diffs Side-by-side diffs Delta from patch set Stats (+113 lines, -116 lines) Patch
M include/v8.h View 2 chunks +6 lines, -22 lines 0 comments Download
M src/api.cc View 1 2 3 4 5 2 chunks +6 lines, -10 lines 2 comments Download
M src/bootstrapper.h View 1 chunk +0 lines, -3 lines 0 comments Download
M src/bootstrapper.cc View 1 2 1 chunk +0 lines, -11 lines 0 comments Download
M src/objects.h View 1 2 3 3 chunks +5 lines, -0 lines 0 comments Download
M src/objects-inl.h View 1 2 3 1 chunk +7 lines, -10 lines 0 comments Download
M src/runtime.h View 1 2 1 chunk +1 line, -0 lines 0 comments Download
M src/runtime.cc View 1 2 1 chunk +10 lines, -0 lines 0 comments Download
M src/v8natives.js View 1 chunk +3 lines, -4 lines 0 comments Download
M test/cctest/test-api.cc View 1 2 3 4 7 chunks +62 lines, -35 lines 0 comments Download
M test/cctest/test-decls.cc View 1 chunk +3 lines, -3 lines 0 comments Download
M test/cctest/test-object-observe.cc View 1 2 3 4 3 chunks +10 lines, -18 lines 0 comments Download

Messages

Total messages: 11 (1 generated)
Toon Verwaest
PTAL
7 years ago (2013-12-03 12:23:24 UTC) #1
dcarney
On 2013/12/03 12:23:24, Toon Verwaest wrote: > PTAL lgtm, as long as you're sure that ...
7 years ago (2013-12-03 12:29:52 UTC) #2
adamk
https://chromiumcodereview.appspot.com/101733002/diff/20001/test/cctest/test-object-observe.cc File test/cctest/test-object-observe.cc (left): https://chromiumcodereview.appspot.com/101733002/diff/20001/test/cctest/test-object-observe.cc#oldcode262 test/cctest/test-object-observe.cc:262: CHECK(inner_global->StrictEquals(CompileRun("records[1].object"))); Seems like we still want to have a ...
7 years ago (2013-12-03 21:46:11 UTC) #3
dcarney
ptal
7 years ago (2013-12-10 11:18:10 UTC) #4
Toon Verwaest
LGTM with nit. In the future we probably want to remove the global-receiver/global-proxy and global-object/global-context ...
7 years ago (2013-12-10 12:11:02 UTC) #5
titzer
LGTM. Sheriff's note: please run all webkit tests before landing
7 years ago (2013-12-11 13:34:40 UTC) #6
dcarney
On 2013/12/11 13:34:40, titzer wrote: > LGTM. > Sheriff's note: please run all webkit tests ...
7 years ago (2013-12-11 13:35:34 UTC) #7
Toon Verwaest
Committed patchset #6 manually as r18299.
7 years ago (2013-12-11 13:52:03 UTC) #8
haraken
(Reviving this very old CL...) I'm now investigating security exploits on detached iframes. https://chromiumcodereview.appspot.com/101733002/diff/100001/src/api.cc File ...
4 years, 7 months ago (2016-05-18 05:58:33 UTC) #10
Toon Verwaest
4 years, 6 months ago (2016-05-30 21:34:12 UTC) #11
Message was sent while issue was closed. 
https://codereview.chromium.org/101733002/diff/100001/src/api.cc
File src/api.cc (right):

https://codereview.chromium.org/101733002/diff/100001/src/api.cc#newcode5417
src/api.cc:5417: global = i::Handle<i::Object>(context->global_object(),
isolate);
On 2016/05/18 05:58:32, haraken wrote:
> 
> It looks like that this is doing something dangerous. When Blink calls
> Context::Global for an detached iframe, it returns a global object (which may
be
> already used by another iframe), not the global proxy object.
> 
> Is the TODO still valid?
> 

Yes. We should never leak the naked global object to blink.

Powered by Google App Engine
This is Rietveld 408576698