a50f085eb3e6c506fd8e17acb669ef91b6f31390: Bug 1562292: Part 1c - Set BrowsingContext Closed flag at the same time as outer window's. r=nika
Kris Maglione <maglione.k@gmail.com> - Thu, 01 Aug 2019 19:46:32 -0700 - rev 488063
Push 36435 by cbrindusan@mozilla.com at Thu, 15 Aug 2019 09:46:49 +0000
Bug 1562292: Part 1c - Set BrowsingContext Closed flag at the same time as outer window's. r=nika We rely on the Closed flag to avoid targeting named window open operations to windows which have already closed. The DocShell's lookup logic checks the Closed flag of the outer window, while BrowsingContext's checks the flag of the context. The latter, however, is only set when the window's DocShell is destroyed, which happens much later, and leaves closed windows returning true from IsTargetable() for much longer than they should. This patch immediately sets the BrowsingContext's closed flag at the same time as we set the same flag on the outer window, and leaves the existing setters in case of any corner cases. Differential Revision: https://phabricator.services.mozilla.com/D40494
a8ac7bcafc270b5be3eca84efebcde672fe8fba5: Bug 1562292: Part 1b.2 - Don't fall back to named lookup for inaccessible special name. r=nika
Kris Maglione <maglione.k@gmail.com> - Thu, 08 Aug 2019 11:43:38 -0700 - rev 488062
Push 36435 by cbrindusan@mozilla.com at Thu, 15 Aug 2019 09:46:49 +0000
Bug 1562292: Part 1b.2 - Don't fall back to named lookup for inaccessible special name. r=nika Currently, if a window with a special name is inaccessible to the caller, we fall back to ordinary named lookup, which is not desirable. This patch changes that behavior so that we never attempt fallback for special names. Differential Revision: https://phabricator.services.mozilla.com/D41260
f1fc2382346d163fe18a8fe5d323aafa759e1317: Bug 1562292: Part 1b.1 - Fix FindWithSpecialName with inaccessible "_parent". r=nika
Kris Maglione <maglione.k@gmail.com> - Thu, 01 Aug 2019 18:45:47 -0700 - rev 488061
Push 36435 by cbrindusan@mozilla.com at Thu, 15 Aug 2019 09:46:49 +0000
Bug 1562292: Part 1b.1 - Fix FindWithSpecialName with inaccessible "_parent". r=nika The special name "_parent" resolves to the parent window when one exists, or the current target window if it does not. Either way, it returns null if the target is inaccessible. The current logic, however, treats inaccessible the same as nonexistent, and returns the current window if it has a parent from which it is sandboxed. This differs from the corresponding DocShell logic, which returns null in that case. This patch aligns the BrowsingContext behavior with the DocShell behavior. Differential Revision: https://phabricator.services.mozilla.com/D40493
d513683e1fdbfdb79f5112e9745f2fc0fb4e92fe: Bug 1562292: Part 1a - Consider requesting context in BrowsingContext lookup methods. r=farre
Kris Maglione <maglione.k@gmail.com> - Tue, 30 Jul 2019 17:30:55 -0700 - rev 488060
Push 36435 by cbrindusan@mozilla.com at Thu, 15 Aug 2019 09:46:49 +0000
Bug 1562292: Part 1a - Consider requesting context in BrowsingContext lookup methods. r=farre Access to a particular named browsing context depends on the caller who is attempting the access. For a call to `parent.open(..., name)`, for instance, it's the privileges of the sub-frame making the open() call that matter, even though the name resolution happens relative to the parent. The current BrowsingContext FindWithName logic always considers only the access of the BrowsingContext it's searching relative to, regardless of the caller, while the corresponding DocShell logic correctly takes the caller into account. This patch updates the APIs to allow passing a specific accessing BrowsingContext, and falls back to the target when one isn't passed (e.g., by WebIDL callers, to which the new parameter is not exposed). Differential Revision: https://phabricator.services.mozilla.com/D40492
99d4d3837b3ba32d26ece9fe77e337b968199283: Merge mozilla-central to mozilla-inbound. a=merge CLOSED TREE
Ciure Andrei <aciure@mozilla.com> - Wed, 14 Aug 2019 19:37:05 +0300 - rev 488059
Push 36435 by cbrindusan@mozilla.com at Thu, 15 Aug 2019 09:46:49 +0000
Merge mozilla-central to mozilla-inbound. a=merge CLOSED TREE
b18e834a1dafe9e1b8e36585239027030e3d07e3: bug 1569875: remote: fix link to Prefs.html; r=me a=doc
Andreas Tolfsen <ato@sny.no> - Wed, 14 Aug 2019 14:42:21 +0100 - rev 488058
Push 36435 by cbrindusan@mozilla.com at Thu, 15 Aug 2019 09:46:49 +0000
bug 1569875: remote: fix link to Prefs.html; r=me a=doc MANUAL PUSH: doc change DONTBUILD
144fbfb409b72b5849ace2a1e3c199c259f7c1d3: Merge autoland to mozilla-central. a=merge
Brindusan Cristian <cbrindusan@mozilla.com> - Thu, 15 Aug 2019 12:43:29 +0300 - rev 488057
Push 36434 by cbrindusan@mozilla.com at Thu, 15 Aug 2019 09:44:30 +0000
Merge autoland to mozilla-central. a=merge
26094588b48e14bb39fb838196e8d489b1a4c3ee: Bug 1573886 - Fix backdrop-filter blur errors due to incorrect scaling r=kvark
Connor Brewster <cbrewster@mozilla.com> - Wed, 14 Aug 2019 20:13:06 +0000 - rev 488056
Push 36434 by cbrindusan@mozilla.com at Thu, 15 Aug 2019 09:44:30 +0000
Bug 1573886 - Fix backdrop-filter blur errors due to incorrect scaling r=kvark Differential Revision: https://phabricator.services.mozilla.com/D42013
ed066ea4b64cf7ec8253027ad11bf0f90d12c27b: Bug 1573946 - Remove unused FxA toolbar menu strings r=flod
Vijay Budhram <vbudhram@mozilla.com> - Wed, 14 Aug 2019 19:28:02 +0000 - rev 488055
Push 36434 by cbrindusan@mozilla.com at Thu, 15 Aug 2019 09:44:30 +0000
Bug 1573946 - Remove unused FxA toolbar menu strings r=flod Differential Revision: https://phabricator.services.mozilla.com/D42017
d8ac382b5f1790a5da7e2da12e4e1c92c39bb22b: Bug 1479960 - Add unit tests for shared memory freezing. r=froydnj
Jed Davis <jld@mozilla.com> - Wed, 14 Aug 2019 22:48:52 +0000 - rev 488054
Push 36434 by cbrindusan@mozilla.com at Thu, 15 Aug 2019 09:44:30 +0000
Bug 1479960 - Add unit tests for shared memory freezing. r=froydnj Also refactor SharedMemoryBasic::SystemProtect to allow testing cases that are expected to fail. Depends on D26748 Differential Revision: https://phabricator.services.mozilla.com/D26749
86cb672b7000844c4802bc890e7b759e42e0e722: Bug 1536697 - Fix error handling in base::SharedMemory::Map. r=froydnj
Jed Davis <jld@mozilla.com> - Wed, 14 Aug 2019 22:48:51 +0000 - rev 488053
Push 36434 by cbrindusan@mozilla.com at Thu, 15 Aug 2019 09:44:30 +0000
Bug 1536697 - Fix error handling in base::SharedMemory::Map. r=froydnj If mmap failed, we'd leave the memory_ member variable set to MAP_FAILED, but everything else in this file checks for nullptr (and only nullptr) to test if the pointer is valid. Also, this removes the debug assertion that the mmap succeeded, to allow writing unit tests where we expect it to fail (e.g., for insufficient permissions). Depends on D26747 Differential Revision: https://phabricator.services.mozilla.com/D26748
87737e44c8b7537b159dfa0422ee599f85caf2c3: Bug 1426526 - Remove references to the old Chromium temporary file prefix. r=gsvelto,florian
Jed Davis <jld@mozilla.com> - Wed, 14 Aug 2019 22:48:43 +0000 - rev 488052
Push 36434 by cbrindusan@mozilla.com at Thu, 15 Aug 2019 09:44:30 +0000
Bug 1426526 - Remove references to the old Chromium temporary file prefix. r=gsvelto,florian With the removal of the old Chromium file_util code, we should no longer be using temporary files with names starting with "org.chromium.", so the crash reporter and main thread I/O test no longer need to recognize that prefix. Differential Revision: https://phabricator.services.mozilla.com/D34629
f936472f7576d515b673a4e42811a7daf0f3214d: Bug 1426526 - Delete file_util from ex-Chromium IPC source. r=froydnj
Jed Davis <jld@mozilla.com> - Wed, 14 Aug 2019 22:48:42 +0000 - rev 488051
Push 36434 by cbrindusan@mozilla.com at Thu, 15 Aug 2019 09:44:30 +0000
Bug 1426526 - Delete file_util from ex-Chromium IPC source. r=froydnj Depends on D26746 Differential Revision: https://phabricator.services.mozilla.com/D26747
c3ca7014893cd993088b4e6ad5f333ef7eed10a9: Bug 1479960 - Convert MemMapSnapshot to use frozen shared memory. r=kmag
Jed Davis <jld@mozilla.com> - Wed, 14 Aug 2019 22:48:40 +0000 - rev 488050
Push 36434 by cbrindusan@mozilla.com at Thu, 15 Aug 2019 09:44:30 +0000
Bug 1479960 - Convert MemMapSnapshot to use frozen shared memory. r=kmag Depends on D26745 Differential Revision: https://phabricator.services.mozilla.com/D26746
1fa598bf26998154cfc2c189a2a5f7fb862c7640: Bug 1479960 - Give SharedStringMap a magic number so that all zeroes isn't a valid instance. r=kmag
Jed Davis <jld@mozilla.com> - Wed, 14 Aug 2019 22:48:38 +0000 - rev 488049
Push 36434 by cbrindusan@mozilla.com at Thu, 15 Aug 2019 09:44:30 +0000
Bug 1479960 - Give SharedStringMap a magic number so that all zeroes isn't a valid instance. r=kmag There was a strange bug when converting SharedStringMap to use shared memory: on Android, some tests would fail because a pref wasn't set or there was something wrong with an expected error message. The root cause was that mapping ashmem with MAP_PRIVATE results in all zeroes (see bug 1525803), but that was read as a valid SharedStringMap with length 0. To prevent any possible future issues like that, this patch adds a nonzero magic number to the header. It fits into padding on 64-bit and the cost of setting and checking it should be essentially free. Depends on D26744 Differential Revision: https://phabricator.services.mozilla.com/D26745
0f466f2a18c0fcf9e552ea07158e847f88ca9950: Bug 1479960 - Make AutoMemMap not fstat() the mapped object if it doesn't need to. r=kmag
Jed Davis <jld@mozilla.com> - Wed, 14 Aug 2019 22:48:36 +0000 - rev 488048
Push 36434 by cbrindusan@mozilla.com at Thu, 15 Aug 2019 09:44:30 +0000
Bug 1479960 - Make AutoMemMap not fstat() the mapped object if it doesn't need to. r=kmag One problem with using shared memory instead of files for MemMapSnapshot is that AutoMemMap was trying to use fstat() to obtain the object size; that doesn't work with ashmem on Android and was causing problems with the Mac sandbox, but it's not necessary, because we already know the size. This patch changes it to not do that. Depends on D26743 Differential Revision: https://phabricator.services.mozilla.com/D26744
225411558a4eaa436ef6036eee1513427a156413: Bug 1479960 - Add freezing of IPC shared memory. r=froydnj,kmag
Jed Davis <jld@mozilla.com> - Wed, 14 Aug 2019 22:48:34 +0000 - rev 488047
Push 36434 by cbrindusan@mozilla.com at Thu, 15 Aug 2019 09:44:30 +0000
Bug 1479960 - Add freezing of IPC shared memory. r=froydnj,kmag This allows writing to shared memory and then making it read-only before sharing it to other processes, such that a malicious sandboxed process cannot regain write access. This is currently available only in the low-level base::SharedMemory interface. The freeze operation exposes the common subset of read-only shared memory that we can implement on all supported OSes: with some APIs (POSIX shm_open) we can't revoke writeability from existing capabilities, while for others (Android ashmem) we *must* revoke it. Thus, we require that the writeable capability not have been duplicated or shared to another process, and consume it as part of freezing. Also, because some backends need special handling at creation time, freezeability must be explicitly requested. In particular, this doesn't allow giving an untrusted process read-only access to memory that the original process can write. Note that on MacOS before 10.12 this will use temporary files in order to avoid an OS security bug that allows regaining write access; those OS versions are no longer supported by Apple (but are supported by Firefox). Depends on D26742 Differential Revision: https://phabricator.services.mozilla.com/D26743
ddfa5ff8106195214d932cedc963fe2f9191c5d0: Bug 1479960 - Fix the main thread I/O tests to handle the IPC shared memory changes. r=florian
Jed Davis <jld@mozilla.com> - Wed, 14 Aug 2019 22:48:33 +0000 - rev 488046
Push 36434 by cbrindusan@mozilla.com at Thu, 15 Aug 2019 09:44:30 +0000
Bug 1479960 - Fix the main thread I/O tests to handle the IPC shared memory changes. r=florian The tests for unexpected main thread I/O had exemptions for the specific paths that were being used for shared memory, which would cause it to fail with the changes in this bug. This patch does two things: 1. On Linux, /dev/shm is always tmpfs (a memory filesystem), so it's not going to cause disk I/O, and it's used by glibc to implement the POSIX standard shm_open API. This allows all /dev/shm paths instead of limiting it to a hard-coded prefix. 2. On MacOS, with the patches in this bug, we'll no longer use temporary files for shared memory on current OS versions, but we still need them on older versions to avoid an OS bug (https://crbug.com/project-zero/1671), and they are backed by disk in this case, so we want to allow only the IPC files. However, the path prefix has changed. Differential Revision: https://phabricator.services.mozilla.com/D34628
6da235c5a77c5fc23b11a7456c588974f1de878c: Bug 1479960 - Clean up shared_memory_posix error handling. r=froydnj
Jed Davis <jld@mozilla.com> - Wed, 14 Aug 2019 22:48:31 +0000 - rev 488045
Push 36434 by cbrindusan@mozilla.com at Thu, 15 Aug 2019 09:44:30 +0000
Bug 1479960 - Clean up shared_memory_posix error handling. r=froydnj This uses RAII to handle error-case cleanup in the POSIX backend for SharedMemory::Create, to simplify the complexity that will be added to support freezing. Depends on D26741 Differential Revision: https://phabricator.services.mozilla.com/D26742
bdf7a041928aa4673de020df11c069e0af996d50: Bug 1479960 - Fix max_size in shared_memory_posix. r=froydnj
Jed Davis <jld@mozilla.com> - Wed, 14 Aug 2019 22:48:29 +0000 - rev 488044
Push 36434 by cbrindusan@mozilla.com at Thu, 15 Aug 2019 09:44:30 +0000
Bug 1479960 - Fix max_size in shared_memory_posix. r=froydnj The Unix backend for shared memory needs to keep the mapped size to pass to munmap, while the Windows backend doesn't. Currently it's reusing the max_size field, and then zeroing it when it's unmapped, which breaks the freezing use case. This patch uses a dedicated field for that. Depends on D26740 Differential Revision: https://phabricator.services.mozilla.com/D26741