[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-commits] [Git][tpo/applications/tor-browser][base-browser-128.3.0esr-14.0-1] Bug 1911745 - Unify BrowsingContext flag coherency checks, r=mccr8



Title: GitLab

ma1 pushed to branch base-browser-128.3.0esr-14.0-1 at The Tor Project / Applications / Tor Browser

Commits:

  • eda9f7de
    by Nika Layzell at 2024-10-01T22:29:35+02:00
    Bug 1911745 - Unify BrowsingContext flag coherency checks, r=mccr8
    
    Previously these checks were largely diagnostic tools for finding bugs
    in other code as it evolves. This unifies the checks a bit more and
    makes them stronger for BrowsingContexts created over IPC, providing a
    place for more coherency checks to be added in the future.
    
    Differential Revision: https://phabricator.services.mozilla.com/D218860

2 changed files:

Changes:

  • docshell/base/BrowsingContext.cpp
    ... ... @@ -578,9 +578,20 @@ mozilla::ipc::IPCResult BrowsingContext::CreateFromIPC(
    578 578
       context->mRequestContextId = aInit.mRequestContextId;
    
    579 579
       // NOTE: Private browsing ID is set by `SetOriginAttributes`.
    
    580 580
     
    
    581
    +  if (const char* failure =
    
    582
    +          context->BrowsingContextCoherencyChecks(aOriginProcess)) {
    
    583
    +    mozilla::ipc::IProtocol* actor = aOriginProcess;
    
    584
    +    if (!actor) {
    
    585
    +      actor = ContentChild::GetSingleton();
    
    586
    +    }
    
    587
    +    return IPC_FAIL_UNSAFE_PRINTF(actor, "Incoherent BrowsingContext: %s",
    
    588
    +                                  failure);
    
    589
    +  }
    
    590
    +
    
    581 591
       Register(context);
    
    582 592
     
    
    583
    -  return context->Attach(/* aFromIPC */ true, aOriginProcess);
    
    593
    +  context->Attach(/* aFromIPC */ true, aOriginProcess);
    
    594
    +  return IPC_OK();
    
    584 595
     }
    
    585 596
     
    
    586 597
     BrowsingContext::BrowsingContext(WindowContext* aParentWindow,
    
    ... ... @@ -795,8 +806,64 @@ void BrowsingContext::Embed() {
    795 806
       }
    
    796 807
     }
    
    797 808
     
    
    798
    -mozilla::ipc::IPCResult BrowsingContext::Attach(bool aFromIPC,
    
    799
    -                                                ContentParent* aOriginProcess) {
    
    809
    +const char* BrowsingContext::BrowsingContextCoherencyChecks(
    
    810
    +    ContentParent* aOriginProcess) {
    
    811
    +#define COHERENCY_ASSERT(condition) \
    
    812
    +  if (!(condition)) return "Assertion " #condition " failed";
    
    813
    +
    
    814
    +  if (mGroup->IsPotentiallyCrossOriginIsolated() !=
    
    815
    +      (Top()->GetOpenerPolicy() ==
    
    816
    +       nsILoadInfo::OPENER_POLICY_SAME_ORIGIN_EMBEDDER_POLICY_REQUIRE_CORP)) {
    
    817
    +    return "Invalid CrossOriginIsolated state";
    
    818
    +  }
    
    819
    +
    
    820
    +  if (aOriginProcess && !IsContent()) {
    
    821
    +    return "Content cannot create chrome BCs";
    
    822
    +  }
    
    823
    +
    
    824
    +  // LoadContext should generally match our opener or parent.
    
    825
    +  if (IsContent()) {
    
    826
    +    if (RefPtr<BrowsingContext> opener = GetOpener()) {
    
    827
    +      COHERENCY_ASSERT(opener->mType == mType);
    
    828
    +      COHERENCY_ASSERT(opener->mGroup == mGroup);
    
    829
    +      COHERENCY_ASSERT(opener->mUseRemoteTabs == mUseRemoteTabs);
    
    830
    +      COHERENCY_ASSERT(opener->mUseRemoteSubframes == mUseRemoteSubframes);
    
    831
    +      COHERENCY_ASSERT(opener->mPrivateBrowsingId == mPrivateBrowsingId);
    
    832
    +      COHERENCY_ASSERT(
    
    833
    +          opener->mOriginAttributes.EqualsIgnoringFPD(mOriginAttributes));
    
    834
    +    }
    
    835
    +  }
    
    836
    +  if (RefPtr<BrowsingContext> parent = GetParent()) {
    
    837
    +    COHERENCY_ASSERT(parent->mType == mType);
    
    838
    +    COHERENCY_ASSERT(parent->mGroup == mGroup);
    
    839
    +    COHERENCY_ASSERT(parent->mUseRemoteTabs == mUseRemoteTabs);
    
    840
    +    COHERENCY_ASSERT(parent->mUseRemoteSubframes == mUseRemoteSubframes);
    
    841
    +    COHERENCY_ASSERT(parent->mPrivateBrowsingId == mPrivateBrowsingId);
    
    842
    +    COHERENCY_ASSERT(
    
    843
    +        parent->mOriginAttributes.EqualsIgnoringFPD(mOriginAttributes));
    
    844
    +  }
    
    845
    +
    
    846
    +  // UseRemoteSubframes and UseRemoteTabs must match.
    
    847
    +  if (mUseRemoteSubframes && !mUseRemoteTabs) {
    
    848
    +    return "Cannot set useRemoteSubframes without also setting useRemoteTabs";
    
    849
    +  }
    
    850
    +
    
    851
    +  // Double-check OriginAttributes/Private Browsing
    
    852
    +  // Chrome browsing contexts must not have a private browsing OriginAttribute
    
    853
    +  // Content browsing contexts must maintain the equality:
    
    854
    +  // mOriginAttributes.mPrivateBrowsingId == mPrivateBrowsingId
    
    855
    +  if (IsChrome()) {
    
    856
    +    COHERENCY_ASSERT(mOriginAttributes.mPrivateBrowsingId == 0);
    
    857
    +  } else {
    
    858
    +    COHERENCY_ASSERT(mOriginAttributes.mPrivateBrowsingId ==
    
    859
    +                     mPrivateBrowsingId);
    
    860
    +  }
    
    861
    +#undef COHERENCY_ASSERT
    
    862
    +
    
    863
    +  return nullptr;
    
    864
    +}
    
    865
    +
    
    866
    +void BrowsingContext::Attach(bool aFromIPC, ContentParent* aOriginProcess) {
    
    800 867
       MOZ_DIAGNOSTIC_ASSERT(!mEverAttached);
    
    801 868
       MOZ_DIAGNOSTIC_ASSERT_IF(aFromIPC, aOriginProcess || XRE_IsContentProcess());
    
    802 869
       mEverAttached = true;
    
    ... ... @@ -815,25 +882,15 @@ mozilla::ipc::IPCResult BrowsingContext::Attach(bool aFromIPC,
    815 882
       MOZ_DIAGNOSTIC_ASSERT(mGroup);
    
    816 883
       MOZ_DIAGNOSTIC_ASSERT(!mIsDiscarded);
    
    817 884
     
    
    818
    -  if (mGroup->IsPotentiallyCrossOriginIsolated() !=
    
    819
    -      (Top()->GetOpenerPolicy() ==
    
    820
    -       nsILoadInfo::OPENER_POLICY_SAME_ORIGIN_EMBEDDER_POLICY_REQUIRE_CORP)) {
    
    821
    -    MOZ_DIAGNOSTIC_ASSERT(aFromIPC);
    
    822
    -    if (aFromIPC) {
    
    823
    -      auto* actor = aOriginProcess
    
    824
    -                        ? static_cast<mozilla::ipc::IProtocol*>(aOriginProcess)
    
    825
    -                        : static_cast<mozilla::ipc::IProtocol*>(
    
    826
    -                              ContentChild::GetSingleton());
    
    827
    -      return IPC_FAIL(
    
    828
    -          actor,
    
    829
    -          "Invalid CrossOriginIsolated state in BrowsingContext::Attach call");
    
    830
    -    } else {
    
    831
    -      MOZ_CRASH(
    
    832
    -          "Invalid CrossOriginIsolated state in BrowsingContext::Attach call");
    
    885
    +#ifdef MOZ_DIAGNOSTIC_ASSERT_ENABLED
    
    886
    +  // We'll already have checked this if `aFromIPC` is set before calling this
    
    887
    +  // function.
    
    888
    +  if (!aFromIPC) {
    
    889
    +    if (const char* failure = BrowsingContextCoherencyChecks(aOriginProcess)) {
    
    890
    +      MOZ_CRASH_UNSAFE_PRINTF("Incoherent BrowsingContext: %s", failure);
    
    833 891
         }
    
    834 892
       }
    
    835
    -
    
    836
    -  AssertCoherentLoadContext();
    
    893
    +#endif
    
    837 894
     
    
    838 895
       // Add ourselves either to our parent or BrowsingContextGroup's child list.
    
    839 896
       // Important: We shouldn't return IPC_FAIL after this point, since the
    
    ... ... @@ -915,7 +972,6 @@ mozilla::ipc::IPCResult BrowsingContext::Attach(bool aFromIPC,
    915 972
       if (XRE_IsParentProcess()) {
    
    916 973
         Canonical()->CanonicalAttach();
    
    917 974
       }
    
    918
    -  return IPC_OK();
    
    919 975
     }
    
    920 976
     
    
    921 977
     void BrowsingContext::Detach(bool aFromIPC) {
    
    ... ... @@ -1768,40 +1824,6 @@ nsresult BrowsingContext::SetOriginAttributes(const OriginAttributes& aAttrs) {
    1768 1824
       return NS_OK;
    
    1769 1825
     }
    
    1770 1826
     
    
    1771
    -void BrowsingContext::AssertCoherentLoadContext() {
    
    1772
    -#ifdef MOZ_DIAGNOSTIC_ASSERT_ENABLED
    
    1773
    -  // LoadContext should generally match our opener or parent.
    
    1774
    -  if (IsContent()) {
    
    1775
    -    if (RefPtr<BrowsingContext> opener = GetOpener()) {
    
    1776
    -      MOZ_DIAGNOSTIC_ASSERT(opener->mType == mType);
    
    1777
    -      MOZ_DIAGNOSTIC_ASSERT(opener->mGroup == mGroup);
    
    1778
    -      MOZ_DIAGNOSTIC_ASSERT(opener->mUseRemoteTabs == mUseRemoteTabs);
    
    1779
    -      MOZ_DIAGNOSTIC_ASSERT(opener->mUseRemoteSubframes == mUseRemoteSubframes);
    
    1780
    -      MOZ_DIAGNOSTIC_ASSERT(opener->mPrivateBrowsingId == mPrivateBrowsingId);
    
    1781
    -      MOZ_DIAGNOSTIC_ASSERT(
    
    1782
    -          opener->mOriginAttributes.EqualsIgnoringFPD(mOriginAttributes));
    
    1783
    -    }
    
    1784
    -  }
    
    1785
    -  if (RefPtr<BrowsingContext> parent = GetParent()) {
    
    1786
    -    MOZ_DIAGNOSTIC_ASSERT(parent->mType == mType);
    
    1787
    -    MOZ_DIAGNOSTIC_ASSERT(parent->mGroup == mGroup);
    
    1788
    -    MOZ_DIAGNOSTIC_ASSERT(parent->mUseRemoteTabs == mUseRemoteTabs);
    
    1789
    -    MOZ_DIAGNOSTIC_ASSERT(parent->mUseRemoteSubframes == mUseRemoteSubframes);
    
    1790
    -    MOZ_DIAGNOSTIC_ASSERT(parent->mPrivateBrowsingId == mPrivateBrowsingId);
    
    1791
    -    MOZ_DIAGNOSTIC_ASSERT(
    
    1792
    -        parent->mOriginAttributes.EqualsIgnoringFPD(mOriginAttributes));
    
    1793
    -  }
    
    1794
    -
    
    1795
    -  // UseRemoteSubframes and UseRemoteTabs must match.
    
    1796
    -  MOZ_DIAGNOSTIC_ASSERT(
    
    1797
    -      !mUseRemoteSubframes || mUseRemoteTabs,
    
    1798
    -      "Cannot set useRemoteSubframes without also setting useRemoteTabs");
    
    1799
    -
    
    1800
    -  // Double-check OriginAttributes/Private Browsing
    
    1801
    -  AssertOriginAttributesMatchPrivateBrowsing();
    
    1802
    -#endif
    
    1803
    -}
    
    1804
    -
    
    1805 1827
     void BrowsingContext::AssertOriginAttributesMatchPrivateBrowsing() {
    
    1806 1828
       // Chrome browsing contexts must not have a private browsing OriginAttribute
    
    1807 1829
       // Content browsing contexts must maintain the equality:
    

  • docshell/base/BrowsingContext.h
    ... ... @@ -984,7 +984,18 @@ class BrowsingContext : public nsILoadContext, public nsWrapperCache {
    984 984
                                            bool aHasPostData);
    
    985 985
     
    
    986 986
      private:
    
    987
    -  mozilla::ipc::IPCResult Attach(bool aFromIPC, ContentParent* aOriginProcess);
    
    987
    +  // Assert that this BrowsingContext is coherent relative to related
    
    988
    +  // BrowsingContexts. This will be run before the BrowsingContext is attached.
    
    989
    +  //
    
    990
    +  // A non-null string return value indicates that there was a coherency check
    
    991
    +  // failure, which will be handled with either a crash or IPC failure.
    
    992
    +  //
    
    993
    +  // If provided, `aOriginProcess` is the process which is responsible for the
    
    994
    +  // creation of this BrowsingContext.
    
    995
    +  [[nodiscard]] const char* BrowsingContextCoherencyChecks(
    
    996
    +      ContentParent* aOriginProcess);
    
    997
    +
    
    998
    +  void Attach(bool aFromIPC, ContentParent* aOriginProcess);
    
    988 999
     
    
    989 1000
       // Recomputes whether we can execute scripts in this BrowsingContext based on
    
    990 1001
       // the value of AllowJavascript() and whether scripts are allowed in the
    
    ... ... @@ -998,10 +1009,6 @@ class BrowsingContext : public nsILoadContext, public nsWrapperCache {
    998 1009
     
    
    999 1010
       void AssertOriginAttributesMatchPrivateBrowsing();
    
    1000 1011
     
    
    1001
    -  // Assert that the BrowsingContext's LoadContext flags appear coherent
    
    1002
    -  // relative to related BrowsingContexts.
    
    1003
    -  void AssertCoherentLoadContext();
    
    1004
    -
    
    1005 1012
       friend class ::nsOuterWindowProxy;
    
    1006 1013
       friend class ::nsGlobalWindowOuter;
    
    1007 1014
       friend class WindowContext;
    

  • _______________________________________________
    tor-commits mailing list
    tor-commits@xxxxxxxxxxxxxxxxxxxx
    https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-commits