`BlocksRingBuffer` had an "entry destructor" to make it a more generic
container, and it was useful during early prototyping of the new profiler
storage (so that we could store owning pointers).
But this entry destructor is stored in an `std::function`, which gets marked as
a potential GC caller by the js rooting hazard analyzer; and as this bug found,
it's not obvious where to place `JS::AutoSuppressGCAnalysis`, because profiler
entries (including stacks) could be added on one thread while GC happens
elsewhere, which triggers the embedded `AutoAssertNoGC` check.
Since we don't actually use the entry destructor facility in the profiler, it's
easier to just get rid of it. As a bonus, it's a small optimization.
Tests that were using an entry destructor now use the `State` instead, to verify
that entries are pushed and cleared as expected.
If needed in the future outside of the profiler, `BlocksRingBuffer` could again
include an entry destructor, but it would have to be through templating, so that
the class used in the profiler wouldn't contain an `std::function`.
Differential Revision: https://phabricator.services.mozilla.com/D46738
--HG--
extra : moz-landing-system : lando
Combine the LazyScript::function_ and JSScript::global_ fields into the
BaseScript type. This provides a common definition of script realm and
compartment. Currently a non-lazy function script will set this to point
to the global, but in future it should be made to point to
the canonical function for both the lazy and non-lazy cases.
Differential Revision: https://phabricator.services.mozilla.com/D40520
--HG--
extra : moz-landing-system : lando
The realm can be read off the global object and we can remove one step
in the mergeRealms code.
Differential Revision: https://phabricator.services.mozilla.com/D40519
--HG--
extra : moz-landing-system : lando
The UpdateTimerManager has an undocumented behaviour for firing its listeners
very soon after first registration (about 10min into the first session).
Let's document that behaviour, and make it optional.
Differential Revision: https://phabricator.services.mozilla.com/D46292
--HG--
extra : moz-landing-system : lando
As it turns out, the difference between the snapped local rect and the
unsnapped local rect was not just that the former contained snapped
primitives and the latter contained unsnapped primitives, but also that
the former took into account surface inflation for primitives, the
entire clip chain instead of just the primitive's local clip, and
removal of culled primitives. As such, the picture's rects can be wildly
different, even if snapping has been taken care of earlier, and parts of
WebRender have come to rely upon this more accurate representation of a
picture.
Differential Revision: https://phabricator.services.mozilla.com/D46605
--HG--
extra : moz-landing-system : lando
Note that to avoid introducing errors, I elected against renaming everything in
the code; internally to Firefox the code still refers to "UntrustedModules";
only the relevant fields have been renamed to reference the new ping schema.
A PR for backend schema changes is in the works.
Depends on D43161
Differential Revision: https://phabricator.services.mozilla.com/D43162
--HG--
rename : toolkit/components/telemetry/docs/data/untrusted-modules-ping.rst => toolkit/components/telemetry/docs/data/third-party-modules-ping.rst
rename : toolkit/components/telemetry/tests/unit/test_UntrustedModulesPing.js => toolkit/components/telemetry/tests/unit/test_ThirdPartyModulesPing.js
extra : moz-landing-system : lando
Untrusted modules 2.0 uses MFBT `Vector`, so this patch adds the ability for
`ProcessedStack` to receive those as input.
Depends on D43160
Differential Revision: https://phabricator.services.mozilla.com/D43161
--HG--
extra : moz-landing-system : lando
* Significant cleanup to `ModuleEvaluator`
* `UntrustedModuleData` holds all of the accumulated untrusted module info for
a single process.
* `ProcessedModuleLoadEvent` holds information about an individual untrusted
module load in a Gecko-friendly, sanitized, format.
* Since multiple `ProcessedModuleLoadEvent` objects may reference the same
module, we store module metadata in a shared `ModuleInfo` structure.
* The `UntrustedModulesProcessor` receives the events from `mozglue` and
processes them on a background thread:
** It does not start background processing until the main thread has gone idle.
The idea here is that we do not want to add any more background work until
we are reasonably confident that Gecko is no longer starting up or doing
other intense activity.
** Background processing runs at a background priority level, *except* when
results are requested by telemetry itself.
** Telemetry requests the data via `UntrustedModulesProcessor::GetProcessedData`
which runs at normal priority and returns a promise to the caller.
Depends on D43159
Differential Revision: https://phabricator.services.mozilla.com/D43160
--HG--
rename : toolkit/xre/ModuleEvaluator_windows.cpp => toolkit/xre/ModuleEvaluator.cpp
rename : toolkit/xre/ModuleEvaluator_windows.cpp => toolkit/xre/ModuleEvaluator.h
rename : toolkit/xre/ModuleVersionInfo_windows.cpp => toolkit/xre/ModuleVersionInfo.cpp
rename : toolkit/xre/ModuleVersionInfo_windows.h => toolkit/xre/ModuleVersionInfo.h
rename : toolkit/xre/ModuleEvaluator_windows.cpp => toolkit/xre/UntrustedModulesData.cpp
rename : toolkit/xre/ModuleEvaluator_windows.h => toolkit/xre/UntrustedModulesData.h
rename : toolkit/xre/ModuleEvaluator_windows.cpp => toolkit/xre/UntrustedModulesProcessor.cpp
rename : toolkit/xre/ModuleEvaluator_windows.h => toolkit/xre/UntrustedModulesProcessor.h
extra : moz-landing-system : lando
The `const` qualifier on `mVersion` was preventing move and copy, which we
now need this class to support.
Depends on D43158
Differential Revision: https://phabricator.services.mozilla.com/D43159
--HG--
extra : moz-landing-system : lando
* At this point our DLL blocking infra is complicated enough that I decided to
bite the bullet and move all of this code out of `mozglue/build` and into its
own subdirectory, `mozglue/dllservices`.
* We delete the original `UntrustedDllsHandler` code which is now obsolete.
* We implement mozglue's `LoaderObserver`:
** When this observer registers itself with the launcher process API, it
receives a vector containing all saved records of loaded DLLs that happened
until that moment.
** This code handles profiler labels and stackwalking suppression.
** Once a load has completed, we either pass the load on to XUL for further
processing, or save it for later if XUL is not initialized yet.
* mozglue has its own `ModuleLoadFrame` implementation for the legacy blocklist.
* `DllServicesBase` is updated to support the new interfaces.
* We implement `FallbackLoaderAPI` for `plugin-container`, `xpcshell`, and
any other non-`firefox` processes that do not have a launcher process
providing a loader API.
* We add some wide to UTF8 conversion functions.
Depends on D43157
Differential Revision: https://phabricator.services.mozilla.com/D43158
--HG--
rename : mozglue/build/Authenticode.cpp => mozglue/dllservices/Authenticode.cpp
rename : mozglue/build/Authenticode.h => mozglue/dllservices/Authenticode.h
rename : browser/app/winlauncher/freestanding/LoaderAPIInterfaces.h => mozglue/dllservices/LoaderAPIInterfaces.h
rename : browser/app/winlauncher/freestanding/ModuleLoadInfo.h => mozglue/dllservices/ModuleLoadInfo.h
rename : browser/app/winlauncher/NtLoaderAPI.h => mozglue/dllservices/NtLoaderAPI.h
rename : mozglue/build/WindowsDllBlocklist.cpp => mozglue/dllservices/WindowsDllBlocklist.cpp
rename : mozglue/build/WindowsDllBlocklist.h => mozglue/dllservices/WindowsDllBlocklist.h
rename : mozglue/build/WindowsDllBlocklistCommon.h => mozglue/dllservices/WindowsDllBlocklistCommon.h
rename : mozglue/build/WindowsDllBlocklistDefs.in => mozglue/dllservices/WindowsDllBlocklistDefs.in
rename : mozglue/build/WindowsDllServices.h => mozglue/dllservices/WindowsDllServices.h
rename : mozglue/build/gen_dll_blocklist_defs.py => mozglue/dllservices/gen_dll_blocklist_defs.py
rename : mozglue/build/moz.build => mozglue/dllservices/moz.build
rename : mozglue/build/MozglueUtils.h => mozglue/misc/WinUtils.h
extra : moz-landing-system : lando
The `freestanding` library is built with specific compiler flags to signify
that it is indeed freestanding code. That is, it does not depend on a
standard library.
One of the requirements of freestanding code is that the toolchain still
expects implementations of `memcpy`, `memmove`, `memcmp`, and `memset`.
I did briefly implement my own naive versions of these functions, but that
solution is less than ideal since the implementations must be `extern` and are
thus picked up by the entire `firefox.exe` binary. This denies the rest of
`firefox.exe` the benefit of optimized implementations. On Windows, the
sandbox is linked into `firefox.exe`, so we cannot just shrug and
assume that naive implementations will not have any effect on anything.
There are, however, optimized implementations of these functions that are
exported by `ntdll.dll`. They are not included in the `ntdll.lib` that is
included in the Windows SDK. Using `llvm-dlltool`, we can build an import
library containing the missing entries and then add that library to `OS_LIBS`.
Depends on D43156
Differential Revision: https://phabricator.services.mozilla.com/D43157
--HG--
extra : moz-landing-system : lando
* We refactor the blocklist code. Code that may possibly run before
initialization of the Win32 subsystem and the CRT is contained within the
`freestanding` library.
* The `freestanding` library's static initializers are placed in their own
section so that they may be manually invoked separately from the remaining
initializers in the binary.
* `CheckBlockInfo` and `IsDllAllowed` are modified to return a `BlockAction`
enum instead of a `bool`. This will be used more extensively in the future for
LSP blocking.
* The launcher process now hooks `LdrLoadDll` in addition to
`NtMapViewOfSection`. This is necessary so that we can collect timing
information.
* Telemetry recorders must implement the `LoaderObserver` interface.
* `ModuleLoadFrame` is a RAII class that collects the information about the
DLL load and dispatches the information to `LoaderObserver`s.
* The launcher process exposes an implementation of the `LoaderAPI` interface
that may be called by either the launcher process blocklist or the legacy
blocklist in `mozglue`.
* During startup, the launcher process implements its own `LoaderObserver`.
Once mozglue is running, it connects its `LoaderObserver` to the launcher
process, receives a vector containing the module load events, and then
stores and forwards them into XUL.
Depends on D43155
Differential Revision: https://phabricator.services.mozilla.com/D43156
--HG--
rename : browser/app/winlauncher/DllBlocklistWin.cpp => browser/app/winlauncher/DllBlocklistInit.cpp
rename : browser/app/winlauncher/DllBlocklistWin.h => browser/app/winlauncher/DllBlocklistInit.h
rename : browser/app/winlauncher/DllBlocklistWin.cpp => browser/app/winlauncher/freestanding/DllBlocklist.cpp
rename : browser/app/winlauncher/DllBlocklistWin.h => browser/app/winlauncher/freestanding/DllBlocklist.h
rename : browser/app/winlauncher/moz.build => browser/app/winlauncher/freestanding/moz.build
extra : moz-landing-system : lando
This patch adds the following:
* The `AllocatedUnicodeString` class which encapsulates a `UNICODE_STRING` and
owns its buffer. The buffers are null-terminated so that they may be used as
C-style strings without modification.
** We do not allow either creation or copying within XUL
* `RtlGetCurrentThreadId` and a test to validate it, so that we may obtain the
current thread ID directly from the `TEB` when we do not yet have access to
kernel32.
* An implementation of `SRWLock` that uses Rtl instead of Win32 so that we may
use them before we have access to Win32 DLLs.
* A memory allocation policy that uses Rtl heap functions so that we may use
MFBT `Vector` in code that might not yet have access to Win32 heap functions.
Differential Revision: https://phabricator.services.mozilla.com/D43155
--HG--
extra : moz-landing-system : lando
The two remaining consumers don't seem to depend on actually using this
specific nsresult in any way.
Differential Revision: https://phabricator.services.mozilla.com/D46462
--HG--
extra : moz-landing-system : lando
The changes to the return type of MerchantValidationEvent::init are because
Result doesn't allow having an ErrorResult (or any other type without a copy
constructor) as its error type. Plus we would have had the impedance mismatch
between Result<Ok, nsresult> (which is what URL resolution on the document
returns) and Result<Ok, ErrorResult> anyway.
Differential Revision: https://phabricator.services.mozilla.com/D46461
--HG--
extra : moz-landing-system : lando
Also, since OnProxyAvailable always happens on main regardless of the target we
set, don't bother setting the target.
Differential Revision: https://phabricator.services.mozilla.com/D46603
--HG--
extra : moz-landing-system : lando
Using left shift on a uint8_t promotes it to a signed integer. If the shift is
large enough that the sign bit gets affected, we have undefined behavior. This
patch fixes this by first casting to uint32_t.
Differential Revision: https://phabricator.services.mozilla.com/D46820
--HG--
extra : moz-landing-system : lando
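The integer-promotion issue described in the commit message above, as an added example in C (not code from the patch). The function names, the 24-bit shift and the length-prefixed record layout are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Pre-fix pattern, shown for comparison and never called: each uint8_t is
 * promoted to int before the shift, so b[0] >= 0x80 shifted by 24 needs the
 * sign bit of a 32-bit int. C11 6.5.7 leaves that result undefined. */
uint32_t read_be32_promoted(const uint8_t *b) {
    return (uint32_t)((b[0] << 24) | (b[1] << 16) | (b[2] << 8) | b[3]);
}

/* Fixed pattern: widen each byte to uint32_t first so every shift is done in
 * unsigned arithmetic, which is defined for all byte values. */
uint32_t read_be32(const uint8_t *b) {
    return ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) |
           ((uint32_t)b[2] << 8) | (uint32_t)b[3];
}

/* Hypothetical record layout (constructed for this example): a 4-byte
 * big-endian payload length followed by the payload. Returns 0 and stores the
 * length on success, -1 if the header or payload does not fit in the buffer. */
int parse_record(const uint8_t *buf, size_t len, uint32_t *payload_len) {
    if (len < 4) return -1;
    uint32_t n = read_be32(buf);
    if (n > len - 4) return -1; /* unsigned compare: 0x80000000 is rejected */
    *payload_len = n;
    return 0;
}

/* Constructed sample inputs: a valid 2-byte record, and a header whose top
 * length byte has its high bit set. */
const uint8_t kSmall[] = {0x00, 0x00, 0x00, 0x02, 0xAA, 0xBB};
const uint8_t kHighBit[] = {0x80, 0x00, 0x00, 0x00, 0xAA, 0xBB};

int main(void) {
    uint32_t n = 0;
    int ok = parse_record(kSmall, sizeof kSmall, &n) == 0 && n == 2;
    int rejected = parse_record(kHighBit, sizeof kHighBit, &n) == -1;
    return (ok && rejected) ? 0 : 1;
}
```

With the widened shifts, a length byte of `0x80` yields a large unsigned value that the bounds check rejects, rather than depending on what the compiler does with an overflowing signed shift.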
If the sets get too big we cannot allocate anything else, we'll just empty them
and invalidate the whole document.
Differential Revision: https://phabricator.services.mozilla.com/D46828
--HG--
extra : moz-landing-system : lando
People keep adding useless null-checks and it was not clear what the consensus
was from bug 1441165, but this should be unobjectionable I guess.
Differential Revision: https://phabricator.services.mozilla.com/D46781
--HG--
extra : moz-landing-system : lando
We compare two file ids to check the current process is launched from the same
executable. However, our telemetry showed a number of Win7 users failed to open
a file handle of the parent process with STATUS_OBJECT_PATH_NOT_FOUND even
though we opened a process handle and retrieved a module path of the parent
process successfully. We don't have data to explain how this happens or why
this happens only on Win7, Win10 10240, and 10586.
To mitigate this situation, this patch introduces logic to compare NT path
strings. The benefits of doing this are 1) we don't have to open a file handle
of a parent process executable and 2) when we get an NT path, a network drive
or a symbolic link is already solved.
This new logic is much faster, but we still compare file ids on the first
attempt to minimize the impact. We fall back to the new logic only if we
detect the STATUS_OBJECT_PATH_NOT_FOUND failure.
Differential Revision: https://phabricator.services.mozilla.com/D45476
--HG--
extra : moz-landing-system : lando