Closed Bug 739796 Opened 12 years ago Closed 12 years ago

Make same-origin cross-compartment location expandos visible in a compartment-per-global world

Categories

(Core :: XPConnect, defect)

Product:
Core
Component:
XPConnect
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla14

People

(Reporter: bholley, Assigned: bholley)

References

Details

Attachments

(3 files, 2 obsolete files)

part 1 - Move same-compartment security wrapping into a method on XPCWrappedNative. v1
6.19 KB, patch
gal
: review+
mrbkap
: feedback+
Details | Diff | Splinter Review
part 2 - Make same-origin cross-compartment Location object access go through the LW in the host compartment. v2
4.14 KB, patch
gal
: review+
mrbkap
: feedback-
Details | Diff | Splinter Review
part 1.5 - Make js_TransplantObjectWithWrapper and GetSameCompartmentSecurityWrapper play nicely together. v3
8.32 KB, patch
mrbkap
: review+
Details | Diff | Splinter Review 
Split off from bug 733984.
First, we do some refactoring.
Attachment #609924 - Flags: review?(mrbkap)
Attachment #609925 - Flags: review?(mrbkap)
Attachment #609925 - Flags: review+
Attachment #609925 - Flags: feedback?(mrbkap)
Attachment #609924 - Flags: review?(mrbkap)
Attachment #609924 - Flags: review+
Attachment #609924 - Flags: feedback?(mrbkap)
Darn, this turned the whole tree orange:

https://tbpl.mozilla.org/?tree=Try&rev=f886d566a87a

Looks like I didn't properly handle the interaction with TransplantObjectWithWrapper:

#0  0x0000000100030fed in MOZ_Crash () at Assertions.cpp:76
#1  0x000000010003104f in MOZ_Assert "cxCompartment == js::GetObjectCompartment(flat)" Assertions.cpp:88
#2  0x0000000103c941d4 in XPCWrappedNative::GetSameCompartmentSecurityWrapper XPCWrappedNative.cpp:2160
#3  0x0000000103d8d4e1 in xpc::WrapperFactory::Rewrap WrapperFactory.cpp:395
#4  0x0000000104adaeb3 in JSCompartment::wrap jscompartment.cpp:314
#5  0x0000000104adb2fc in JSCompartment::wrap jscompartment.cpp:357
#6  0x0000000104a94c03 in JS_WrapObject jsapi.cpp:1493
#7  0x0000000104a956ba in js_TransplantObjectWithWrapper jsapi.cpp:1691
#8  0x0000000103c987ba in XPCWrappedNative::ReparentWrapperIfFound XPCWrappedNative.cpp:1669

I'll look at it more tomorrow.
Comment on attachment 609924 [details] [diff] [review]
part 1 - Move same-compartment security wrapping into a method on XPCWrappedNative. v1

Review of attachment 609924 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/xpconnect/src/XPCConvert.cpp
@@ +1088,4 @@
>  
> +        // Outerize any inner windows.
> +        flat = JS_ObjectToOuterObject(cx, flat);
> +        NS_ASSERTION(flat, "bad outer object hook!");

MOZ_ASSERT?

::: js/xpconnect/src/XPCWrappedNative.cpp
@@ +2174,5 @@
> +        wrapper = xpc::WrapperFactory::WrapLocationObject(cx, flat);
> +        if (!wrapper)
> +            return NULL;
> +    }
> +    else if (NeedsSOW()) {

'} else if'?

::: js/xpconnect/src/xpcprivate.h
@@ +2707,5 @@
> +    // mFlatJSObject otherwise.
> +    //
> +    // This takes care of checking mWrapperWord to see if we already have such
> +    // a wrapper.
> +    JSObject* GetSameCompartmentSecurityWrapper(JSContext *cx);

JSObject *GetSameCompartmentSecurityWrapper
Comment on attachment 609925 [details] [diff] [review]
part 2 - Make same-origin cross-compartment Location object access go through the LW in the host compartment. v2

Review of attachment 609925 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/xpconnect/wrappers/WrapperFactory.cpp
@@ +387,5 @@
> +            // Do the double-wrapping if need be.
> +            if (IsLocationObject(obj)) {
> +                JSAutoEnterCompartment ac;
> +                if (!ac.enter(cx, obj))
> +                    return nsnull;

Null here

@@ +390,5 @@
> +                if (!ac.enter(cx, obj))
> +                    return nsnull;
> +                XPCWrappedNative *wn = GetWrappedNative(cx, obj);
> +                if (!wn)
> +                    return false;

And false here?
Comment on attachment 609924 [details] [diff] [review]
part 1 - Move same-compartment security wrapping into a method on XPCWrappedNative. v1

f=mrbkap with the same nits as Ms2ger.
Attachment #609924 - Flags: feedback?(mrbkap) → feedback+
Comment on attachment 609925 [details] [diff] [review]
part 2 - Make same-origin cross-compartment Location object access go through the LW in the host compartment. v2

With the benefit of hindsight, f- because this doesn't handle the ReparentWrapperIfFound case ;-)

I'm not sure how to fix the broken mochitests without loosening the assertion somehow, though.
Attachment #609925 - Flags: feedback?(mrbkap) → feedback-
Ugh, why do we even need to brain transplant location objects anyway? Couldn't we just null out any references to it, or replace it with the location object in the new scope? I guess maybe that wouldn't be much simpler...

Do brain transplants preserve expandos?
Summary: Make same-origin cross-compartment expandos visible in a compartment-per-global world → Make same-origin cross-compartment location expandos visible in a compartment-per-global world
Worked up a fix for the brain transplant stuff. Flagging mrbkap for review.

Pushed to try: https://tbpl.mozilla.org/?tree=Try&rev=1c7207f53975
Attachment #611951 - Flags: review?(mrbkap)
Comment on attachment 611951 [details] [diff] [review]
part 1.5: Make js_TransplantObjectWithWrapper and GetSameCompartmentSecurityWrapper play nicely together. v1

Holding my breath. :-)
Attachment #611951 - Flags: review?(mrbkap) → review+
Sigh, this is getting comical.

First of all, I hadn't noticed that we had test coverage that required SCSWs for
chrome. This seemed wrong to me, so I fixed it. Test changes included in this patch.

Additionally, the last patch caused failures when we hadn't ever done the lazy SCSW
generation before reparenting this wrapper. this meant that the SCSW really
did need to be created during the transplant, which failed for the same reasons.

This whole situation is a bit of a footgun for anyone else who ever tries to transplant
objects with SCSWs (though really, that's not exactly an easy thing regardless).
I'm sort of tempted just to get rid of the lazy generation entirely and _always_
generate SCSWs on XPCWN instantiation. That would get rid of this whole mess entirely,
and simplify the code. It would be a bit wasteful though, since we'd be generating
possibly-unnecessary SCSWs during cross-compartment cross-origin access. I'm not sure
if that's a huge deal, though.

Your call, blake. We can go the route of this patch, or I can rejigger and simplify all
this stuff so that we just create the SCSWs in XPCWN::GetNewOrUsed, and then we can just
grab them during wrapping, and not worry about when we can and can't create SCSWs during
cross-compartment wrapping.
Attachment #611951 - Attachment is obsolete: true
Attachment #612044 - Flags: review?(mrbkap)
Oh for f's sake...

So in my last try push ( https://tbpl.mozilla.org/?tree=Try&rev=bf79403e10bf ), it turned out that we aren't guaranteed to be in a given compartment (either the new or the old) during XPCWrappedNative::ReparentWrapperIfFound. Fixing that.

I pushed to try again here: https://tbpl.mozilla.org/?tree=Try&rev=ff772c14adc0

Given the track record, I'll avoid flagging for review again until we can get all the way through the unit tests without crashing during wrapper reparenting :\

Sorry for the churn, blake.
Comment on attachment 612116 [details] [diff] [review]
part 1.5 - Make js_TransplantObjectWithWrapper and GetSameCompartmentSecurityWrapper play nicely together. v3

_finally_.
Attachment #612116 - Flags: review?(mrbkap)
Attachment #612116 - Flags: review?(mrbkap) → review+
Pushed to try (without the other cpg baggage): https://tbpl.mozilla.org/?tree=Try&rev=644dd789143e
Depends on: 760118
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: