Closed Bug 1074863 Opened 10 years ago Closed 10 years ago

Assertion failure: GetXrayType(obj) == XrayForJSObject (We should use XrayWrappers for standard ES Object, Array, and Function instances modulo this hack)

Categories

(Core :: XPConnect, defect)

Platform: x86
OS: All
Type: defect
Priority: Not set
Severity: normal

Tracking

RESOLVED FIXED
mozilla35

People

(Reporter: cbook, Assigned: bholley)

Details

(Keywords: assertion)

Attachments

(2 files, 1 obsolete file)

Found via bughunter: go to http://edition.cnn.com/ in a Windows 7 debug build (also seems to hit this assertion failure on Mac) ->

Assertion failure: GetXrayType(obj) == XrayForJSObject (We should use XrayWrappers for standard ES Object, Array, and Function instances modulo this hack)

Marking as a security bug since exploitability risk was marked as medium on Mac assertion failures.

Assertion failure: GetXrayType(obj) == XrayForJSObject (We should use XrayWrappers for standard ES Object, Array, and Function instances modulo this hack), at c:\users\mozilla\debug-builds\mozilla-central\js\xpconnect\wrappers\WrapperFactory.cpp:120
xpc::WrapperFactory::PrepareForWrapping+0x000002AC [xul +0x0000000000960CEC] (c:\users\mozilla\debug-builds\mozilla-central\js\xpconnect\wrappers\wrapperfactory.cpp, line 204)
JSCompartment::wrap+0x000005B8 [mozjs +0x000000000052EC48] (c:\users\mozilla\debug-builds\mozilla-central\js\src\jscompartment.cpp, line 406)
JSCompartment::wrap+0x00000250 [mozjs +0x000000000052F8D0] (c:\users\mozilla\debug-builds\mozilla-central\js\src\jscompartmentinlines.h, line 117)
js::CrossCompartmentWrapper::get+0x0000011C [mozjs +0x0000000000647A9C] (c:\users\mozilla\debug-builds\mozilla-central\js\src\proxy\crosscompartmentwrapper.cpp, line 138)
js::Proxy::get+0x00000117 [mozjs +0x0000000000647C67] (c:\users\mozilla\debug-builds\mozilla-central\js\src\proxy\proxy.cpp, line 278)
js::proxy_GetGeneric+0x0000001C [mozjs +0x000000000062F23C] (c:\users\mozilla\debug-builds\mozilla-central\js\src\proxy\proxy.cpp, line 645)
JSObject::getGeneric+0x000000CC [mozjs +0x000000000000CA3C] (c:\users\mozilla\debug-builds\mozilla-central\js\src\jsobj.h, line 1028)
GetPropertyOperation+0x000002D0 [mozjs +0x0000000000689D30] (c:\users\mozilla\debug-builds\mozilla-central\js\src\vm\interpreter.cpp, line 251)
Interpret+0x00007C2F [mozjs +0x000000000069336F] (c:\users\mozilla\debug-builds\mozilla-central\js\src\vm\interpreter.cpp, line 2389)
js::RunScript+0x0000021F [mozjs +0x00000000006A10AF] (c:\users\mozilla\debug-builds\mozilla-central\js\src\vm\interpreter.cpp, line 434)
js::Invoke+0x00000439 [mozjs +0x000000000069C949] (c:\users\mozilla\debug-builds\mozilla-central\js\src\vm\interpreter.cpp, line 503)
js::Invoke+0x00000264 [mozjs +0x000000000069C494] (c:\users\mozilla\debug-builds\mozilla-central\js\src\vm\interpreter.cpp, line 540)
js::jit::DoCallFallback+0x00000521 [mozjs +0x00000000002AF041] (c:\users\mozilla\debug-builds\mozilla-central\js\src\jit\baselineic.cpp, line 8638)
UNKNOWN 0x00000000266D6D22
UNKNOWN 0x000000000E5B7710
UNKNOWN 0x00000000266D0A19
EnterBaseline+0x0000026E [mozjs +0x00000000002B63EE] (c:\users\mozilla\debug-builds\mozilla-central\js\src\jit\baselinejit.cpp, line 116)
js::jit::EnterBaselineAtBranch+0x0000024C [mozjs +0x00000000002B67DC] (c:\users\mozilla\debug-builds\mozilla-central\js\src\jit\baselinejit.cpp, line 201)
Interpret+0x00000F00 [mozjs +0x000000000068C640] (c:\users\mozilla\debug-builds\mozilla-central\js\src\vm\interpreter.cpp, line 1702)
js::RunScript+0x0000021F [mozjs +0x00000000006A10AF] (c:\users\mozilla\debug-builds\mozilla-central\js\src\vm\interpreter.cpp, line 434)
js::Invoke+0x00000439 [mozjs +0x000000000069C949] (c:\users\mozilla\debug-builds\mozilla-central\js\src\vm\interpreter.cpp, line 503)
js::Invoke+0x00000264 [mozjs +0x000000000069C494] (c:\users\mozilla\debug-builds\mozilla-central\js\src\vm\interpreter.cpp, line 540)
JS::Call+0x00000084 [mozjs +0x00000000004DB034] (c:\users\mozilla\debug-builds\mozilla-central\js\src\jsapi.cpp, line 5025)
mozilla::dom::Function::Call+0x00000274 [xul +0x000000000142E7B4] (c:\users\mozilla\debug-builds\mozilla-central\firefox-debug\dom\bindings\functionbinding.cpp, line 36)
mozilla::dom::Function::Call<nsCOMPtr<nsISupports> >+0x00000174 [xul +0x00000000010ADC84] (c:\users\mozilla\debug-builds\mozilla-central\firefox-debug\dist\include\mozilla\dom\functionbinding.h, line 58)
nsGlobalWindow::RunTimeoutHandler+0x00000393 [xul +0x00000000010E0D73] (c:\users\mozilla\debug-builds\mozilla-central\dom\base\nsglobalwindow.cpp, line 12242)
nsGlobalWindow::RunTimeout+0x00000401 [xul +0x00000000010E0841] (c:\users\mozilla\debug-builds\mozilla-central\dom\base\nsglobalwindow.cpp, line 12465)
nsGlobalWindow::TimerCallback+0x00000032 [xul +0x00000000010EA182] (c:\users\mozilla\debug-builds\mozilla-central\dom\base\nsglobalwindow.cpp, line 12712)
nsTimerImpl::Fire+0x000003CA [xul +0x00000000000FB2BA] (c:\users\mozilla\debug-builds\mozilla-central\xpcom\threads\nstimerimpl.cpp, line 618)
nsTimerEvent::Run+0x0000008E [xul +0x000000000010330E] (c:\users\mozilla\debug-builds\mozilla-central\xpcom\threads\nstimerimpl.cpp, line 716)
nsThread::ProcessNextEvent+0x00000592 [xul +0x00000000000FFBB2] (c:\users\mozilla\debug-builds\mozilla-central\xpcom\threads\nsthread.cpp, line 830)
NS_ProcessNextEvent+0x00000062 [xul +0x00000000001483F2] (c:\users\mozilla\debug-builds\mozilla-central\xpcom\glue\nsthreadutils.cpp, line 265)
mozilla::ipc::MessagePump::Run+0x0000016D [xul +0x000000000055003D] (c:\users\mozilla\debug-builds\mozilla-central\ipc\glue\messagepump.cpp, line 99)
MessageLoop::RunInternal+0x0000004D [xul +0x00000000004F286D] (c:\users\mozilla\debug-builds\mozilla-central\ipc\chromium\src\base\message_loop.cc, line 231)
MessageLoop::RunHandler+0x00000082 [xul +0x00000000004F2802] (c:\users\mozilla\debug-builds\mozilla-central\ipc\chromium\src\base\message_loop.cc, line 224)
MessageLoop::Run+0x0000001D [xul +0x00000000004F24BD] (c:\users\mozilla\debug-builds\mozilla-central\ipc\chromium\src\base\message_loop.cc, line 198)
nsBaseAppShell::Run+0x00000050 [xul +0x0000000001F8E6E0] (c:\users\mozilla\debug-builds\mozilla-central\widget\xpwidgets\nsbaseappshell.cpp, line 166)
nsAppShell::Run+0x00000017 [xul +0x0000000001FEEE77] (c:\users\mozilla\debug-builds\mozilla-central\widget\windows\nsappshell.cpp, line 178)
nsAppStartup::Run+0x0000006A [xul +0x0000000002F4F4FA] (c:\users\mozilla\debug-builds\mozilla-central\toolkit\components\startup\nsappstartup.cpp, line 280)
XREMain::XRE_mainRun+0x000012A7 [xul +0x0000000002FC5027] (c:\users\mozilla\debug-builds\mozilla-central\toolkit\xre\nsapprunner.cpp, line 4164)
XREMain::XRE_main+0x000002BE [xul +0x0000000002FC293E] (c:\users\mozilla\debug-builds\mozilla-central\toolkit\xre\nsapprunner.cpp, line 4235)
XRE_main+0x00000035 [xul +0x0000000002FC6A05] (c:\users\mozilla\debug-builds\mozilla-central\toolkit\xre\nsapprunner.cpp, line 4449)
do_main+0x000005D1 [firefox +0x0000000000002D01] (c:\users\mozilla\debug-builds\mozilla-central\browser\app\nsbrowserapp.cpp, line 282)
NS_internal_main+0x0000015D [firefox +0x000000000000227D] (c:\users\mozilla\debug-builds\mozilla-central\browser\app\nsbrowserapp.cpp, line 643)
wmain+0x0000012E [firefox +0x00000000000032DE] (c:\users\mozilla\debug-builds\mozilla-central\toolkit\xre\nswindowswmain.cpp, line 113)
__tmainCRTStartup+0x000000F2 [firefox +0x000000000000695A] (f:\dd\vctools\crt_bld\self_x86\crt\src\crt0.c, line 240)
BaseThreadInitThunk+0x00000012 [kernel32 +0x000000000004ED6C]
RtlInitializeExceptionChain+0x000000EF [ntdll +0x000000000006377B]
RtlInitializeExceptionChain+0x000000C2 [ntdll +0x000000000006374E]
I think this is a regression from bug 787070. I can fix it.
Assignee: nobody → bobbyholley
Blocks: 787070
This isn't security-sensitive.
Group: core-security
Simple fix, but interesting test case and worth having on CI.
Attachment #8497642 - Flags: review?(peterv)
Wouldn't it make sense to make ForceCOWBehaviour return false for XrayForDOMObject?
Flags: needinfo?(bobbyholley)
(In reply to Peter Van der Beken [:peterv] from comment #5)
> Wouldn't it make sense to make ForceCOWBehaviour return false for
> XrayForDOMObject?

Yes, that's a good point.
Flags: needinfo?(bobbyholley)
Simple fix, but interesting test case and worth having on CI.
Attachment #8497642 - Attachment is obsolete: true
Attachment #8497642 - Flags: review?(peterv)
Attachment #8498256 - Flags: review?(peterv)
Attachment #8498256 - Flags: review?(peterv) → review+
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla35