"Assertion failure: uint32_t(LittleEndian::readUint64(point) >> 32) < SCTAG_TRANSFER_MAP_HEADER" with DOM MessageChannel

RESOLVED FIXED in Firefox 50

Status


defect
--
critical
RESOLVED FIXED
3 years ago
3 years ago

People

(Reporter: jruderman, Assigned: sfink)

Tracking

(Blocks 1 bug, {assertion, sec-high, testcase})

Trunk
mozilla50
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(firefox47 affected, firefox50 fixed)

Details

(Whiteboard: [adv-main50+] btpp-followup-2016-03-04)

Attachments

(3 attachments)

Posted file testcase
Assertion failure: uint32_t(LittleEndian::readUint64(point) >> 32) < SCTAG_TRANSFER_MAP_HEADER, at js/src/vm/StructuredClone.cpp:1352
Posted file stack
Steve, this doesn't seem to be a bug in MessagePort/MessageChannel. Can you take a look?
ni? sfink per comment 2.
Flags: needinfo?(sphink)
Whiteboard: btpp-followup-2016-03-04
I'm moving this over to Javascript Engine because baku thinks it isn't in DOM message stuff.
Component: DOM → JavaScript Engine
Group: dom-core-security → javascript-core-security
Any updates?
Sorry for the long delay. Turned out to be pretty trivial, just a faulty assertion. It was sort of doing an indirect check of the number of transferables between the beginning and end of the cloning process, but it was assuming that all valid type tags were less than the transferable tags, which is not the case -- it is correct for all builtin types, but not for callback-provided user types.
Group: javascript-core-security
Flags: needinfo?(sphink)
This previously asserted that the entry after the transfer map, if nonempty, contained a tag less than SCTAG_TRANSFER_MAP_HEADER, as that is where all of the standard tags live. However, user-defined tags start *above* the transfer map entries, so if the first object serialized was a user-defined object (eg a Blob), the assertion would fail.
Attachment #8773985 - Flags: review?(terrence)
Assignee: nobody → sphink
Status: NEW → ASSIGNED
Attachment #8773985 - Flags: review?(terrence) → review+
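The comments above describe the tag layout that the assertion got wrong: builtin tags sit below SCTAG_TRANSFER_MAP_HEADER, the transfer-map tags sit just above it, and user-defined tags (Blob, MessagePort and other callback-provided types) sit above those. The following C++ model is an added example written for this page, not code from the bug or from SpiderMonkey. It models the clone buffer as 64-bit little-endian words with the tag in the high 32 bits, uses a simplified transfer-map layout (count in the header word, one pending entry per transferable), and takes the tag constants as assumptions matching the SpiderMonkey sources of that era; `intendedCheck` is this page's formulation of what the assertion should test, not necessarily the landed patch.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Tag-space layout as described in the bug: builtin tags sit below the
// transfer-map tags, user-defined tags (JS_SCTAG_USER_MIN and up) sit above
// them. Numeric values are assumptions taken from SpiderMonkey's
// StructuredClone.cpp / StructuredClone.h of the Firefox 47-50 era.
constexpr uint32_t SCTAG_NULL = 0xFFFF0000;
constexpr uint32_t SCTAG_TRANSFER_MAP_HEADER = 0xFFFF0200;
constexpr uint32_t SCTAG_TRANSFER_MAP_PENDING_ENTRY = 0xFFFF0201;
constexpr uint32_t SCTAG_TRANSFER_MAP_END_OF_BUILTIN_TYPES = 0xFFFF0204;
constexpr uint32_t JS_SCTAG_USER_MIN = 0xFFFF8000;

// A structured-clone buffer is a sequence of 64-bit little-endian words whose
// high 32 bits hold the tag and low 32 bits hold tag-specific data.
static void writePair(std::vector<uint8_t>& buf, uint32_t tag, uint32_t data) {
    uint64_t word = (uint64_t(tag) << 32) | data;
    for (int i = 0; i < 8; i++)
        buf.push_back(uint8_t(word >> (8 * i)));
}

// Stand-in for mozilla::LittleEndian::readUint64.
static uint64_t readUint64LE(const uint8_t* p) {
    uint64_t v = 0;
    for (int i = 0; i < 8; i++)
        v |= uint64_t(p[i]) << (8 * i);
    return v;
}

static uint32_t tagOfWord(const std::vector<uint8_t>& buf, size_t wordIndex) {
    return uint32_t(readUint64LE(buf.data() + wordIndex * 8) >> 32);
}

// Constructed sample clone (simplified layout, not the exact SpiderMonkey
// wire format): a transfer-map header carrying the transferable count, one
// pending entry per transferable, then the first serialized object.
static std::vector<uint8_t> buildClone(uint32_t nTransferables, uint32_t firstObjectTag) {
    std::vector<uint8_t> buf;
    writePair(buf, SCTAG_TRANSFER_MAP_HEADER, nTransferables);
    for (uint32_t i = 0; i < nTransferables; i++)
        writePair(buf, SCTAG_TRANSFER_MAP_PENDING_ENTRY, i);
    writePair(buf, firstObjectTag, 0);
    return buf;
}

// Tag of the entry immediately after the transfer map: the word the
// assertion in the bug examines.
static uint32_t tagAfterTransferMap(const std::vector<uint8_t>& buf) {
    uint32_t n = uint32_t(readUint64LE(buf.data()));  // low 32 bits of header
    return tagOfWord(buf, 1 + n);
}

// The predicate the original assertion used: "a real object has a tag below
// the transfer-map tags". True for every builtin tag, false for user tags.
static bool faultyCheck(uint32_t tag) {
    return tag < SCTAG_TRANSFER_MAP_HEADER;
}

// What the assertion meant: "this word is not itself a transfer-map entry".
// A range test (editor's formulation, not necessarily the landed fix).
static bool intendedCheck(uint32_t tag) {
    return tag < SCTAG_TRANSFER_MAP_HEADER || tag >= SCTAG_TRANSFER_MAP_END_OF_BUILTIN_TYPES;
}

int main() {
    // Two transferables (e.g. MessagePorts) followed by a user-tagged object:
    // the faulty predicate rejects it, the range test accepts it.
    std::vector<uint8_t> blobFirst = buildClone(2, JS_SCTAG_USER_MIN + 1);
    uint32_t tag = tagAfterTransferMap(blobFirst);
    return (!faultyCheck(tag) && intendedCheck(tag)) ? 0 : 1;
}
```

The point the example makes concrete is that the faulty predicate and the intended one agree on every builtin tag, so the assertion only fires when the first serialized value after the transfer map is a callback-provided type, which is exactly the DOM MessageChannel testcase shape reported above.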
Pushed by sfink@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/3ed34ab50aca
Fix faulty assertion involving user-defined structured clone tags, r=terrence
https://hg.mozilla.org/mozilla-central/rev/3ed34ab50aca
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla50
Whiteboard: btpp-followup-2016-03-04 → [adv-main50+] btpp-followup-2016-03-04