Closed Bug 1252511 Opened 4 years ago Closed 4 years ago

"Assertion failure: uint32_t(LittleEndian::readUint64(point) >> 32) < SCTAG_TRANSFER_MAP_HEADER" with DOM MessageChannel

Category: Core :: JavaScript Engine, defect
Severity: critical
Status: RESOLVED FIXED
Target Milestone: mozilla50
Tracking Status: firefox47 --- affected; firefox50 --- fixed
People: Reporter: jruderman, Assigned: sfink
Keywords: assertion, sec-high, testcase
Whiteboard: [adv-main50+] btpp-followup-2016-03-04
Attachments: 3 files

Attached file testcase
Assertion failure: uint32_t(LittleEndian::readUint64(point) >> 32) < SCTAG_TRANSFER_MAP_HEADER, at js/src/vm/StructuredClone.cpp:1352
Attached file stack
Steve, this doesn't seem like a bug in MessagePort/MessageChannel. Can you take a look?
ni? sfink per comment 2.
Flags: needinfo?(sphink)
Whiteboard: btpp-followup-2016-03-04
I'm moving this over to JavaScript Engine because baku thinks it isn't in DOM message stuff.
Component: DOM → JavaScript Engine
Group: dom-core-security → javascript-core-security
Any updates?
Sorry for the long delay. Turned out to be pretty trivial, just a faulty assertion. It was sort of doing an indirect check of the number of transferables between the beginning and end of the cloning process, but it was assuming that all valid type tags were less than the transferable tags, which is not the case -- it is correct for all builtin types, but not for callback-provided user types.
Group: javascript-core-security
Flags: needinfo?(sphink)
This previously asserted that the entry after the transfer map, if nonempty, contained a tag less than SCTAG_TRANSFER_MAP_HEADER, as that is where all of the standard tags live. However, user-defined tags start *above* the transfer map entries, so if the first object serialized was a user-defined object (eg a Blob), the assertion would fail.
Attachment #8773985 - Flags: review?(terrence)
Assignee: nobody → sphink
Status: NEW → ASSIGNED
Attachment #8773985 - Flags: review?(terrence) → review+
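Added illustration of the tag-space mistake described in the two comments above. This is my own C++ sketch, not code from the bug, the patch, or SpiderMonkey. The tag values (SCTAG_NULL at 0xFFFF0000, SCTAG_TRANSFER_MAP_HEADER at 0xFFFF0200, JS_SCTAG_USER_MIN at 0xFFFF8000), the "tag in the high 32 bits, data in the low 32 bits" pair encoding, and the simplified transfer-map layout are assumptions taken from my recollection of js/src/vm/StructuredClone.cpp and js/StructuredClone.h of the Firefox 47-50 era; `correctedFirstEntryCheck` is a reconstruction of what the assertion needs to express, not the text of the actual fix.

```cpp
// Illustration for bug 1252511 (added here; not from the page or SpiderMonkey).
// Tag values and buffer layout below are assumptions from memory of SpiderMonkey's
// structured clone code, kept only as far as needed to show the faulty range check.
#include <cstdint>
#include <cstring>
#include <vector>

// Subset of the structured-clone tag space (assumed values). Builtin tags start at
// SCTAG_NULL, transfer-map bookkeeping tags sit at 0xFFFF0200, and tags handed out
// to embedder callbacks (DOM types such as Blob) start at JS_SCTAG_USER_MIN, which
// is ABOVE the transfer-map tags. That ordering is the whole point of the bug.
enum : uint32_t {
    SCTAG_NULL                       = 0xFFFF0000,
    SCTAG_UNDEFINED,
    SCTAG_BOOLEAN,
    SCTAG_INT32,
    SCTAG_TRANSFER_MAP_HEADER        = 0xFFFF0200,
    SCTAG_TRANSFER_MAP_PENDING_ENTRY,
    SCTAG_TRANSFER_MAP_ARRAY_BUFFER,
    JS_SCTAG_USER_MIN                = 0xFFFF8000,
};

// Each entry in the clone buffer is one 64-bit word: data in the low 32 bits,
// tag in the high 32 bits, so "readUint64(point) >> 32" recovers the tag.
static inline uint64_t makePair(uint32_t tag, uint32_t data) {
    return (uint64_t(tag) << 32) | data;
}

// Reads the tag of the entry at `point` (host-native read; the engine uses an
// explicit little-endian read, which is the same thing on the usual targets).
static inline uint32_t tagAt(const uint8_t* point) {
    uint64_t word;
    std::memcpy(&word, point, sizeof word);
    return uint32_t(word >> 32);
}

// The predicate the original assertion encoded: "the entry after the transfer map
// carries a builtin tag, i.e. something below SCTAG_TRANSFER_MAP_HEADER".
bool faultyFirstEntryCheck(uint32_t tag) {
    return tag < SCTAG_TRANSFER_MAP_HEADER;
}

// What the check actually needs to say: the entry after the transfer map is an
// ordinary serialized value, so its tag may be builtin OR user-defined, but it
// must not be one of the transfer-map tags. (Reconstruction of intent, not the patch.)
bool correctedFirstEntryCheck(uint32_t tag) {
    bool builtin = tag < SCTAG_TRANSFER_MAP_HEADER;
    bool user    = tag >= JS_SCTAG_USER_MIN;
    return builtin || user;
}

// Builds a minimal (simplified, assumed) clone buffer: a transfer-map header
// announcing one transferable, one pending entry, then the first real object.
// Returns the tag the assertion would have examined for that first object.
uint32_t firstTagAfterTransferMap(uint32_t firstObjectTag) {
    std::vector<uint64_t> words = {
        makePair(SCTAG_TRANSFER_MAP_HEADER, 1),        // one transferable follows
        makePair(SCTAG_TRANSFER_MAP_PENDING_ENTRY, 0), // placeholder filled in later
        makePair(firstObjectTag, 0),                   // first serialized value
    };
    const uint8_t* point =
        reinterpret_cast<const uint8_t*>(words.data()) + 2 * sizeof(uint64_t);
    return tagAt(point);
}
```

With a builtin first object (say `null`, tag SCTAG_NULL) both predicates hold. With a callback-provided object such as a Blob the tag is at or above JS_SCTAG_USER_MIN, so `faultyFirstEntryCheck` fails and trips the assertion exactly as the testcase did, while `correctedFirstEntryCheck` accepts it and still rejects a stray transfer-map tag.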
Pushed by sfink@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/3ed34ab50aca
Fix faulty assertion involving user-defined structured clone tags, r=terrence
https://hg.mozilla.org/mozilla-central/rev/3ed34ab50aca
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla50
Whiteboard: btpp-followup-2016-03-04 → [adv-main50+] btpp-followup-2016-03-04