"Assertion failure: uint32_t(LittleEndian::readUint64(point) >> 32) < SCTAG_TRANSFER_MAP_HEADER" with DOM MessageChannel

RESOLVED FIXED in Firefox 50

Status


--
critical
RESOLVED FIXED
3 years ago
2 years ago

People

(Reporter: jruderman, Assigned: sfink)

Tracking

(Blocks: 1 bug, {assertion, sec-high, testcase})

Trunk
mozilla50
assertion, sec-high, testcase
Points:
---

Firefox Tracking Flags

(firefox47 affected, firefox50 fixed)

Details

(Whiteboard: [adv-main50+] btpp-followup-2016-03-04)

Attachments

(3 attachments)

(Reporter)

Description

3 years ago
Created attachment 8725310 [details]
testcase

Assertion failure: uint32_t(LittleEndian::readUint64(point) >> 32) < SCTAG_TRANSFER_MAP_HEADER, at js/src/vm/StructuredClone.cpp:1352
(Reporter)

Comment 1

3 years ago
Created attachment 8725312 [details]
stack

Steve, this doesn't seem a bug in MessagePort/MessageChannel. Can you take a look?

ni? sfink per comment 2.
Flags: needinfo?(sphink)
Whiteboard: btpp-followup-2016-03-04

I'm moving this over to Javascript Engine because baku thinks it isn't in DOM message stuff.
Component: DOM → JavaScript Engine
Keywords: sec-high
Group: dom-core-security → javascript-core-security

Any updates?
(Assignee)

Comment 6

2 years ago
Sorry for the long delay. Turned out to be pretty trivial, just a faulty assertion. It was sort of doing an indirect check of the number of transferables between the beginning and end of the cloning process, but it was assuming that all valid type tags were less than the transferable tags, which is not the case -- it is correct for all builtin types, but not for callback-provided user types.
Group: javascript-core-security
Flags: needinfo?(sphink)
(Assignee)

Comment 7

2 years ago
Created attachment 8773985 [details] [diff] [review]
Fix faulty assertion involving user-defined structured clone tags

This previously asserted that the entry after the transfer map, if nonempty, contained a tag less than SCTAG_TRANSFER_MAP_HEADER, as that is where all of the standard tags live. However, user-defined tags start *above* the transfer map entries, so if the first object serialized was a user-defined object (e.g. a Blob), the assertion would fail.
Attachment #8773985 - Flags: review?(terrence)
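To make the tag-range mistake described in comments 6 and 7 concrete, here is an added illustration that is not code from the bug, the attached patch, or SpiderMonkey itself. It models a structured-clone entry as one little-endian 64-bit word (tag in the high 32 bits, as in the failing assertion expression) and places the old check beside one way of expressing the intended check; the numeric tag values and SCTAG_USER_MIN are assumed from the engine's StructuredClone.cpp, since the page only names SCTAG_TRANSFER_MAP_HEADER.

```cpp
#include <cstdint>
#include <cstdio>

// Tag constants modelled on SpiderMonkey's StructuredClone.cpp. Only SCTAG_TRANSFER_MAP_HEADER
// is named on the bug page; the numeric values and SCTAG_USER_MIN are assumed from the engine source.
constexpr uint32_t SCTAG_NULL                = 0xFFFF0000u;  // a builtin tag (lives below the header)
constexpr uint32_t SCTAG_TRANSFER_MAP_HEADER = 0xFFFF0200u;  // first of the transfer-map tags
constexpr uint32_t SCTAG_USER_MIN            = 0xFFFF8000u;  // first callback-provided (user) tag

// An entry is one 64-bit little-endian word: tag in the high 32 bits, data in the low 32.
static uint64_t readUint64LE(const uint8_t* p) {
    uint64_t v = 0;
    for (int i = 7; i >= 0; --i) v = (v << 8) | p[i];
    return v;
}
// Encode a (tag, data) pair as an 8-byte little-endian entry.
void writeEntryLE(uint8_t* out, uint32_t tag, uint32_t data) {
    uint64_t v = (uint64_t(tag) << 32) | data;
    for (int i = 0; i < 8; ++i) out[i] = uint8_t(v >> (8 * i));
}
// The tag is the upper half of the entry, exactly as in the assertion expression in the title.
uint32_t tagOf(const uint8_t* point) { return uint32_t(readUint64LE(point) >> 32); }

// The pre-fix assertion: "the entry after the transfer map carries a tag below the header".
// It silently assumes that every valid tag is a builtin one.
bool oldAssertionHolds(const uint8_t* point) { return tagOf(point) < SCTAG_TRANSFER_MAP_HEADER; }

// What the check needs to express instead: the entry is not a transfer-map entry, i.e. it carries
// either a builtin tag (below the header) or a user-defined tag (at or above SCTAG_USER_MIN).
// This is one way to state it, not the actual change in attachment 8773985.
bool fixedCheckHolds(const uint8_t* point) {
    uint32_t tag = tagOf(point);
    return tag < SCTAG_TRANSFER_MAP_HEADER || tag >= SCTAG_USER_MIN;
}

// Round-trip helpers: encode a tag, then evaluate each check on the resulting bytes.
bool oldAssertionHoldsForTag(uint32_t tag) { uint8_t b[8]; writeEntryLE(b, tag, 0); return oldAssertionHolds(b); }
bool fixedCheckHoldsForTag(uint32_t tag)   { uint8_t b[8]; writeEntryLE(b, tag, 0); return fixedCheckHolds(b); }

// Constructed sample entry: user tag 0xFFFF8001 with data 1, little-endian (data bytes come first).
const uint8_t kSampleEntry[8] = {0x01, 0x00, 0x00, 0x00, 0x01, 0x80, 0xFF, 0xFF};

int main() {
    // A user-defined object (e.g. a Blob) serialized first: the old assertion rejects a valid entry.
    const uint32_t kBlobLikeTag = SCTAG_USER_MIN + 1;  // hypothetical user tag, constructed for this example
    std::printf("user tag:    old=%d fixed=%d\n", oldAssertionHoldsForTag(kBlobLikeTag), fixedCheckHoldsForTag(kBlobLikeTag));
    std::printf("builtin tag: old=%d fixed=%d\n", oldAssertionHoldsForTag(SCTAG_NULL), fixedCheckHoldsForTag(SCTAG_NULL));
    return 0;
}
```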
(Assignee)

Updated

2 years ago
Assignee: nobody → sphink
Status: NEW → ASSIGNED
Attachment #8773985 - Flags: review?(terrence) → review+

Comment 8

2 years ago
Pushed by sfink@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/3ed34ab50aca
Fix faulty assertion involving user-defined structured clone tags, r=terrence

Comment 9

2 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/3ed34ab50aca
Status: ASSIGNED → RESOLVED
Last Resolved: 2 years ago
status-firefox50: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla50
Whiteboard: btpp-followup-2016-03-04 → [adv-main50+] btpp-followup-2016-03-04