Closed
Bug 1252511
Opened 9 years ago
Closed 8 years ago
"Assertion failure: uint32_t(LittleEndian::readUint64(point) >> 32) < SCTAG_TRANSFER_MAP_HEADER" with DOM MessageChannel
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla50
People
(Reporter: jruderman, Assigned: sfink)
References
Details
(Keywords: assertion, sec-high, testcase, Whiteboard: [adv-main50+] btpp-followup-2016-03-04)
Attachments
(3 files)
Assertion failure: uint32_t(LittleEndian::readUint64(point) >> 32) < SCTAG_TRANSFER_MAP_HEADER, at js/src/vm/StructuredClone.cpp:1352
Reporter
Comment 1•9 years ago
Comment 2•9 years ago
Steve, this doesn't seem a bug in MessagePort/MessageChannel. Can you take a look?
Updated•9 years ago
Whiteboard: btpp-followup-2016-03-04
Comment 4•9 years ago
I'm moving this over to Javascript Engine because baku thinks it isn't in DOM message stuff.
Component: DOM → JavaScript Engine
Updated•9 years ago
Group: dom-core-security → javascript-core-security
Comment 5•8 years ago
Any updates?
Assignee
Comment 6•8 years ago
Sorry for the long delay. Turned out to be pretty trivial, just a faulty assertion. It was sort of doing an indirect check of the number of transferables between the beginning and end of the cloning process, but it was assuming that all valid type tags were less than the transferable tags, which is not the case -- it is correct for all builtin types, but not for callback-provided user types.
Group: javascript-core-security
Flags: needinfo?(sphink)
Assignee
Comment 7•8 years ago
This previously asserted that the entry after the transfer map, if nonempty, contained a tag less than SCTAG_TRANSFER_MAP_HEADER, as that is where all of the standard tags live. However, user-defined tags start *above* the transfer map entries, so if the first object serialized was a user-defined object (eg a Blob), the assertion would fail.
Attachment #8773985 -
Flags: review?(terrence)
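The tag ordering described in comments 6 and 7, modelled as an added example that is not part of the bug report or the landed patch. The tag values, the one-word-per-entry buffer layout and every `EX_`/helper name are assumptions chosen only to preserve that ordering; `rangeCheck` is one way to express the intended check, not the fix from the changeset.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Illustrative tag values (assumed, not copied from StructuredClone.cpp); only
// the ordering matters: builtin < transfer map range < user-defined.
constexpr uint32_t EX_TAG_BUILTIN = 0xFFFF0008;
constexpr uint32_t EX_TRANSFER_MAP_HEADER = 0xFFFF0200;
constexpr uint32_t EX_TRANSFER_MAP_ENTRY = 0xFFFF0201;
constexpr uint32_t EX_TRANSFER_MAP_END = 0xFFFF0210;  // one past the last transfer tag
constexpr uint32_t EX_TAG_USER = 0xFFFF8000;

// Each 64-bit word carries the tag in its high 32 bits and data in the low 32.
constexpr uint64_t makePair(uint32_t tag, uint32_t data) { return (uint64_t(tag) << 32) | data; }
constexpr uint32_t tagOf(uint64_t word) { return uint32_t(word >> 32); }

// Constructed buffer (simplified layout): a header claiming `claimed` entries,
// `written` one-word entries, then the first serialized value.
std::vector<uint64_t> buildBuffer(uint32_t claimed, uint32_t written, uint32_t firstTag) {
    std::vector<uint64_t> buf{makePair(EX_TRANSFER_MAP_HEADER, claimed)};
    for (uint32_t i = 0; i < written; i++) buf.push_back(makePair(EX_TRANSFER_MAP_ENTRY, i));
    buf.push_back(makePair(firstTag, 0));
    return buf;
}

// Tag of the word just past the claimed end of the transfer map.
uint32_t tagAfterMap(const std::vector<uint64_t>& buf) {
    return tagOf(buf.at(1 + size_t(uint32_t(buf[0]))));
}

// Predicate of the failing assertion: only tags below the header tag pass.
bool oldCheck(const std::vector<uint64_t>& buf) {
    return tagAfterMap(buf) < EX_TRANSFER_MAP_HEADER;
}

// Range form: reject only tags that fall inside the transfer map range.
bool rangeCheck(const std::vector<uint64_t>& buf) {
    uint32_t tag = tagAfterMap(buf);
    return tag < EX_TRANSFER_MAP_HEADER || tag >= EX_TRANSFER_MAP_END;
}

int main() {
    auto user = buildBuffer(1, 1, EX_TAG_USER);      // user-defined object first
    auto extra = buildBuffer(1, 2, EX_TAG_BUILTIN);  // one entry more than claimed
    std::printf("user-defined first: old=%d range=%d\n", oldCheck(user), rangeCheck(user));
    std::printf("extra map entry:    old=%d range=%d\n", oldCheck(extra), rangeCheck(extra));
    return 0;
}
```

Both predicates still flag a buffer holding more transfer map entries than the header claims; only the old one also rejects a well-formed buffer whose first value carries a user-defined tag.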
Assignee
Updated•8 years ago
Assignee: nobody → sphink
Status: NEW → ASSIGNED
Updated•8 years ago
Attachment #8773985 -
Flags: review?(terrence) → review+
Pushed by sfink@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/3ed34ab50aca
Fix faulty assertion involving user-defined structured clone tags, r=terrence
Comment 9•8 years ago
bugherder
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
status-firefox50:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla50
Updated•8 years ago
Whiteboard: btpp-followup-2016-03-04 → [adv-main50+] btpp-followup-2016-03-04