Closed Bug 1471095 Opened Last year Closed Last year

Assertion failure: JS::CellIsNotGray(target), at /builds/worker/workspace/build/src/js/src/vm/JSContext-inl.h:484

Categories

(Core :: XBL, defect)

59 Branch
defect
Not set

Tracking

()

RESOLVED FIXED
mozilla63
Tracking Status
firefox-esr52 --- unaffected
firefox-esr60 62+ fixed
firefox61 --- unaffected
firefox62 + fixed
firefox63 + fixed

People

(Reporter: jkratzer, Assigned: bzbarsky)

References

(Blocks 1 open bug)

Details

(4 keywords, Whiteboard: [post-critsmash-triage][adv-esr60.2-])

Attachments

(4 files, 3 obsolete files)

Attached file trigger.html (obsolete) —
Testcase found while fuzzing mozilla-central rev 4f6e597104da.  Testcase bisects back further than a year which is longer than taskcluster stores builds.

Testcase takes 60-90 seconds to trigger and triggers more reliably when served via a local webserver.

Marking as SS just in case.

rax = 0x0000000000000000   rdx = 0x0000000000000000
rcx = 0x00007fb8b57142dd   rbx = 0x00007fb89bf23000
rsi = 0x00007fb8b59e3770   rdi = 0x00007fb8b59e2540
rbp = 0x00007ffcfd386270   rsp = 0x00007ffcfd386260
r8 = 0x00007fb8b59e3770    r9 = 0x00007fb8b6ab1740
r10 = 0x0000000000000000   r11 = 0x0000000000000000
r12 = 0x00007fb891e6f060   r13 = 0x00007ffcfd386298
r14 = 0x00007ffcfd3862b0   r15 = 0x00007ffcfd386358
rip = 0x00007fb8a67004d8
OS|Linux|0.0.0 Linux 4.4.0-128-generic #154-Ubuntu SMP Fri May 25 14:15:18 UTC 2018 x86_64
CPU|amd64|family 6 model 78 stepping 3|1
GPU|||
Crash|SIGSEGV|0x0|0
0|0|libxul.so|JSContext::enterRealmOf(JSObject*)|hg:hg.mozilla.org/mozilla-central:js/src/vm/JSContext-inl.h:4f6e597104dabedfecfafa2ab63dc79fd7f8bc7a|484|0x18
0|1|libxul.so|xpc::GetXBLScope(JSContext*, JSObject*)|hg:hg.mozilla.org/mozilla-central:js/xpconnect/src/XPCWrappedNativeScope.cpp:4f6e597104dabedfecfafa2ab63dc79fd7f8bc7a|294|0x5
0|2|libxul.so|nsINode::doInsertChildAt(nsIContent*, unsigned int, bool, nsAttrAndChildArray&)|hg:hg.mozilla.org/mozilla-central:dom/base/nsINode.cpp:4f6e597104dabedfecfafa2ab63dc79fd7f8bc7a|1325|0x5
0|3|libxul.so|nsCSSFrameConstructor::CreateGeneratedContentItem(nsFrameConstructorState&, nsContainerFrame*, mozilla::dom::Element*, mozilla::ComputedStyle*, mozilla::CSSPseudoElementType, nsCSSFrameConstructor::FrameConstructionItemList&)|hg:hg.mozilla.org/mozilla-central:layout/base/nsCSSFrameConstructor.cpp:4f6e597104dabedfecfafa2ab63dc79fd7f8bc7a|1919|0x16
0|4|libxul.so|nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, mozilla::ComputedStyle*, nsContainerFrame*, bool, nsFrameItems&, bool, PendingBinding*, nsIFrame*)|hg:hg.mozilla.org/mozilla-central:layout/base/nsCSSFrameConstructor.cpp:4f6e597104dabedfecfafa2ab63dc79fd7f8bc7a|10270|0x25
0|5|libxul.so|nsCSSFrameConstructor::ConstructBlock(nsFrameConstructorState&, nsIContent*, nsContainerFrame*, nsContainerFrame*, mozilla::ComputedStyle*, nsContainerFrame**, nsFrameItems&, nsIFrame*, PendingBinding*)|hg:hg.mozilla.org/mozilla-central:layout/base/nsCSSFrameConstructor.cpp:4f6e597104dabedfecfafa2ab63dc79fd7f8bc7a|11246|0x5
0|6|libxul.so|nsCSSFrameConstructor::ConstructNonScrollableBlockWithConstructor(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsStyleDisplay const*, nsFrameItems&, nsBlockFrame* (*)(nsIPresShell*, mozilla::ComputedStyle*))|hg:hg.mozilla.org/mozilla-central:layout/base/nsCSSFrameConstructor.cpp:4f6e597104dabedfecfafa2ab63dc79fd7f8bc7a|4932|0x30
0|7|libxul.so|nsCSSFrameConstructor::ConstructNonScrollableBlock(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsStyleDisplay const*, nsFrameItems&)|hg:hg.mozilla.org/mozilla-central:layout/base/nsCSSFrameConstructor.cpp:4f6e597104dabedfecfafa2ab63dc79fd7f8bc7a|4893|0xa
0|8|libxul.so|nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameItems&)|hg:hg.mozilla.org/mozilla-central:layout/base/nsCSSFrameConstructor.cpp:4f6e597104dabedfecfafa2ab63dc79fd7f8bc7a|3853|0x24
0|9|libxul.so|nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameItems&)|hg:hg.mozilla.org/mozilla-central:layout/base/nsCSSFrameConstructor.cpp:4f6e597104dabedfecfafa2ab63dc79fd7f8bc7a|6047|0x16
0|10|libxul.so|nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameItems&)|hg:hg.mozilla.org/mozilla-central:layout/base/nsCSSFrameConstructor.cpp:4f6e597104dabedfecfafa2ab63dc79fd7f8bc7a|10124|0x15
0|11|libxul.so|nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, mozilla::ComputedStyle*, nsContainerFrame*, bool, nsFrameItems&, bool, PendingBinding*, nsIFrame*)|hg:hg.mozilla.org/mozilla-central:layout/base/nsCSSFrameConstructor.cpp:4f6e597104dabedfecfafa2ab63dc79fd7f8bc7a|10319|0x23
0|12|libxul.so|nsCSSFrameConstructor::ConstructBlock(nsFrameConstructorState&, nsIContent*, nsContainerFrame*, nsContainerFrame*, mozilla::ComputedStyle*, nsContainerFrame**, nsFrameItems&, nsIFrame*, PendingBinding*)|hg:hg.mozilla.org/mozilla-central:layout/base/nsCSSFrameConstructor.cpp:4f6e597104dabedfecfafa2ab63dc79fd7f8bc7a|11246|0x5
0|13|libxul.so|nsCSSFrameConstructor::ConstructScrollableBlockWithConstructor(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsStyleDisplay const*, nsFrameItems&, nsBlockFrame* (*)(nsIPresShell*, mozilla::ComputedStyle*))|hg:hg.mozilla.org/mozilla-central:layout/base/nsCSSFrameConstructor.cpp:4f6e597104dabedfecfafa2ab63dc79fd7f8bc7a|4875|0x10
0|14|libxul.so|nsCSSFrameConstructor::ConstructScrollableBlock(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsStyleDisplay const*, nsFrameItems&)|hg:hg.mozilla.org/mozilla-central:layout/base/nsCSSFrameConstructor.cpp:4f6e597104dabedfecfafa2ab63dc79fd7f8bc7a|4841|0xa
0|15|libxul.so|nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameItems&)|hg:hg.mozilla.org/mozilla-central:layout/base/nsCSSFrameConstructor.cpp:4f6e597104dabedfecfafa2ab63dc79fd7f8bc7a|3853|0x24
0|16|libxul.so|nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameItems&)|hg:hg.mozilla.org/mozilla-central:layout/base/nsCSSFrameConstructor.cpp:4f6e597104dabedfecfafa2ab63dc79fd7f8bc7a|6047|0x16
0|17|libxul.so|nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameItems&)|hg:hg.mozilla.org/mozilla-central:layout/base/nsCSSFrameConstructor.cpp:4f6e597104dabedfecfafa2ab63dc79fd7f8bc7a|10124|0x15
0|18|libxul.so|nsCSSFrameConstructor::ContentRangeInserted(nsIContent*, nsIContent*, nsILayoutHistoryState*, nsCSSFrameConstructor::InsertionKind)|hg:hg.mozilla.org/mozilla-central:layout/base/nsCSSFrameConstructor.cpp:4f6e597104dabedfecfafa2ab63dc79fd7f8bc7a|7739|0x20
0|19|libxul.so|nsCSSFrameConstructor::RecreateFramesForContent(nsIContent*, nsCSSFrameConstructor::InsertionKind)|hg:hg.mozilla.org/mozilla-central:layout/base/nsCSSFrameConstructor.cpp:4f6e597104dabedfecfafa2ab63dc79fd7f8bc7a|9199|0x1b
0|20|libxul.so|mozilla::RestyleManager::ProcessRestyledFrames(nsStyleChangeList&)|hg:hg.mozilla.org/mozilla-central:layout/base/RestyleManager.cpp:4f6e597104dabedfecfafa2ab63dc79fd7f8bc7a|1513|0xf
0|21|libxul.so|mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags)|hg:hg.mozilla.org/mozilla-central:layout/base/RestyleManager.cpp:4f6e597104dabedfecfafa2ab63dc79fd7f8bc7a|2997|0xb
0|22|libxul.so|mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush)|hg:hg.mozilla.org/mozilla-central:layout/base/PresShell.cpp:4f6e597104dabedfecfafa2ab63dc79fd7f8bc7a|4285|0x19
0|23|libxul.so|nsRefreshDriver::Tick(long, mozilla::TimeStamp)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:4f6e597104dabedfecfafa2ab63dc79fd7f8bc7a|1897|0x5
0|24|libxul.so|mozilla::RefreshDriverTimer::TickRefreshDrivers(long, mozilla::TimeStamp, nsTArray<RefPtr<nsRefreshDriver> >&)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:4f6e597104dabedfecfafa2ab63dc79fd7f8bc7a|301|0xb
0|25|libxul.so|mozilla::RefreshDriverTimer::Tick(long, mozilla::TimeStamp)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:4f6e597104dabedfecfafa2ab63dc79fd7f8bc7a|320|0xf
0|26|libxul.so|mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::TickRefreshDriver(mozilla::TimeStamp)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:4f6e597104dabedfecfafa2ab63dc79fd7f8bc7a|760|0x5
0|27|libxul.so|mozilla::VsyncRefreshDriverTimer::RefreshDriverVsyncObserver::NotifyVsync(mozilla::TimeStamp)|hg:hg.mozilla.org/mozilla-central:layout/base/nsRefreshDriver.cpp:4f6e597104dabedfecfafa2ab63dc79fd7f8bc7a|574|0xc
0|28|libxul.so|mozilla::layout::VsyncChild::RecvNotify(mozilla::TimeStamp const&)|hg:hg.mozilla.org/mozilla-central:layout/ipc/VsyncChild.cpp:4f6e597104dabedfecfafa2ab63dc79fd7f8bc7a|68|0x9
0|29|libxul.so|mozilla::layout::PVsyncChild::OnMessageReceived(IPC::Message const&)|s3:gecko-generated-sources:0c7cf777c2ff93c34ff1546f677320cb1229427e6947e87c6fa76720f9b9c5b6a4a4d036521ed9a643f4fa5e10a57d8748e2532d47fce8282aa653340c0c00ff/ipc/ipdl/PVsyncChild.cpp:|167|0xc
0|30|libxul.so|mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:4f6e597104dabedfecfafa2ab63dc79fd7f8bc7a|2134|0x6
0|31|libxul.so|mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:4f6e597104dabedfecfafa2ab63dc79fd7f8bc7a|2064|0xb
0|32|libxul.so|mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:4f6e597104dabedfecfafa2ab63dc79fd7f8bc7a|1910|0xb
0|33|libxul.so|mozilla::ipc::MessageChannel::MessageTask::Run()|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessageChannel.cpp:4f6e597104dabedfecfafa2ab63dc79fd7f8bc7a|1943|0xc
0|34|libxul.so|nsThread::ProcessNextEvent(bool, bool*)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThread.cpp:4f6e597104dabedfecfafa2ab63dc79fd7f8bc7a|1051|0x15
0|35|libxul.so|NS_ProcessNextEvent(nsIThread*, bool)|hg:hg.mozilla.org/mozilla-central:xpcom/threads/nsThreadUtils.cpp:4f6e597104dabedfecfafa2ab63dc79fd7f8bc7a|519|0x11
0|36|libxul.so|mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:4f6e597104dabedfecfafa2ab63dc79fd7f8bc7a|97|0xa
0|37|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:4f6e597104dabedfecfafa2ab63dc79fd7f8bc7a|325|0x17
0|38|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:4f6e597104dabedfecfafa2ab63dc79fd7f8bc7a|318|0x8
0|39|libxul.so|nsBaseAppShell::Run()|hg:hg.mozilla.org/mozilla-central:widget/nsBaseAppShell.cpp:4f6e597104dabedfecfafa2ab63dc79fd7f8bc7a|158|0xd
0|40|libxul.so|XRE_RunAppShell()|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:4f6e597104dabedfecfafa2ab63dc79fd7f8bc7a|896|0x11
0|41|libxul.so|mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*)|hg:hg.mozilla.org/mozilla-central:ipc/glue/MessagePump.cpp:4f6e597104dabedfecfafa2ab63dc79fd7f8bc7a|269|0x5
0|42|libxul.so|MessageLoop::RunInternal()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:4f6e597104dabedfecfafa2ab63dc79fd7f8bc7a|325|0x17
0|43|libxul.so|MessageLoop::Run()|hg:hg.mozilla.org/mozilla-central:ipc/chromium/src/base/message_loop.cc:4f6e597104dabedfecfafa2ab63dc79fd7f8bc7a|318|0x8
0|44|libxul.so|XRE_InitChildProcess(int, char**, XREChildData const*)|hg:hg.mozilla.org/mozilla-central:toolkit/xre/nsEmbedFunctions.cpp:4f6e597104dabedfecfafa2ab63dc79fd7f8bc7a|722|0x8
0|45|firefox|content_process_main(mozilla::Bootstrap*, int, char**)|hg:hg.mozilla.org/mozilla-central:ipc/contentproc/plugin-container.cpp:4f6e597104dabedfecfafa2ab63dc79fd7f8bc7a|50|0x14
0|46|firefox|main|hg:hg.mozilla.org/mozilla-central:browser/app/nsBrowserApp.cpp:4f6e597104dabedfecfafa2ab63dc79fd7f8bc7a|287|0x11
0|47|libc-2.23.so||||0x20830
0|48|firefox|MOZ_ReportAssertionFailure|hg:hg.mozilla.org/mozilla-central:mfbt/Assertions.h:4f6e597104dabedfecfafa2ab63dc79fd7f8bc7a|164|0x5
Flags: in-testsuite?
Attached file fuzzer.js (obsolete) —
I don't see any WebGL in your testcase or the stack. How'd you end up picking the component?

I'm not sure where to put this. Most of the stack is CSS/Frames (Layout) which makes sense from your testcase. But I'm surprised to see anything in nsCSSFrameConstructor calling nsINode::doInsertChildAt. There is an appendChild early in your testcase (can you remove the lines after that, or are they necessary?) but it shouldn't have that stack. And there's no XBL at all in your testcase, though maybe that's just a thing we check the presence of and the node itself is corrupt.

I'm going to call this "Layout" on the preponderance of the stack, but I'm not sure. What happens in an ASAN build?

the null deref doesn't look like a security bug, but that stack is crazy so let's figure that out before unhiding the bug.
Group: core-security → layout-core-security
Component: Canvas: WebGL → Layout
Flags: needinfo?(jkratzer)
Attached file trigger.html
Attachment #8987708 - Attachment is obsolete: true
Flags: needinfo?(jkratzer)
Attached file fuzzer.js (obsolete) —
Attachment #8987709 - Attachment is obsolete: true
(In reply to Daniel Veditz [:dveditz] from comment #2)
> I don't see any WebGL in your testcase or the stack. How'd you end up
> picking the component?
> 
> I'm not sure where to put this. Most of the stack is CSS/Frames (Layout)
> which makes sense from your testcase. But I'm surprised to see anything in
> nsCSSFrameConstructor calling nsINode::doInsertChildAt. There is an
> appendChild early in your testcase (can you remove the lines after that, or
> are they necessary?) but it shouldn't have that stack. And there's no XBL at
> all in your testcase, though maybe that's just a thing we check the presence
> of and the node itself is corrupt.
> 
> I'm going to call this "Layout" on the preponderance of the stack, but I'm
> not sure. What happens in an ASAN build?
> 
> the null deref doesn't look like a security bug, but that stack is crazy so
> let's figure that out before unhiding the bug.

Looks like I really screwed up submitting this one.  This was supposed to be filed under Layout however my template defaults to WebGL.  Also, the testcase I submitted was for another bug entirely.  I've updated both attachments.
Attached file fuzzer.js
Attachment #8988526 - Attachment is obsolete: true
This feels a little more like a DOM bug, though maybe the actual bug is in nsCSSFrameConstructor::CreateGeneratedContentItem(). It sounds like something isn't getting unmark gray called on it.
Group: layout-core-security → dom-core-security
Component: Layout → XBL
This needs the fuzzing extension installed to reproduce, right?  Where's the current place one can get that?
Flags: needinfo?(jkratzer)
(Ideally the steps to reproduce on fuzzing bugs would just include that information...)
There are no line numbers here, but doInsertChildAt calls ReparentWrappersInSubtree which calls GetXBLScope, so maybe that's how we end up there. It looks like ReparentWrappersInSubtree was recently added in bug 1466991.
Attachment #8988527 - Attachment mime type: application/javascript → text/plain
(In reply to Boris Zbarsky [:bz] (no decent commit message means r-) from comment #8)
> This needs the fuzzing extension installed to reproduce, right?  Where's the
> current place one can get that?

It looks like you don't actually need the extension. Instead, you'd need a --enable-fuzzing build with the pref fuzzing.enabled set to true, so that FuzzingFunctions is defined.
Ah.  Yeah, definitely needs a steps to reproduce section...
Assignee: nobody → bzbarsky
Attached file prefs.js
Flags: needinfo?(jkratzer)
(In reply to Andrew McCreight [:mccr8] from comment #11)
> (In reply to Boris Zbarsky [:bz] (no decent commit message means r-) from
> comment #8)
> > This needs the fuzzing extension installed to reproduce, right?  Where's the
> > current place one can get that?
> 
> It looks like you don't actually need the extension. Instead, you'd need a
> --enable-fuzzing build with the pref fuzzing.enabled set to true, so that
> FuzzingFunctions is defined.

That's correct.  You can retrieve an ASAN fuzzing build using the fuzzfetch python module:
pip install fuzzfetch
python -m fuzzfetch --fuzzing -a

You can reproduce the testcase using ffpuppet found here:
https://github.com/MozillaSecurity/ffpuppet

With the following commands in the testcase directory:
python -m SimpleHTTPServer &
python -m ffpuppet -p prefs.js ~/build_path/firefox --xvfb -d -l log -u http://localhost:8000/trigger.html
> You can retrieve an ASAN fuzzing build using the fuzzfetch python module

Will that give me full source so I can actually debug?

I tried doing an --enable-fuzzing debug build.  It fails to link, with error messages like this:

0:06.22 ../build/libjs_static.a(BinSource.o):../../../mozilla/js/src/frontend/BinSource.cpp:function sancov.module_ctor: error: undefined reference to '__sanitizer_cov_trace_pc_guard_init'
 0:06.36 ../build/libjs_static.a(BinSource.o):../../../mozilla/js/src/frontend/BinSource.cpp:function sancov.module_ctor: error: undefined reference to '__sanitizer_cov_trace_pc_guard_init'
 0:08.94 ../build/libjs_static.a(StructuredClone.o):../../../mozilla/js/src/vm/StructuredClone.cpp:function sancov.module_ctor: error: undefined reference to '__sanitizer_cov_trace_pc_guard_init'

Next step is to hack things so I just build FuzzingFunctions even if FUZZING is not defined...
> Will that give me full source so I can actually debug?

And more importantly, how do I then test the fix?  ;)
(In reply to Boris Zbarsky [:bz] (no decent commit message means r-) from comment #16)
> > Will that give me full source so I can actually debug?
> 
> And more importantly, how do I then test the fix?  ;)

No, unfortuantely not.  It's just a wrapper for pulling down taskcluster builds.  Also, I just realized the fuzzfetch args I gave you were incorrect.  To get a debug build you want to pass:
python -m fuzzfetch --fuzzing -d

If getting a fuzzing build is blocking you, you could try the fuzzpriv extension here:
https://github.com/MozillaSecurity/fuzzpriv

Then just replace the call to FuzzingFunctions.garbageCollect() with fuzzPriv.GC().  You can then use ffpuppet and the prefs.js included here to test:

python -m ffpuppet -p prefs.js -e ~/fuzzpriv/ ~/build_path/firefox --xvfb -d -l log -u http://localhost:8000/trigger.html
OK, hacking things so that FuzzingFunctions is unconditionally exposed in a local build makes it pretty easy to reproduce.  The sequence of events here is as follows:

1)  Page is loaded.
2)  New pageload starts, first page becomes zombie.  It's still being shown, but is
    not the current page anymore.
3)  Script in the new page runs, triggers GC.  The old Window is no longer directly
    referenced from JS, so it gets marked gray (the C++ still owns it).
4)  The animation on the zombie page changes overflow, triggering frame construction.
    This creates some generated content for the "optgroup:before { content: attr(label); }"
    bit in forms.css.
5)  The generated content is added to the tree.  The actual ::before element is set
    as a native anonymous root before being added.  But the textnode inside is not
    thus marked, so it takes the new codepath added in bug 1466991.
6)  That codepath always gets the XBL scope.  I think I needed it at some point, then
    figured out I actually don't but forgot to remove that line.
7)  xpc::GetXBLScope does JS::AutoRealm on the passed-in global.  This asserts it's not gray.
8)  nsGlobalWindowInner::GetGlobalJSObject called FastGetGlobalJSObject which does not unmark gray.

Anyway, I think the right fix here is to get rid of the "get the xbl scope" bit, since it's not actually doing anything useful, and to pre-mark the anonymous content in the frame constructor before appending it, so we don't even enter this codepath for that stuff.
I don't think there's a security issue here, btw.  We don't use the object that's being asserted not-gray, so there's no problem in practice in an opt build.
Blocks: 1466991
Keywords: sec-audit
That said, the:

> Testcase bisects back further than a year

part is confusing to me, because the code in question is definitely new as of bug 1466991.  What does a failure look like on a build from before then?
Flags: needinfo?(jkratzer)
Comment on attachment 8988626 [details] [diff] [review]
Don't do extra work we don't need to in ReparentWrappersInSubtree

ops, I should have noticed the extra rootedGlobal thing in the other bug.
Attachment #8988626 - Flags: review?(bugs) → review+
Er, comment 21 is still relevant.
Flags: needinfo?(jkratzer)
Comment on attachment 8988626 [details] [diff] [review]
Don't do extra work we don't need to in ReparentWrappersInSubtree

Approval Request Comment
[Feature/Bug causing the regression]: Bug 1466991
[User impact if declined]: Probably none; this is basically a debug-only
   problem, apart from the small perf hit.
[Is this code covered by automated tests?]:  Sort of.
[Has the fix been verified in Nightly?]: Yes.
[Needs manual test from QE? If yes, steps to reproduce]: No.
[List of other uplifts needed for the feature/fix]: None.
[Is the change risky?]: No.
[Why is the change risky/not risky?]: Just removes some unnecessary code.
[String changes made/needed]: None.
Attachment #8988626 - Flags: approval-mozilla-beta?
https://hg.mozilla.org/mozilla-central/rev/2cb8f2ddbf0e
Group: dom-core-security → core-security-release
Status: NEW → RESOLVED
Closed: Last year
Resolution: --- → FIXED
Target Milestone: --- → mozilla63
Bug 1466991 is going to be landing on ESR60 during this cycle as well, so please nominate it for backport there also.
Comment on attachment 8988626 [details] [diff] [review]
Don't do extra work we don't need to in ReparentWrappersInSubtree

Approved for 62.0b5.
Attachment #8988626 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
(In reply to Boris Zbarsky [:bz] (no decent commit message means r-) from comment #24)
> Er, comment 21 is still relevant.

So it looks like comment 1 was for another bug entirely.  This testcase bisects back to the following range which includes bug 1466991:
https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=dc997a4e045ec9c83288466a013a029cc475603c&tochange=0b5495dc100dd3bfda0886a4ad563a3c729c9b72

Sorry for all the confusion.
Flags: needinfo?(jkratzer)
> This testcase bisects back to the following range 

Perfect, now the world makes sense.  ;)
Comment on attachment 8988626 [details] [diff] [review]
Don't do extra work we don't need to in ReparentWrappersInSubtree

[Approval Request Comment]
If this is not a sec:{high,crit} bug, please state case for ESR consideration:
  Regression caused by bug 1466991.
User impact if declined: Fuzzing on ES a bit more complicated due to this
  assertion failure.
Fix Landed on Version: 61 and 62.
Risk to taking this patch (and alternatives if risky): Very low risk; just
  removes some code that's basically dead from the fix for bug 1466991.
String or UUID changes made by this patch: None.

See https://wiki.mozilla.org/Release_Management/ESR_Landing_Process for more info.
Attachment #8988626 - Flags: approval-mozilla-esr60?
Flags: qe-verify-
Whiteboard: [post-critsmash-triage]
Comment on attachment 8988626 [details] [diff] [review]
Don't do extra work we don't need to in ReparentWrappersInSubtree

Approved for ESR 60.2.
Attachment #8988626 - Flags: approval-mozilla-esr60? → approval-mozilla-esr60+
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-esr60.2-]
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.