Closed Bug 1480224 Opened 6 years ago Closed 6 years ago

Assertion failure: xpc::IsInContentXBLScope(obj) || !xpc::UseContentXBLScope(JS::GetObjectRealmOrNull(obj)), at src/dom/base/nsINode.cpp:2673

Categories

(Core :: SVG, defect, P3)

Product:
Core
Component:
SVG
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla63
Tracking Flags:
Tracking Status
firefox-esr52 --- unaffected
firefox-esr60 --- unaffected
firefox61 --- unaffected
firefox62 --- unaffected
firefox63 --- fixed

People

(Reporter: tsmith, Assigned: emilio)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, testcase)

Attachments

(2 files, 1 obsolete file)

testcase.html
90 bytes, text/html
Details
It's not needed to explicitly exclude <use> trees from XBL scopes anymore.
3.01 KB, patch
smaug
: review+
Details | Diff | Splinter Review
Attached file testcase.html 
Assertion failure: xpc::IsInContentXBLScope(obj) || !xpc::UseContentXBLScope(JS::GetObjectRealmOrNull(obj)), at src/dom/base/nsINode.cpp:2673

#0 nsINode::WrapObject(JSContext*, JS::Handle<JSObject*>) src/dom/base/nsINode.cpp:2665:39
#1 mozilla::dom::Element::WrapObject(JSContext*, JS::Handle<JSObject*>) src/dom/base/Element.cpp:555:43
#2 XPCConvert::NativeInterface2JSObject(JS::MutableHandle<JS::Value>, xpcObjectHelper&, nsID const*, bool, nsresult*) src/js/xpconnect/src/XPCConvert.cpp:955:23
#3 NativeInterface2JSObject(JS::Handle<JSObject*>, nsISupports*, nsWrapperCache*, nsID const*, bool, JS::MutableHandle<JS::Value>) src/js/xpconnect/src/nsXPConnect.cpp:611:10
#4 nsXPConnect::WrapNativeToJSVal(JSContext*, JSObject*, nsISupports*, nsWrapperCache*, nsID const*, bool, JS::MutableHandle<JS::Value>) src/js/xpconnect/src/nsXPConnect.cpp:659:12
#5 nsContentUtils::WrapNative(JSContext*, nsISupports*, nsWrapperCache*, nsID const*, JS::MutableHandle<JS::Value>, bool) src/dom/base/nsContentUtils.cpp:6512:29
#6 nsXBLProtoImpl::InitTargetObjects(nsXBLPrototypeBinding*, nsIContent*, JS::MutableHandle<JSObject*>, bool*) src/dom/xbl/nsXBLProtoImpl.cpp:213:8
#7 nsXBLProtoImpl::InstallImplementation(nsXBLPrototypeBinding*, nsXBLBinding*) src/dom/xbl/nsXBLProtoImpl.cpp:63:17
#8 nsXBLBinding::InstallImplementation() src/dom/xbl/nsXBLBinding.cpp:597:31
#9 nsXBLBinding::InstallImplementation() src/dom/xbl/nsXBLBinding.cpp:591:33
#10 nsXBLService::LoadBindings(mozilla::dom::Element*, nsIURI*, nsIPrincipal*, nsXBLBinding**, bool*) src/dom/xbl/nsXBLService.cpp:561:22
#11 nsCSSFrameConstructor::AddFrameConstructionItemsInternal(nsFrameConstructorState&, nsIContent*, nsContainerFrame*, bool, mozilla::ComputedStyle*, unsigned int, nsCSSFrameConstructor::FrameConstructionItemList&) src/layout/base/nsCSSFrameConstructor.cpp:5530:33
#12 nsCSSFrameConstructor::AddFCItemsForAnonymousContent(nsFrameConstructorState&, nsContainerFrame*, nsTArray<nsIAnonymousContentCreator::ContentInfo> const&, nsCSSFrameConstructor::FrameConstructionItemList&, unsigned int) src/layout/base/nsCSSFrameConstructor.cpp:9978:5
#13 nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, mozilla::ComputedStyle*, nsContainerFrame*, bool, nsFrameItems&, bool, PendingBinding*, nsIFrame*) src/layout/base/nsCSSFrameConstructor.cpp:10059:3
#14 nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameItems&) src/layout/base/nsCSSFrameConstructor.cpp:3995:9
#15 nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameItems&) src/layout/base/nsCSSFrameConstructor.cpp:5922:3
#16 nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameItems&) src/layout/base/nsCSSFrameConstructor.cpp:9935:5
#17 nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, mozilla::ComputedStyle*, nsContainerFrame*, bool, nsFrameItems&, bool, PendingBinding*, nsIFrame*) src/layout/base/nsCSSFrameConstructor.cpp:10108:3
#18 nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameItems&) src/layout/base/nsCSSFrameConstructor.cpp:3995:9
#19 nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameItems&) src/layout/base/nsCSSFrameConstructor.cpp:5922:3
#20 nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameItems&) src/layout/base/nsCSSFrameConstructor.cpp:9935:5
#21 nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, mozilla::ComputedStyle*, nsContainerFrame*, bool, nsFrameItems&, bool, PendingBinding*, nsIFrame*) src/layout/base/nsCSSFrameConstructor.cpp:10108:3
#22 nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameItems&) src/layout/base/nsCSSFrameConstructor.cpp:3995:9
#23 nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameItems&) src/layout/base/nsCSSFrameConstructor.cpp:5922:3
#24 nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameItems&) src/layout/base/nsCSSFrameConstructor.cpp:9935:5
#25 nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, mozilla::ComputedStyle*, nsContainerFrame*, bool, nsFrameItems&, bool, PendingBinding*, nsIFrame*) src/layout/base/nsCSSFrameConstructor.cpp:10108:3
#26 nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameItems&) src/layout/base/nsCSSFrameConstructor.cpp:3995:9
#27 nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameItems&) src/layout/base/nsCSSFrameConstructor.cpp:5922:3
#28 nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameItems&) src/layout/base/nsCSSFrameConstructor.cpp:9935:5
#29 nsCSSFrameConstructor::ProcessChildren(nsFrameConstructorState&, nsIContent*, mozilla::ComputedStyle*, nsContainerFrame*, bool, nsFrameItems&, bool, PendingBinding*, nsIFrame*) src/layout/base/nsCSSFrameConstructor.cpp:10108:3
#30 nsCSSFrameConstructor::ConstructFrameWithAnonymousChild(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsFrameItems&, nsContainerFrame* (*)(nsIPresShell*, mozilla::ComputedStyle*), nsContainerFrame* (*)(nsIPresShell*, mozilla::ComputedStyle*), nsICSSAnonBoxPseudo*, bool) src/layout/base/nsCSSFrameConstructor.cpp:5054:5
#31 nsCSSFrameConstructor::ConstructOuterSVG(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItem&, nsContainerFrame*, nsStyleDisplay const*, nsFrameItems&) src/layout/base/nsCSSFrameConstructor.cpp:5071:10
#32 nsCSSFrameConstructor::ConstructFrameFromItemInternal(nsCSSFrameConstructor::FrameConstructionItem&, nsFrameConstructorState&, nsContainerFrame*, nsFrameItems&) src/layout/base/nsCSSFrameConstructor.cpp:3838:7
#33 nsCSSFrameConstructor::ConstructFramesFromItem(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList::Iterator&, nsContainerFrame*, nsFrameItems&) src/layout/base/nsCSSFrameConstructor.cpp:5922:3
#34 nsCSSFrameConstructor::ConstructFramesFromItemList(nsFrameConstructorState&, nsCSSFrameConstructor::FrameConstructionItemList&, nsContainerFrame*, bool, nsFrameItems&) src/layout/base/nsCSSFrameConstructor.cpp:9935:5
#35 nsCSSFrameConstructor::ContentAppended(nsIContent*, nsCSSFrameConstructor::InsertionKind) src/layout/base/nsCSSFrameConstructor.cpp:7123:3
#36 mozilla::RestyleManager::ProcessRestyledFrames(nsStyleChangeList&) src/layout/base/RestyleManager.cpp:1442:27
#37 mozilla::RestyleManager::DoProcessPendingRestyles(mozilla::ServoTraversalFlags) src/layout/base/RestyleManager.cpp:3057:9
#38 mozilla::PresShell::DoFlushPendingNotifications(mozilla::ChangesToFlush) src/layout/base/PresShell.cpp:4292:41
#39 mozilla::PresShell::DoFlushPendingNotifications(mozilla::FlushType) src/layout/base/PresShell.cpp:4133:3
#40 mozilla::EventStateManager::PreHandleEvent(nsPresContext*, mozilla::WidgetEvent*, nsIFrame*, nsIContent*, nsEventStatus*, nsIContent*) src/dom/events/EventStateManager.cpp:690:5
#41 mozilla::PresShell::HandleEventInternal(mozilla::WidgetEvent*, nsEventStatus*, bool, nsIContent*) src/layout/base/PresShell.cpp:7642:19
#42 mozilla::PresShell::HandleEvent(nsIFrame*, mozilla::WidgetGUIEvent*, bool, nsEventStatus*) src/layout/base/PresShell.cpp:7287:17
#43 nsViewManager::DispatchEvent(mozilla::WidgetGUIEvent*, nsView*, nsEventStatus*) src/view/nsViewManager.cpp:812:14
#44 nsView::HandleEvent(mozilla::WidgetGUIEvent*, bool) src/view/nsView.cpp:1141:9
#45 mozilla::widget::PuppetWidget::DispatchEvent(mozilla::WidgetGUIEvent*, nsEventStatus&) src/widget/PuppetWidget.cpp:413:35
#46 mozilla::layers::APZCCallbackHelper::DispatchWidgetEvent(mozilla::WidgetGUIEvent&) src/gfx/layers/apz/util/APZCCallbackHelper.cpp:537:21
#47 mozilla::dom::TabChild::HandleRealMouseButtonEvent(mozilla::WidgetMouseEvent const&, mozilla::layers::ScrollableLayerGuid const&, unsigned long const&) src/dom/ipc/TabChild.cpp:1736:3
#48 mozilla::dom::TabChild::RecvRealMouseButtonEvent(mozilla::WidgetMouseEvent const&, mozilla::layers::ScrollableLayerGuid const&, unsigned long const&) src/dom/ipc/TabChild.cpp:1708:3
#49 mozilla::dom::TabChild::RecvSynthMouseMoveEvent(mozilla::WidgetMouseEvent const&, mozilla::layers::ScrollableLayerGuid const&, unsigned long const&) src/dom/ipc/TabChild.cpp:1669:8
#50 mozilla::dom::PBrowserChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PBrowserChild.cpp:3431:20
#51 mozilla::dom::PContentChild::OnMessageReceived(IPC::Message const&) src/obj-firefox/ipc/ipdl/PContentChild.cpp:5606:28
#52 mozilla::dom::ContentChild::OnMessageReceived(IPC::Message const&) src/dom/ipc/ContentChild.cpp:3894:25
#53 mozilla::ipc::MessageChannel::DispatchAsyncMessage(IPC::Message const&) src/ipc/glue/MessageChannel.cpp:2238:25
#54 mozilla::ipc::MessageChannel::DispatchMessage(IPC::Message&&) src/ipc/glue/MessageChannel.cpp:2168:17
#55 mozilla::ipc::MessageChannel::RunMessage(mozilla::ipc::MessageChannel::MessageTask&) src/ipc/glue/MessageChannel.cpp:2014:5
#56 mozilla::ipc::MessageChannel::MessageTask::Run() src/ipc/glue/MessageChannel.cpp:2047:15
#57 mozilla::SchedulerGroup::Runnable::Run() src/xpcom/threads/SchedulerGroup.cpp:337:32
#58 nsThread::ProcessNextEvent(bool, bool*) src/xpcom/threads/nsThread.cpp:1235:14
#59 NS_ProcessNextEvent(nsIThread*, bool) src/xpcom/threads/nsThreadUtils.cpp:519:10
#60 mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:97:21
#61 MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:325:10
#62 MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:298:3
#63 nsBaseAppShell::Run() src/widget/nsBaseAppShell.cpp:158:27
#64 XRE_RunAppShell() src/toolkit/xre/nsEmbedFunctions.cpp:942:22
#65 mozilla::ipc::MessagePumpForChildProcess::Run(base::MessagePump::Delegate*) src/ipc/glue/MessagePump.cpp:269:9
#66 MessageLoop::RunInternal() src/ipc/chromium/src/base/message_loop.cc:325:10
#67 MessageLoop::Run() src/ipc/chromium/src/base/message_loop.cc:298:3
#68 XRE_InitChildProcess(int, char**, XREChildData const*) src/toolkit/xre/nsEmbedFunctions.cpp:768:34
#69 content_process_main(mozilla::Bootstrap*, int, char**) src/browser/app/../../ipc/contentproc/plugin-container.cpp:50:30
#70 main src/browser/app/nsBrowserApp.cpp:287:18
#71 __libc_start_main /build/glibc-Cl5G7W/glibc-2.23/csu/../csu/libc-start.c:291
#72 _start (firefox+0x423d04)
Flags: in-testsuite?
Hey Sean -- Can you find someone to look at this?
Flags: needinfo?(svoisen)
Priority: -- → P2
heycam or jwatt - This SVG assertion failure looks to be XBL-related. Should we bother here?
Flags: needinfo?(jwatt)
Flags: needinfo?(cam)
Flags: needinfo?(svoisen)
(In reply to Sean Voisen (:svoisen) from comment #2)
> heycam or jwatt - This SVG assertion failure looks to be XBL-related. Should
> we bother here?

Probably not. foreignObject is infrequently used, especially so to contain form controls.

Smaug, you added this assertion? How serious is this failure? Could a sec issue result?
Flags: needinfo?(jwatt) → needinfo?(bugs)
Priority: P2 → P3
I didn't add that assertion, but looks rather bad to me.

Where is the XBL coming from?
Group: layout-core-security
Flags: needinfo?(bugs)
It may be triggered by my recent <svg:use> changes (though somewhat unlikely), so will look at this.
Flags: needinfo?(emilio)
Confirmed via mozregression that bug 1450250 did actually make this assert. Now go figure why :(. Looking...
Blocks: 1450250
Ah, the XBL there is for the <xul:label> in the file input controls.
Assignee: nobody → emilio
Flags: needinfo?(emilio)
Patch is https://phabricator.services.mozilla.com/D3409, though looks like phabricator hasn't synced the patch here yet.
Now that the content is not anonymous we don't need to exclude them explicitly.
    
This happens because anonymous content inside the shadow tree does report to be
 inside the shadow tree, which is true but at the same time slightly footgunny.
    
In any case the other uses of the use shadow tree stuff are base-uri related,
and changing anon content's base uri in that case sounds like the right thing,
even though anon content shouldn't rely on those anyway.
Flags: needinfo?(cam)
Attachment #9000898 - Flags: review?(bugs)
Attachment #9000898 - Flags: review?(bugs) → review+
Now that the content is not anonymous we don't need to exclude them explicitly.

This happens because anonymous content inside the shadow tree does report to be
inside the shadow tree, which is true but at the same time slightly footgunny.

In any case the other uses of the use shadow tree stuff are base-uri related,
and changing anon content's base uri in that case sounds like the right thing,
even though anon content shouldn't rely on those anyway.
Attachment #9001239 - Attachment is obsolete: true
https://hg.mozilla.org/mozilla-central/rev/22c19ba1a395
Group: layout-core-security → core-security-release
Status: NEW → RESOLVED
Closed: 6 years ago
status-firefox63: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla63
status-firefox61: --- → unaffected
status-firefox62: --- → unaffected
status-firefox-esr52: --- → unaffected
status-firefox-esr60: --- → unaffected
Flags: in-testsuite? → in-testsuite+
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: