Closed Bug 417852 Opened 15 years ago Closed 15 years ago

"ASSERTION: Uh, cx is not the current JS context!" with __proto__


(Core :: Security: CAPS, defect, P3)






(Reporter: jruderman, Assigned: jst)



(Keywords: assertion, regression, testcase, Whiteboard: [sg:critical?])


(2 files)

Attached file testcase
Loading the testcase triggers:

###!!! ASSERTION: Uh, cx is not the current JS context!: 'cx == GetCurrentJSContext()', file /Users/jruderman/trunk/mozilla/caps/src/nsScriptSecurityManager.cpp, line 487

This assertion is part of nsScriptSecurityManager::GetCxSubjectPrincipal, which was added in bug 410851.

Does this have security implications?
> Loading the testcase triggers

Sorry, I lied.  You have to close or reload the testcase to see the assertion.
Assignee: dveditz → jst
jst says this is likely due to someone forgetting to push the current context. We've had various problems with this in the past, and depending on who and where the bug is web content might be able to get chrome privs this way.
Assignee: jst → dveditz
Flags: wanted1.8.1.x-
Flags: blocking1.9?
Whiteboard: [sg:critical?]
The relevant part of the stack:

#2  0xb7436ccc in nsScriptSecurityManager::GetCxSubjectPrincipal (this=0x8145638, 
    cx=0xb206c000) at ../../../mozilla/caps/src/nsScriptSecurityManager.cpp:486
#3  0xb75479d0 in IsWrapperSameOrigin (cx=0xb206c000, wrappedObj=0xb1fbad20)
    at ../../../../../mozilla/js/src/xpconnect/src/XPCCrossOriginWrapper.cpp:269
#4  0xb7535395 in XPCWrapper::Unwrap (cx=0xb206c000, wrapper=0xb1ec0d00)
    at ../../../../../mozilla/js/src/xpconnect/src/XPCWrapper.h:210
#5  0xb752f4e3 in XPCWrappedNative::GetWrappedNativeOfJSObject (cx=0xb206c000, 
    obj=0xb1ec1c80, funobj=0x0, pobj2=0x0, pTearOff=0x0)
    at ../../../../../mozilla/js/src/xpconnect/src/xpcwrappednative.cpp:1360
#6  0xb753c86f in XPC_WN_JSOp_Clear (cx=0xb206c000, obj=0xb1ec1c80)
    at ../../../../../mozilla/js/src/xpconnect/src/xpcwrappednativejsops.cpp:1262
#7  0xb7f0383c in JS_ClearScope (cx=0xb206c000, obj=0xb1ec1c80)
    at ../../../mozilla/js/src/jsapi.c:3795
#8  0xb58ff583 in nsJSContext::ClearScope (this=0xb206d320, aGlobalObj=0xb1ec1600, 
    aClearFromProtoChain=1) at ../../../../mozilla/dom/src/base/nsJSEnvironment.cpp:3157
#9  0xb590bdd3 in nsGlobalWindow::FreeInnerObjects (this=0x8ae0e00, aClearScope=1)
    at ../../../../mozilla/dom/src/base/nsGlobalWindow.cpp:894
#10 0xb590f894 in nsGlobalWindow::SetNewDocument (this=0xb206c8d0, aDocument=0x8913e70, 
    aState=0x0, aClearScopeHint=1, aIsInternalCall=0)

There is no cx on the stack, so we get an assert.

I suppose FreeInnerObjects could push a cx.  Or nsJSContext::ClearScope, or XPC_WN_JSOp_Clear.

I don't think there's a security issue here, though...
Attached patch Fix.Splinter Review
This ensures we push when clearing scopes...
Attachment #304672 - Flags: superreview?(bzbarsky)
Attachment #304672 - Flags: review?(dveditz)
Comment on attachment 304672 [details] [diff] [review]

>+++ b/dom/src/base/nsJSEnvironment.cpp
>+  if (!stack || NS_FAILED(stack->Push(mContext))) {

Make that |stack && NS_FAILED(...)| and sr=bzbarsky
Attachment #304672 - Flags: superreview?(bzbarsky) → superreview+
Comment on attachment 304672 [details] [diff] [review]

r=dveditz w/bz's change
Attachment #304672 - Flags: review?(dveditz) → review+
Flags: blocking1.9? → blocking1.9+
Priority: -- → P3
jst's patch, back to him.
Assignee: dveditz → jst
I checked this in yesterday, forgot to update the bug.
Closed: 15 years ago
Resolution: --- → FIXED
Group: core-security
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.