Closed Bug 557728 Opened 15 years ago Closed 15 years ago

Crash [@ XPCWrappedNativeScope::GetWrapperFor(JSContext*, JSObject*, XPCWrapper::WrapperType, XPCWrappedNative**) ]

Categories

(Core :: XPConnect, defect)

Product:
Core
Component:
XPConnect
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: humph, Assigned: mrbkap)

References

(
URL
)

Details

(Keywords: crash, Whiteboard: [sg:critical?])

Crash Data

Attachments

(1 file)

Proposed fix v1
5.33 KB, patch
vlad
: review+
jst
: superreview+
Details | Diff | Splinter Review
Doing more canvas optimization for processing.js, we took a patch that buffers pixel changes and then dumps a bunch at once (e.g., uses multiple canvases, putImageData, drawImage). I don't have a clear idea where this crash is (sorry I don't have a smaller test case), however, I suspect the code in this patch: https://processing-js.lighthouseapp.com/projects/41284/tickets/522/a/473641/pixbuf2.diff When I go to this page it crashes instantly every time on 10.6 running a nightly: http://weare.buildingsky.net/processing/perf/happyplace.html The crash is this: http://crash-stats.mozilla.com/report/index/eb130058-f285-49ad-b227-a8b9c2100406
I think that this is in Blake's wheelhouse.
Component: Canvas: 2D → XPConnect
QA Contact: canvas.2d → xpconnect
Unless this is one of the builds in which imagedata corrupts random chunks of memory....
This is: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.3a4pre) Gecko/20100406 Minefield/3.7a4pre
This is probably exploitable: we're calling JS_SetPrivate (effectively, via JSObject::setPrivate) on a JSObject for an nsGlobalWindow.
Group: core-security
Whiteboard: [sg:critical?]
Attached patch Proposed fix v1Splinter Review
The problem here is that we have a function that can be reached via both the JS engine (as part of a JSOP_CALL) and also from the JS API. The function relies on cx->fp being correct in both cases, which isn't true. In the testcase here (I'm going to see if I can reduce it into a crashtest), we check JS_IsConstructing to tell us whether or not |obj| is one of our types of objects... it so happens that when we end up in the class_constructor, the last frame pointer pushed onto cx->fp was a constructing frame.
Assignee: nobody → mrbkap
Status: NEW → ASSIGNED
Attachment #437965 - Flags: review?(vladimir)
Attachment #437965 - Flags: superreview?(jst)
Attachment #437965 - Flags: superreview?(jst) → superreview+
Technically, this is a regression from bug 534467, since it added a consumer of the API.
Blocks: 534467
http://hg.mozilla.org/mozilla-central/rev/e7a05d0e9fc5
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Crash Signature: [@ XPCWrappedNativeScope::GetWrapperFor(JSContext*, JSObject*, XPCWrapper::WrapperType, XPCWrappedNative**) ]
Group: core-security → core-security-release
Group: core-security-release
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: