Closed Bug 622483 Opened 14 years ago Closed 11 years ago

ASSERTION: Principal mismatch. Not good: 'strcmp(jsClass->name, "Location") == 0 ? NS_SUCCEEDED(CheckSameOriginPrincipal(result, principal)) : result == principal',

Categories

(Core :: Security: CAPS, defect)

Product:
Core
Component:
Security: CAPS
Platform:
x86
Windows 7
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED WORKSFORME

People

(Reporter: alexander.miller, Unassigned)

References

(
URL
)

Details

(Whiteboard: [sg:needinfo])

Attachments

(1 file)

Stack trace
7.96 KB, text/plain
Details 
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13
Build Identifier: 

Got this assertion with cross_fuzz when the seed was #1243054328. Marking as security sensitive because of bug 474695 comment 2. Also, based on the satisfied condition it seems possible to bypass the same-origin policy.

Reproducible: Always

Steps to Reproduce:
1. Load cross_fuzz (seeded) with a seed of #1243054328.
2. Dig through a boatload of assertions until you get that assertion.
Blocks: crossfuzz
See also bug 474695 for a possible dupe and analysis.
Summary: ###!!! ASSERTION: Principal mismatch. Not good: 'strcmp(jsClass->name, "Location") == 0 ? NS_SUCCEEDED(CheckSameOriginPrincipal(result, principal)) : result == principal', → ASSERTION: Principal mismatch. Not good: 'strcmp(jsClass->name, "Location") == 0 ? NS_SUCCEEDED(CheckSameOriginPrincipal(result, principal)) : result == principal',
Also see bug 616913.  If you can reproduce this, can you examine the class name when you hit the assert?  For that matter, can you examine the principals involved?
(In reply to comment #2)
> Also see bug 616913.  If you can reproduce this, can you examine the class name
> when you hit the assert?  For that matter, can you examine the principals
> involved?

I don't have access to that bug, attaching the stack trace soon
Attached file Stack trace 

    
    

    
  
I didn't ask for the stack trace, right?  I asked what jsClass->name is in your case.

    
    

    
  
(In reply to comment #5)
> I didn't ask for the stack trace, right?  I asked what jsClass->name is in your
> case.

How exactly would I go about finding the classname?

    
    

    
  
Well, you have this in a debugger, right?  Just examine the relevant member of that object.  How to do that depends on your debugger.

    
    

    
  
(In reply to comment #7)
> Well, you have this in a debugger, right?  Just examine the relevant member of
> that object.  How to do that depends on your debugger.

The object in which the assertion occurs? I'm not familiar with CAPS at all, nor am I familiar with any code in this area, or most computer science/OOP terms. 

nsScriptSecurityManager?

    
    

    
  
(In reply to comment #6)
> (In reply to comment #5)
> > I didn't ask for the stack trace, right?  I asked what jsClass->name is in your
> > case.
> 
> How exactly would I go about finding the classname?

Try:

(gdb) p jsClass->name

or:

(gdb) x jsClass->name

when the assertion is trapped in gdb, for example.

    
  
Blocks: crossfuzz-pvt

    
  
No longer blocks: crossfuzz

    
    

    
  
Can I get access to bug 623189?

    
    

    
  
comment 10: done

    
    

    
  
For what it's worth, I was about to reply that you don't need that access to answer the questions in this bug.  I still think you don't.

    
    

    
  
Gary: jsClass->name is HTMLLabelElement and "result" is 32 NULLs

    
    

    
  
OK, for HTMLLabelElement this sounds ... bad (and in particular, not at all like bug 616913).  Blake?

Also, can you examine the principals?  32 nulls sounds wrong for a principal (hell, the vtable pointer should be non-null), but let's start with basics: what are the concrete types?
Status: UNCONFIRMED → NEW
Ever confirmed: true

    
    

    
  
(In reply to comment #14)
> OK, for HTMLLabelElement this sounds ... bad (and in particular, not at all
> like bug 616913).  Blake?
> 
> Also, can you examine the principals?  32 nulls sounds wrong for a principal
> (hell, the vtable pointer should be non-null), but let's start with basics:
> what are the concrete types?

According to gdb there was never a symbol by the name "principal", which seems completely wong because of the comparison before asserting, unless principal is being used uninitialized, which is a different problem.

    
    

    
  
(In reply to comment #14)
> OK, for HTMLLabelElement this sounds ... bad (and in particular, not at all
> like bug 616913).  Blake?
> 
> Also, can you examine the principals?  32 nulls sounds wrong for a principal
> (hell, the vtable pointer should be non-null), but let's start with basics:
> what are the concrete types?

Can I get access to bug 616913?

    
    

    
  
Fwiw, the jsClass->name is always overwritten with HTML<something>Element, not necessary Label

    
    

    
  
> According to gdb there was never a symbol by the name "principal"

That's .... odd.  This is a debug non-optimized build, right?

    
    

    
  
(In reply to comment #18)
> > According to gdb there was never a symbol by the name "principal"
> 
> That's .... odd.  This is a debug non-optimized build, right?

Yes
Whiteboard: [sg:needinfo]

    
    

    
  
Crash Automation hit this url from the daily crash reports.

On Nightly Mac, Linux and Windows. I was able to hit this manually locally on Mac probably 3/4 times.

Assertion failure: principals == JS_GetCompartmentPrincipals((js::GetContextCompartment(cx))), at /work/mozilla/builds/nightly/mozilla/caps/src/nsScriptSecurityManager.cpp:171

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_INVALID_ADDRESS at address: 0x0000000000000000
PushPrincipalCallback (cx=0x117926610, principals=0x119a51488) at /work/mozilla/builds/nightly/mozilla/caps/src/nsScriptSecurityManager.cpp:170

$1 = (class JSPrincipals *) 0x119a51488
(gdb) p JS_GetCompartmentPrincipals((js::GetContextCompartment(cx)))
$2 = (class JSPrincipals *) 0x11805b5c8


On Beta both Crash Automation (reproduced locally 1/4 times) ABORT: You can't dereference a NULL nsCOMPtr with operator->().: 'mRawPtr != 0'

NS_DebugBreak_P | nsCOMPtr<nsPIDOMWindow>::operator->() | mozilla::dom::Navigator::GetMozBattery(nsIDOMMozBatteryManager**) NS_InvokeByIndex_P CallMethodHelper::Invoke() CallMethodHelper::Call() XPCWrappedNative::CallMethod(XPCCallContext&, XPCWrappedNative::CallMode)

I was able to reproduce the ABORT on Aurora/Mac on shutdown after repeatedly focusing the cross fuzz tab.

    
    

    
  
This assertion doesn't exist anymore.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → WORKSFORME

    
  
Group: core-security → core-security-release
Group: core-security-release

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: