Closed Bug 631488 Opened 13 years ago Closed 13 years ago

Crash [@ xpc::XrayWrapper<JSCrossCompartmentWrapper>::get] [@ js::JSProxyHandler::get] navigating closed window

Categories

(Core :: XPConnect, defect)

Product:
Core
Component:
XPConnect
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
blocking2.0 --- betaN+

People

(Reporter: jruderman, Assigned: automation)

References

Details

(Keywords: crash, testcase, topcrash, Whiteboard: [sg:critical][hardblocker], fixed-in-tracemonkey [has patch])

Crash Data

Attachments

(3 files)

testcase (must be local)
318 bytes, text/html
Details
crash report
42.91 KB, text/plain
Details
patch
1.02 KB, patch
brendan
: review+
Details | Diff | Splinter Review 
Related to bug 628599?
Attachment #509713 - Attachment description: testcase → testcase (must be local)
Attached file crash report 

    
    

    
  
Why is this sg:crit?

    
    

    
  
Because the crash stack trace has a random, invalid address at the top.

    
    

    
  
10b looks like a near null crash to me with a largish VMT (proxy handler). I will look into it.
Assignee: nobody → gal
OS: Mac OS X → Windows 7

    
  
blocking2.0: --- → ?

    
  
OS: Windows 7 → Mac OS X

    
    

    
  
Blocking.
blocking2.0: ? → final+
Whiteboard: [sg:critical] → [sg:critical][softblocker]

    
    

    
  
This doesn't reproduce for me with b10. Trying in a debug build.

    
    

    
  
I tried with TM tip. This is definitely no longer crashing. I think I have an idea what fixed this.

In unrelated news, we leak like a sieve on this test case. With quick clicks I can get up to 1000 DOM windows easily. We GC and CC, but each time we only go down to 300 DOM windows or so. Most doc shells get destroyed, but nowhere near all windows. Weird.

--DOCSHELL 0x7fffca67c000 == 9
--DOCSHELL 0x7fffcc839000 == 8
--DOCSHELL 0x7fffcc414000 == 7
--DOCSHELL 0x7fffcc27c800 == 6
--DOCSHELL 0x7fffcb003800 == 5
--DOMWINDOW == 495 (0x7fffccc6a078) [serial = 1990] [outer = 0x7fffcc414c00] [url = about:blank]
--DOMWINDOW == 494 (0x7fffcc414c78) [serial = 1986] [outer = (nil)] [url = about:blank]
--DOMWINDOW == 493 (0x7fffccc68c78) [serial = 1989] [outer = 0x7fffcc27d400] [url = about:blank]

    
    

    
  
Blake says this is related to us not properly filtering/censoring setters that are JSPropertyOps. Though I thought we fixed something there recently, too.

    
    

    
  
bug 629331 might be related

    
    

    
  
Testing again. mrbkap says this did reproduce for him with that patch applied

    
    

    
  
Ok, just crashed.

    
    

    
  

      
      
      
      

        Attached patch
          
          
        patchSplinter Review
      

    


  

    
    

    
  
I stand corrected. Jesse was right. This is exploitable. An object is used as JSPropertyOp.

    
  
Whiteboard: [sg:critical][softblocker] → [sg:critical][hardblocker]

    
  

        Attachment #510424 -
        Flags: review?(mrbkap)

    
  
blocking2.0: final+ → betaN+

    
    

    
  
Comment on attachment 510424 [details] [diff] [review]
patch

>diff --git a/js/src/jsproxy.cpp b/js/src/jsproxy.cpp
>--- a/js/src/jsproxy.cpp
>+++ b/js/src/jsproxy.cpp
>@@ -173,26 +173,26 @@ JSProxyHandler::set(JSContext *cx, JSObj
>                 return false;
>             if (desc.attrs & JSPROP_SHARED)
>                 return true;
>         }
>         if (!desc.getter)
>             desc.getter = PropertyStub;
>         if (!desc.setter)
>             desc.setter = PropertyStub;
>-        /* fall through */
>-    } else {
>-        /* Pick up the class getter/setter. */
>-        desc.getter = desc.setter = NULL;
>+        return defineProperty(cx, receiver, id, &desc);

The - lines should if(A){B}else{C;return}D, which is a bad pattern. Any more like it? Please fix if so. Should be if(A){B;D}else{C} or if(!A){C;return}B;D.

>     }
> 
>     desc.obj = receiver;
>     desc.value = *vp;
>     desc.attrs = JSPROP_ENUMERATE;
>     desc.shortid = 0;

Blank line before comment taking one or more lines unless preceded by {.

>+    /* Pick up the class getter/setter. */
>+    desc.getter =
>+    desc.setter = NULL;

All on one line please.

/be

        Attachment #510424 -
        Flags: review?(mrbkap) → review+

    
    

    
  
http://hg.mozilla.org/tracemonkey/rev/985782685741
Whiteboard: [sg:critical][hardblocker] → [sg:critical][hardblocker], fixed-in-tracemonkey

    
  
Whiteboard: [sg:critical][hardblocker], fixed-in-tracemonkey → [sg:critical][hardblocker], fixed-in-tracemonkey [has patch]

    
    

    
  
Andreas, did your patch fix both the leak and the crash? Or do we need a new bug on the leak?

    
    

    
  
I didn't fix the leak.

    
    

    
  
Can you still reproduce the leak?

    
    

    
  
Bugs are on file for the leak. We are done here.

    
    

    
  
http://hg.mozilla.org/mozilla-central/rev/c76d7a190b12
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Crash Signature: [@ xpc::XrayWrapper<JSCrossCompartmentWrapper>::get]
[@ js::JSProxyHandler::get]

    
  
Assignee: gal → automation

    
  
Group: core-security → core-security-release
Group: core-security-release

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: