Closed
Bug 631488
Opened 13 years ago
Closed 13 years ago
Crash [@ xpc::XrayWrapper<JSCrossCompartmentWrapper>::get] [@ js::JSProxyHandler::get] navigating closed window
Categories
(Core :: XPConnect, defect)
Tracking
()
RESOLVED
FIXED
Tracking | Status | |
---|---|---|
blocking2.0 | --- | betaN+ |
People
(Reporter: jruderman, Assigned: automation)
References
Details
(Keywords: crash, testcase, topcrash, Whiteboard: [sg:critical][hardblocker], fixed-in-tracemonkey [has patch])
Crash Data
Attachments
(3 files)
Related to bug 628599?
Reporter | ||
Updated•13 years ago
|
Attachment #509713 -
Attachment description: testcase → testcase (must be local)
Reporter | ||
Comment 1•13 years ago
|
||
Comment 2•13 years ago
|
||
Why is this sg:crit?
Reporter | ||
Comment 3•13 years ago
|
||
Because the crash stack trace has a random, invalid address at the top.
Comment 4•13 years ago
|
||
10b looks like a near null crash to me with a largish VMT (proxy handler). I will look into it.
Assignee: nobody → gal
OS: Mac OS X → Windows 7
Reporter | ||
Updated•13 years ago
|
blocking2.0: --- → ?
Reporter | ||
Updated•13 years ago
|
OS: Windows 7 → Mac OS X
Comment 5•13 years ago
|
||
Blocking.
blocking2.0: ? → final+
Whiteboard: [sg:critical] → [sg:critical][softblocker]
Comment 6•13 years ago
|
||
This doesn't reproduce for me with b10. Trying in a debug build.
Comment 7•13 years ago
|
||
I tried with TM tip. This is definitely no longer crashing. I think I have an idea what fixed this. In unrelated news, we leak like a sieve on this test case. With quick clicks I can get up to 1000 DOM windows easily. We GC and CC, but each time we only go down to 300 DOM windows or so. Most doc shells get destroyed, but nowhere near all windows. Weird. --DOCSHELL 0x7fffca67c000 == 9 --DOCSHELL 0x7fffcc839000 == 8 --DOCSHELL 0x7fffcc414000 == 7 --DOCSHELL 0x7fffcc27c800 == 6 --DOCSHELL 0x7fffcb003800 == 5 --DOMWINDOW == 495 (0x7fffccc6a078) [serial = 1990] [outer = 0x7fffcc414c00] [url = about:blank] --DOMWINDOW == 494 (0x7fffcc414c78) [serial = 1986] [outer = (nil)] [url = about:blank] --DOMWINDOW == 493 (0x7fffccc68c78) [serial = 1989] [outer = 0x7fffcc27d400] [url = about:blank]
Comment 8•13 years ago
|
||
Blake says this is related to us not properly filtering/censoring setters that are JSPropertyOps. Though I thought we fixed something there recently, too.
Comment 9•13 years ago
|
||
bug 629331 might be related
Comment 10•13 years ago
|
||
Testing again. mrbkap says this did reproduce for him with that patch applied
Comment 11•13 years ago
|
||
Ok, just crashed.
Comment 12•13 years ago
|
||
Comment 13•13 years ago
|
||
I stand corrected. Jesse was right. This is exploitable. An object is used as JSPropertyOp.
Updated•13 years ago
|
Whiteboard: [sg:critical][softblocker] → [sg:critical][hardblocker]
Updated•13 years ago
|
Attachment #510424 -
Flags: review?(mrbkap)
Updated•13 years ago
|
blocking2.0: final+ → betaN+
Comment 14•13 years ago
|
||
Comment on attachment 510424 [details] [diff] [review] patch >diff --git a/js/src/jsproxy.cpp b/js/src/jsproxy.cpp >--- a/js/src/jsproxy.cpp >+++ b/js/src/jsproxy.cpp >@@ -173,26 +173,26 @@ JSProxyHandler::set(JSContext *cx, JSObj > return false; > if (desc.attrs & JSPROP_SHARED) > return true; > } > if (!desc.getter) > desc.getter = PropertyStub; > if (!desc.setter) > desc.setter = PropertyStub; >- /* fall through */ >- } else { >- /* Pick up the class getter/setter. */ >- desc.getter = desc.setter = NULL; >+ return defineProperty(cx, receiver, id, &desc); The - lines should if(A){B}else{C;return}D, which is a bad pattern. Any more like it? Please fix if so. Should be if(A){B;D}else{C} or if(!A){C;return}B;D. > } > > desc.obj = receiver; > desc.value = *vp; > desc.attrs = JSPROP_ENUMERATE; > desc.shortid = 0; Blank line before comment taking one or more lines unless preceded by {. >+ /* Pick up the class getter/setter. */ >+ desc.getter = >+ desc.setter = NULL; All on one line please. /be
Attachment #510424 -
Flags: review?(mrbkap) → review+
Comment 15•13 years ago
|
||
http://hg.mozilla.org/tracemonkey/rev/985782685741
Whiteboard: [sg:critical][hardblocker] → [sg:critical][hardblocker], fixed-in-tracemonkey
Updated•13 years ago
|
Whiteboard: [sg:critical][hardblocker], fixed-in-tracemonkey → [sg:critical][hardblocker], fixed-in-tracemonkey [has patch]
Reporter | ||
Comment 17•13 years ago
|
||
Andreas, did your patch fix both the leak and the crash? Or do we need a new bug on the leak?
Comment 18•13 years ago
|
||
I didn't fix the leak.
Reporter | ||
Comment 19•13 years ago
|
||
Can you still reproduce the leak?
Keywords: topcrash
Comment 20•13 years ago
|
||
Bugs are on file for the leak. We are done here.
Comment 21•13 years ago
|
||
http://hg.mozilla.org/mozilla-central/rev/c76d7a190b12
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Updated•13 years ago
|
Crash Signature: [@ xpc::XrayWrapper<JSCrossCompartmentWrapper>::get]
[@ js::JSProxyHandler::get]
Assignee | ||
Updated•9 years ago
|
Assignee: gal → automation
Assignee | ||
Updated•9 years ago
|
Group: core-security → core-security-release
Updated•9 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•