Closed Bug 638026 Opened 13 years ago Closed 13 years ago

"ASSERTION: should have a JS object by this point" with setUserData, GC

Categories

(Core :: XPConnect, defect)

Product:
Core
Component:
XPConnect
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
blocking2.0 --- -

People

(Reporter: jruderman, Assigned: mrbkap)

References

Details

(Keywords: assertion, testcase, Whiteboard: [sg:nse] fixed-in-tracemonkey)

Attachments

(3 files)

testcase (requires extension for GC)
556 bytes, text/html
Details
stack traces
3.60 KB, text/plain
Details
Proposed fix
1.12 KB, patch
jst
: review+
Details | Diff | Splinter Review 
1. Install 'DOM Fuzz Lite' from
    https://www.squarefree.com/extensions/domFuzzLite.xpi
2. Load the testcase.

###!!! ASSERTION: should have a JS object by this point: 'win->GetOuterWindowInternal()->IsCreatingInnerWindow()', file dom/base/nsDOMClassInfo.cpp, line 5022

###!!! ASSERTION: Non-global object has the wrong flags: '!(jsclazz->flags & JSCLASS_IS_GLOBAL)', file js/src/xpconnect/src/xpcwrappednative.cpp, line 1153

Security-sensitive because I'm scared of anything that involves GC. Or inner and outer windows.
Attached file stack traces 

    
  
blocking2.0: --- → ?

    
    

    
  
This doesn't look exploitable. Why blocking?

    
    

    
  
b- please renom if we see any indication that this is indeed exploitable
blocking2.0: ? → -

    
    

    
  
Given that we don't know of this being exploitable or anything, marking this sg:nse, and keeping it closed for now. Blake, can you have a look?
Assignee: nobody → mrbkap
Whiteboard: [sg:nse]

    
    

    
  

      
      
      
      

        Attached patch
          
          
        Proposed fixSplinter Review
      

    


  
So, the problem here is that the variant holds a reference to the outer window proxy and a reference to the current inner window's C++ object. After the iframe navigates, we brain transplant the outer window, and the old inner window's JS object has no more references to it, so we collect it. Later, we attempt to wrap the inner window into JS and recreate its JS object (and hit the assertion). This patch fixes this by making us hold a reference to the non-brain-transplanted inner object, meaning we won't recreate the JS object. This means we'll hold the old inner window alive longer, but I'm OK with that.

        Attachment #517543 -
        Flags: review?(jst)

        Attachment #517543 -
        Flags: review?(jst) → review+

    
    

    
  
http://hg.mozilla.org/tracemonkey/rev/41ea0740c97d
Whiteboard: [sg:nse] → [sg:nse] fixed-in-tracemonkey

    
    

    
  
Blake: we don't have brain transplants on the 1.9.x branches, but we do have inner and outer windows and we have seen the assertions in comment 0 (bug 637226). Do we need a variant of this fix on branches? Maybe not if it's truly unexploitable.

    
    

    
  
No. On older branches, the variant ends up holding a strong reference to the outer window, not the inner and the jsval that it holds is also for the outer, so it won't be garbage collected. Because the value and the nsISupports match there is no bug.
Group: core-security
Blocks: 637226

    
    

    
  
http://hg.mozilla.org/mozilla-central/rev/41ea0740c97d
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: