639501 - Assertion failure: isObject() | Crash [@ xpc::XrayWrapper::getOwnPropertyDescriptor(JSContext*, JSObject*, int, bool, js::PropertyDescriptor*)], [@ xpc::XrayWrapper<JSCrossCompartmentWrapper>::getOwnPropertyDescriptor ]

Status: RESOLVED FIXED

(Core :: XPConnect, defect)

Description

[Bob Clary [:bc] (inactive)]

1. http://bieberrolled.website.org/
2. click on the alert that you have been rolled.
3. assert on mac/linux/win 2.0.0. 1.9.2 is ok.

Assertion failure: isObject(), at ../../dist/include/jsvalue.h:602

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000000
0x06524baf in JS_Assert (s=0x69817f8 "isObject()", file=0x6931cf9 "../../dist/include/jsvalue.h", ln=602) at /work/mozilla/builds/2.0.0/mozilla/js/src/jsutil.cpp:80
80	    *((int *) NULL) = 0;  /* To continue from here in GDB: "return" then "continue". */

(gdb) bt     
#0  0x06524baf in JS_Assert (s=0x69817f8 "isObject()", file=0x6931cf9 "../../dist/include/jsvalue.h", ln=602) at /work/mozilla/builds/2.0.0/mozilla/js/src/jsutil.cpp:80
#1  0x0540c4b9 in js::Value::toObject (this=0x236f74b8) at jsvalue.h:602
#2  0x05a5b411 in xpc::GetHolder (obj=0x236f7480) at /work/mozilla/builds/2.0.0/mozilla/js/src/xpconnect/wrappers/XrayWrapper.cpp:122
#3  0x05a5ef08 in xpc::XrayWrapper<JSCrossCompartmentWrapper>::defineProperty (this=0x6d4a544, cx=0x247a6440, wrapper=0x236f7480, id={asBits = 21055552}, desc=0xbfffb9f0) at /work/mozilla/builds/2.0.0/mozilla/js/src/xpconnect/wrappers/XrayWrapper.cpp:623
#4  0x064c8abc in js::JSProxyHandler::set (this=0x6d4a544, cx=0x247a6440, proxy=0x236f7480, receiver=0x236f7480, id={asBits = 21055552}, strict=false, vp=0xbfffc058) at /work/mozilla/builds/2.0.0/mozilla/js/src/jsproxy.cpp:165
#5  0x05a5c9fe in xpc::XrayWrapper<JSCrossCompartmentWrapper>::set (this=0x6d4a544, cx=0x247a6440, wrapper=0x236f7480, receiver=0x236f7480, id={asBits = 21055552}, strict=false, vp=0xbfffc058) at /work/mozilla/builds/2.0.0/mozilla/js/src/xpconnect/wrappers/XrayWrapper.cpp:792
#6  0x064c5a15 in js::JSProxy::set (cx=0x247a6440, proxy=0x236f7480, receiver=0x236f7480, id={asBits = 21055552}, strict=false, vp=0xbfffc058) at /work/mozilla/builds/2.0.0/mozilla/js/src/jsproxy.cpp:808
#7  0x064c5a6b in js::proxy_SetProperty (cx=0x247a6440, obj=0x236f7480, id={asBits = 21055552}, vp=0xbfffc058, strict=0) at /work/mozilla/builds/2.0.0/mozilla/js/src/jsproxy.cpp:923
#8  0x0639b762 in JSObject::setProperty (this=0x236f7480, cx=0x247a6440, id={asBits = 21055552}, vp=0xbfffc058, strict=0) at jsobj.h:1232
#9  0x064439d3 in js::Interpret () at /work/mozilla/builds/2.0.0/mozilla/js/src/jsinterp.cpp:4496

ss since many other related asserts are ss.

Comment 1

[Bob Clary [:bc] (inactive)]

note this was found from crashing urls that had xpc::XrayWrapper::getOwnPropertyDescriptor(JSContext*, JSObject*, int, bool, js::PropertyDescriptor*)  as the signature which is related to this assert.

also crashes nightly: bp-8c0cb8b1-f867-425a-8303-960562110307 (I can't check this due to hbase issues atm)

Comment 2

[Andreas Gal :gal]

bc, we should definitely fix this, but its not a top crasher and it looks like a safe NULL crash

Comment 3

[Daniel Holbert [:dholbert]]

(Confirming on Linux x86_64 w/ nightly, with a slightly different signature on crash-stats and with crash addr at 0x40 (still near null): bp-b28e9df2-3ca8-4abd-a100-82c272110307 )

Comment 4

[Blake Kaplan (:mrbkap) (inactive)]

Attachment: Proposed fix

I've been Bieber-rolled! And I've now debugged a site with the line 'numKisses = 15' in its source code.

Amongst the other things it does, the site includes an advertising page in an iframe whose JS contains frame-busting code if (top.location != window.location) top.location = location;|. At the same time, the main site has an onbeforeunload handler that effectively does |while (more than one thing) alert(something)|. Because |alert| spins the event loop, after the first time through the while loop, we actually navigate the top page, even while running its JS. The second time through the loop, we actually throw a security exception trying to call alert on the new outer window (which has navigated and been brain transplanted).

However, window.location is a slotful property, so as we unwind from the top.location setter (which is going through a XOW proxy), JSProxyHandler::set wants to update the slot by calling defineProperty on the handler. Unfortunately for us, the proxy that we're the handler for has also been brain-transplanted into a same origin wrapper, meaning that using |this| as the proxy handler is no longer correct. So, we try to use proxy->getProxyExtra() as an object, which it no longer is (it's undefined), and we crash.

This patch protects against getters mutating the proxy object out from under the proxy handler.

Comment 5

[Andreas Gal :gal]

Comment on attachment 517875 [details] [diff] [review]
Proposed fix

Ask jst for hazard pay.

Comment 6

[Blake Kaplan (:mrbkap) (inactive)]

http://hg.mozilla.org/tracemonkey/rev/9449c2235f86

Comment 7

[Blake Kaplan (:mrbkap) (inactive)]

This was merged into mozilla-central a while ago: http://hg.mozilla.org/mozilla-central/rev/9449c2235f86