Bug 639501 - Assertion failure: isObject() | Crash [@ xpc::XrayWrapper::getOwnPropertyDescriptor(JSContext*, JSObject*, int, bool, js::PropertyDescriptor*)], [@ xpc::XrayWrapper<JSCrossCompartmentWrapper>::getOwnPropertyDescriptor ]
Status: Closed, RESOLVED FIXED
Opened 10 years ago, closed 10 years ago
Product / Component: Core :: XPConnect (defect)
Reporter: bc; Assignee: mrbkap
Keywords: assertion, crash
Whiteboard: [sg:dos] fixed-in-tracemonkey
Attachments (1): attachment 517875, "Proposed fix" (patch, 1.93 KB), review+ by gal
1. http://bieberrolled.website.org/
2. click on the alert that you have been rolled.
3. assert on mac/linux/win 2.0.0. 1.9.2 is ok.

Assertion failure: isObject(), at ../../dist/include/jsvalue.h:602

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000000
0x06524baf in JS_Assert (s=0x69817f8 "isObject()", file=0x6931cf9 "../../dist/include/jsvalue.h", ln=602) at /work/mozilla/builds/2.0.0/mozilla/js/src/jsutil.cpp:80
80          *((int *) NULL) = 0;  /* To continue from here in GDB: "return" then "continue". */
(gdb) bt
#0  0x06524baf in JS_Assert (s=0x69817f8 "isObject()", file=0x6931cf9 "../../dist/include/jsvalue.h", ln=602) at /work/mozilla/builds/2.0.0/mozilla/js/src/jsutil.cpp:80
#1  0x0540c4b9 in js::Value::toObject (this=0x236f74b8) at jsvalue.h:602
#2  0x05a5b411 in xpc::GetHolder (obj=0x236f7480) at /work/mozilla/builds/2.0.0/mozilla/js/src/xpconnect/wrappers/XrayWrapper.cpp:122
#3  0x05a5ef08 in xpc::XrayWrapper<JSCrossCompartmentWrapper>::defineProperty (this=0x6d4a544, cx=0x247a6440, wrapper=0x236f7480, id={asBits = 21055552}, desc=0xbfffb9f0) at /work/mozilla/builds/2.0.0/mozilla/js/src/xpconnect/wrappers/XrayWrapper.cpp:623
#4  0x064c8abc in js::JSProxyHandler::set (this=0x6d4a544, cx=0x247a6440, proxy=0x236f7480, receiver=0x236f7480, id={asBits = 21055552}, strict=false, vp=0xbfffc058) at /work/mozilla/builds/2.0.0/mozilla/js/src/jsproxy.cpp:165
#5  0x05a5c9fe in xpc::XrayWrapper<JSCrossCompartmentWrapper>::set (this=0x6d4a544, cx=0x247a6440, wrapper=0x236f7480, receiver=0x236f7480, id={asBits = 21055552}, strict=false, vp=0xbfffc058) at /work/mozilla/builds/2.0.0/mozilla/js/src/xpconnect/wrappers/XrayWrapper.cpp:792
#6  0x064c5a15 in js::JSProxy::set (cx=0x247a6440, proxy=0x236f7480, receiver=0x236f7480, id={asBits = 21055552}, strict=false, vp=0xbfffc058) at /work/mozilla/builds/2.0.0/mozilla/js/src/jsproxy.cpp:808
#7  0x064c5a6b in js::proxy_SetProperty (cx=0x247a6440, obj=0x236f7480, id={asBits = 21055552}, vp=0xbfffc058, strict=0) at /work/mozilla/builds/2.0.0/mozilla/js/src/jsproxy.cpp:923
#8  0x0639b762 in JSObject::setProperty (this=0x236f7480, cx=0x247a6440, id={asBits = 21055552}, vp=0xbfffc058, strict=0) at jsobj.h:1232
#9  0x064439d3 in js::Interpret () at /work/mozilla/builds/2.0.0/mozilla/js/src/jsinterp.cpp:4496

ss since many other related asserts are ss.
Comment 1 (Reporter) • 10 years ago
note this was found from crashing urls that had xpc::XrayWrapper::getOwnPropertyDescriptor(JSContext*, JSObject*, int, bool, js::PropertyDescriptor*) as the signature which is related to this assert. also crashes nightly: bp-8c0cb8b1-f867-425a-8303-960562110307 (I can't check this due to hbase issues atm)
Keywords: crash
Summary: Assertion failure: isObject() → Assertion failure: isObject() | Crash [@ xpc::XrayWrapper::getOwnPropertyDescriptor(JSContext*, JSObject*, int, bool, js::PropertyDescriptor*)]
Updated•10 years ago
Assignee: general → gal
Updated•10 years ago
Assignee: gal → nobody
Component: JavaScript Engine → XPConnect
QA Contact: general → xpconnect
Updated•10 years ago
Whiteboard: [sg:critical?] → [sg:dos]
Updated•10 years ago
blocking2.0: ? → ---
Comment 2 • 10 years ago
bc, we should definitely fix this, but it's not a top crasher and it looks like a safe NULL crash
Comment 3 • 10 years ago
(Confirming on Linux x86_64 w/ nightly, with a slightly different signature on crash-stats and with crash addr at 0x40 (still near null): bp-b28e9df2-3ca8-4abd-a100-82c272110307 )
Hardware: x86 → All
Summary: Assertion failure: isObject() | Crash [@ xpc::XrayWrapper::getOwnPropertyDescriptor(JSContext*, JSObject*, int, bool, js::PropertyDescriptor*)] → Assertion failure: isObject() | Crash [@ xpc::XrayWrapper::getOwnPropertyDescriptor(JSContext*, JSObject*, int, bool, js::PropertyDescriptor*)], [@ xpc::XrayWrapper<JSCrossCompartmentWrapper>::getOwnPropertyDescriptor ]
Comment 4 (Assignee) • 10 years ago
I've been Bieber-rolled! And I've now debugged a site with the line 'numKisses = 15' in its source code. Amongst the other things it does, the site includes an advertising page in an iframe whose JS contains frame-busting code |if (top.location != window.location) top.location = location;|. At the same time, the main site has an onbeforeunload handler that effectively does |while (more than one thing) alert(something)|. Because |alert| spins the event loop, after the first time through the while loop, we actually navigate the top page, even while running its JS. The second time through the loop, we actually throw a security exception trying to call alert on the new outer window (which has navigated and been brain transplanted). However, window.location is a slotful property, so as we unwind from the top.location setter (which is going through a XOW proxy), JSProxyHandler::set wants to update the slot by calling defineProperty on the handler. Unfortunately for us, the proxy that we're the handler for has also been brain-transplanted into a same origin wrapper, meaning that using |this| as the proxy handler is no longer correct. So, we try to use proxy->getProxyExtra() as an object, which it no longer is (it's undefined), and we crash. This patch protects against getters mutating the proxy object out from under the proxy handler.
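The sequence described in comment 4, as an added, Node-runnable model rather than code from the bug, the patch or Mozilla: an ES Proxy stands in for the XOW, a WeakMap entry for the holder that xpc::GetHolder() reads out of the proxy extra slot, and a setter callback for the onbeforeunload/alert() event-loop spin that lets the navigation transplant the wrapper while its own setter is still on the stack. The names `holders`, `transplant`, `makeXrayWrapper` and `makeWindow` are assumptions of this model, not SpiderMonkey or XPConnect APIs, and the guard on the hardened path is my own, modelled on the sentence "protects against getters mutating the proxy object out from under the proxy handler", not on the patch's code.

```javascript
"use strict";

// Constructed, Node-runnable model of the re-entrancy hazard in comment 4. It is
// an added example, not code from the bug, the patch or Mozilla; `holders`,
// transplant(), makeXrayWrapper() and makeWindow() are stand-ins, not
// SpiderMonkey/XPConnect APIs.

// Per-wrapper "holder" object kept alongside each proxy. It stands in for the
// proxy extra slot that xpc::GetHolder() reads and converts with toObject().
const holders = new WeakMap();

// Brain transplant: the proxy is re-pointed at a same-origin wrapper kind whose
// handler keeps no holder, so the Xray holder slot goes away (undefined in the bug).
function transplant(proxy) {
  holders.delete(proxy);
}

// Build a wrapper around `target`. `guarded` selects the vulnerable or the
// hardened set trap. Both run the underlying setter first; that is where the
// event loop can spin (alert() in onbeforeunload) and a navigation can complete.
function makeXrayWrapper(target, guarded) {
  const handler = {
    set(obj, name, value, receiver) {
      // 1. Run the slotful property's own setter (top.location = ... in the bug).
      //    Anything that runs in here may transplant `receiver` behind our back.
      Reflect.set(obj, name, value, obj);

      // 2. JSProxyHandler::set then updates the proxy's copy of the slot by
      //    calling the handler's defineProperty, which needs the holder.
      if (guarded && !holders.has(receiver)) {
        // Hardened path (my own guard, modelled on the comment's description of
        // the fix, not the patch itself): the proxy was mutated out from under
        // this handler, so there is no holder to update; report success and stop.
        return true;
      }
      const holder = holders.get(receiver); // undefined once transplanted
      holder.cache[name] = value;           // vulnerable: TypeError here is the crash analog
      return true;
    },
  };
  const proxy = new Proxy(target, handler);
  holders.set(proxy, { cache: Object.create(null) });
  return proxy;
}

// Stand-in for the outer window: assigning `location` "navigates" and then
// invokes `onNavigate`, which plays the role of the nested event-loop spin
// (onbeforeunload + alert()) during which the real navigation finishes.
function makeWindow(onNavigate) {
  const win = { _location: "http://example.invalid/main" };
  Object.defineProperty(win, "location", {
    get() { return this._location; },
    set(url) { this._location = url; onNavigate(); },
    configurable: true,
  });
  return win;
}

// Drive the frame-buster's `top.location = ...` through a wrapper. Returns
// "crash" if the handler dereferenced a stale holder, else the new location.
function runScenario(guarded, transplants) {
  let top;
  const win = makeWindow(() => { if (transplants) transplant(top); });
  top = makeXrayWrapper(win, guarded);
  try {
    top.location = "http://example.invalid/ad";
    return win.location;
  } catch (e) {
    if (e instanceof TypeError) return "crash";
    throw e;
  }
}

console.log("no transplant, vulnerable:", runScenario(false, false)); // http://example.invalid/ad
console.log("transplant, vulnerable:   ", runScenario(false, true));  // crash
console.log("transplant, hardened:     ", runScenario(true, true));   // http://example.invalid/ad
```

Run it with node. Without the nested transplant the vulnerable trap is fine, which is why the bug only shows up when the setter re-enters the event loop; with it, the vulnerable trap fails at the holder dereference, the analog of the isObject() assertion and the near-null read in the stack above, while the hardened trap notices that the proxy no longer belongs to it and lets the assignment complete without touching the slot.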
Comment 5 • 10 years ago
Comment on attachment 517875 [details] [diff] [review]
Proposed fix

Ask jst for hazard pay.
Attachment #517875 - Flags: review?(gal) → review+
Comment 6 (Assignee) • 10 years ago
http://hg.mozilla.org/tracemonkey/rev/9449c2235f86
Whiteboard: [sg:dos] → [sg:dos] fixed-in-tracemonkey
Comment 7 (Assignee) • 10 years ago
This was merged into mozilla-central a while ago: http://hg.mozilla.org/mozilla-central/rev/9449c2235f86
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Updated•10 years ago
Crash Signature: [@ xpc::XrayWrapper::getOwnPropertyDescriptor(JSContext*, JSObject*, int, bool, js::PropertyDescriptor*)]
[@ xpc::XrayWrapper<JSCrossCompartmentWrapper>::getOwnPropertyDescriptor ]
Updated•6 years ago
Group: core-security