Closed Bug 639501 Opened 10 years ago Closed 10 years ago

Assertion failure: isObject() | Crash [@ xpc::XrayWrapper::getOwnPropertyDescriptor(JSContext*, JSObject*, int, bool, js::PropertyDescriptor*)], [@ xpc::XrayWrapper<JSCrossCompartmentWrapper>::getOwnPropertyDescriptor ]

Categories: Core :: XPConnect (defect); Priority: Not set; Severity: normal


RESOLVED FIXED

People: Reporter bc, Assignee mrbkap


Keywords: assertion, crash; Whiteboard: [sg:dos] fixed-in-tracemonkey

Attachments: 1 file

1. http://bieberrolled.website.org/
2. click on the alert that you have been rolled.
3. Asserts on Mac/Linux/Win 2.0.0; 1.9.2 is OK.

Assertion failure: isObject(), at ../../dist/include/jsvalue.h:602

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000000
0x06524baf in JS_Assert (s=0x69817f8 "isObject()", file=0x6931cf9 "../../dist/include/jsvalue.h", ln=602) at /work/mozilla/builds/2.0.0/mozilla/js/src/jsutil.cpp:80
80	    *((int *) NULL) = 0;  /* To continue from here in GDB: "return" then "continue". */

(gdb) bt     
#0  0x06524baf in JS_Assert (s=0x69817f8 "isObject()", file=0x6931cf9 "../../dist/include/jsvalue.h", ln=602) at /work/mozilla/builds/2.0.0/mozilla/js/src/jsutil.cpp:80
#1  0x0540c4b9 in js::Value::toObject (this=0x236f74b8) at jsvalue.h:602
#2  0x05a5b411 in xpc::GetHolder (obj=0x236f7480) at /work/mozilla/builds/2.0.0/mozilla/js/src/xpconnect/wrappers/XrayWrapper.cpp:122
#3  0x05a5ef08 in xpc::XrayWrapper<JSCrossCompartmentWrapper>::defineProperty (this=0x6d4a544, cx=0x247a6440, wrapper=0x236f7480, id={asBits = 21055552}, desc=0xbfffb9f0) at /work/mozilla/builds/2.0.0/mozilla/js/src/xpconnect/wrappers/XrayWrapper.cpp:623
#4  0x064c8abc in js::JSProxyHandler::set (this=0x6d4a544, cx=0x247a6440, proxy=0x236f7480, receiver=0x236f7480, id={asBits = 21055552}, strict=false, vp=0xbfffc058) at /work/mozilla/builds/2.0.0/mozilla/js/src/jsproxy.cpp:165
#5  0x05a5c9fe in xpc::XrayWrapper<JSCrossCompartmentWrapper>::set (this=0x6d4a544, cx=0x247a6440, wrapper=0x236f7480, receiver=0x236f7480, id={asBits = 21055552}, strict=false, vp=0xbfffc058) at /work/mozilla/builds/2.0.0/mozilla/js/src/xpconnect/wrappers/XrayWrapper.cpp:792
#6  0x064c5a15 in js::JSProxy::set (cx=0x247a6440, proxy=0x236f7480, receiver=0x236f7480, id={asBits = 21055552}, strict=false, vp=0xbfffc058) at /work/mozilla/builds/2.0.0/mozilla/js/src/jsproxy.cpp:808
#7  0x064c5a6b in js::proxy_SetProperty (cx=0x247a6440, obj=0x236f7480, id={asBits = 21055552}, vp=0xbfffc058, strict=0) at /work/mozilla/builds/2.0.0/mozilla/js/src/jsproxy.cpp:923
#8  0x0639b762 in JSObject::setProperty (this=0x236f7480, cx=0x247a6440, id={asBits = 21055552}, vp=0xbfffc058, strict=0) at jsobj.h:1232
#9  0x064439d3 in js::Interpret () at /work/mozilla/builds/2.0.0/mozilla/js/src/jsinterp.cpp:4496

Security-sensitive, since many other related asserts are security-sensitive.
Note: this was found from crashing URLs that had xpc::XrayWrapper::getOwnPropertyDescriptor(JSContext*, JSObject*, int, bool, js::PropertyDescriptor*) as the signature, which is related to this assert.

Also crashes Nightly: bp-8c0cb8b1-f867-425a-8303-960562110307 (I can't check this due to HBase issues at the moment.)
Keywords: crash
Summary: Assertion failure: isObject() → Assertion failure: isObject() | Crash [@ xpc::XrayWrapper::getOwnPropertyDescriptor(JSContext*, JSObject*, int, bool, js::PropertyDescriptor*)]
Assignee: general → gal
Assignee: gal → nobody
Component: JavaScript Engine → XPConnect
QA Contact: general → xpconnect
Whiteboard: [sg:critical?] → [sg:dos]
blocking2.0: ? → ---
bc, we should definitely fix this, but it's not a top crasher and it looks like a safe NULL crash.
(Confirming on Linux x86_64 w/ nightly, with a slightly different signature on crash-stats and with crash addr at 0x40 (still near null): bp-b28e9df2-3ca8-4abd-a100-82c272110307 )
Hardware: x86 → All
Summary: Assertion failure: isObject() | Crash [@ xpc::XrayWrapper::getOwnPropertyDescriptor(JSContext*, JSObject*, int, bool, js::PropertyDescriptor*)] → Assertion failure: isObject() | Crash [@ xpc::XrayWrapper::getOwnPropertyDescriptor(JSContext*, JSObject*, int, bool, js::PropertyDescriptor*)], [@ xpc::XrayWrapper<JSCrossCompartmentWrapper>::getOwnPropertyDescriptor ]
Attached patch: Proposed fix
I've been Bieber-rolled! And I've now debugged a site with the line 'numKisses = 15' in its source code.

Amongst the other things it does, the site includes an advertising page in an iframe whose JS contains frame-busting code: |if (top.location != window.location) top.location = location;|. At the same time, the main site has an onbeforeunload handler that effectively does |while (more than one thing) alert(something)|. Because |alert| spins the event loop, after the first time through the while loop we actually navigate the top page, even while running its JS. The second time through the loop, we actually throw a security exception trying to call alert on the new outer window (which has navigated and been brain-transplanted).

However, window.location is a slotful property, so as we unwind from the top.location setter (which is going through a XOW proxy), JSProxyHandler::set wants to update the slot by calling defineProperty on the handler. Unfortunately for us, the proxy that we're the handler for has also been brain-transplanted into a same origin wrapper, meaning that using |this| as the proxy handler is no longer correct. So, we try to use proxy->getProxyExtra() as an object, which it no longer is (it's undefined), and we crash.

This patch protects against getters mutating the proxy object out from under the proxy handler.
Assignee: nobody → mrbkap
Status: NEW → ASSIGNED
Attachment #517875 - Flags: review?(gal)
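The hazard in comment 4 is a time-of-check/time-of-use bug inside a proxy handler: the handler runs a setter that can execute arbitrary script, and then touches per-proxy state (the holder in the proxy's extra slot) without re-checking that the proxy is still the one it was handed. The following is an added illustration, not Firefox code and not the attached patch: a constructed model in plain JavaScript (runnable under Node) in which |makeProxy|, |getHolder|, |transplant|, |naiveSet| and |hardenedSet| are all hypothetical stand-ins for the C++ pieces named in the stack. The "navigating" setter plays the role of the |top.location| setter, which transplants the wrapper before it returns.

```javascript
// Constructed model of the re-entrancy hazard from comment 4 (added example;
// not Firefox code). A "proxy" keeps its per-wrapper state in an extra slot,
// the handler's set() trap runs the property's setter and then caches the
// value in the holder stored in that slot.

// Hypothetical stand-in for a proxy whose extra slot holds the Xray holder.
function makeProxy(holder) {
  return { extra: holder };
}

// Mirrors the isObject() assertion in the stack: the slot must be an object.
function getHolder(proxy) {
  if (typeof proxy.extra !== 'object' || proxy.extra === null) {
    throw new Error('Assertion failure: isObject()');
  }
  return proxy.extra;
}

// "Brain transplant": the wrapper becomes a same-origin wrapper and the
// Xray holder slot no longer holds an object.
function transplant(proxy) {
  proxy.extra = undefined;
}

// Naive handler: runs the setter, then uses the holder without checking that
// the proxy it was given is still its own.
function naiveSet(proxy, name, value, setter) {
  setter(value);                  // may re-enter and transplant the proxy
  getHolder(proxy)[name] = value; // asserts if the setter transplanted it
  return true;
}

// Hardened handler: after any call that can run arbitrary script, re-validate
// the proxy before touching the holder, and bail out if it changed.
function hardenedSet(proxy, name, value, setter) {
  setter(value);
  const holder = proxy.extra;
  if (typeof holder !== 'object' || holder === null) {
    return false; // proxy was mutated out from under us; do not touch the slot
  }
  holder[name] = value;
  return true;
}

// Drives one set() through the chosen handler. With navigates=true the setter
// behaves like top.location = location: the wrapper is transplanted before the
// setter returns. Returns what the handler did rather than printing it.
function runScenario(setImpl, navigates) {
  const proxy = makeProxy({});
  const locationSetter = () => {
    if (navigates) transplant(proxy);
  };
  try {
    const ok = setImpl(proxy, 'location', 'https://example.invalid/', locationSetter);
    const cached = proxy.extra ? proxy.extra.location : undefined;
    return { ok, cached, error: null };
  } catch (e) {
    return { ok: false, cached: undefined, error: e.message };
  }
}

// Stand-alone demo (constructed scenarios, no browser needed):
console.log(runScenario(naiveSet, false));    // ok: true, cached value present
console.log(runScenario(naiveSet, true));     // error: 'Assertion failure: isObject()'
console.log(runScenario(hardenedSet, true));  // ok: false, nothing cached, no error
```

The general rule the model shows is the one the patch applies: anything between "read proxy state" and "use proxy state" that can run script (a getter, a setter, a brain transplant triggered by navigation) invalidates what was read, so the handler has to re-fetch and re-check rather than trust |this| or a previously read slot.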
Comment on attachment 517875: Proposed fix

Ask jst for hazard pay.
Attachment #517875 - Flags: review?(gal) → review+
http://hg.mozilla.org/tracemonkey/rev/9449c2235f86
Whiteboard: [sg:dos] → [sg:dos] fixed-in-tracemonkey
This was merged into mozilla-central a while ago: http://hg.mozilla.org/mozilla-central/rev/9449c2235f86
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Crash Signature: [@ xpc::XrayWrapper::getOwnPropertyDescriptor(JSContext*, JSObject*, int, bool, js::PropertyDescriptor*)] [@ xpc::XrayWrapper<JSCrossCompartmentWrapper>::getOwnPropertyDescriptor ]
Group: core-security