Closed
Bug 651298
Opened 13 years ago
Closed 13 years ago
Assertion failure: hookPrincipals == compPrincipals ... at jsobjinlines.h:877
Categories: Core :: JavaScript Engine, defect
Status: RESOLVED FIXED
People: Reporter: igor, Assigned: mrbkap
Details: Keywords: dogfood, Whiteboard: fixed-in-tracemonkey
Attachments (2 files):
- 20.48 KB, text/plain
- 1.40 KB, patch (luke: review+)
I got the following assert when reading an article on http://www.economist.com/printedition. I could not reproduce it at will, but I managed to get it 3 times.

Assertion failure: hookPrincipals == compPrincipals || (hookPrincipals->subsume(hookPrincipals, compPrincipals) && compPrincipals->subsume(compPrincipals, hookPrincipals)), at /scratch/igor/m/tm/j/src/jsobjinlines.h:877

Reporter
Comment 1•13 years ago
Reporter
Comment 2•13 years ago

This happens when I browse using a VNC session on a server. I guess I can keep the debugger running for some time there.
Reporter
Comment 3•13 years ago
To Luke: can it be a fallout from bug 602994?
Comment 4•13 years ago

Well, that assert was definitely added by bug 602994. But it's a property that should generally be true: the compartment containing an object should have equivalent principals to those found through findObjectPrincipals. What are the two principals involved?
Reporter
Comment 5•13 years ago

hookPrincipals->codebase: http://www.economist.com/node/18557604?story_id=18557604
compPrincipals->codebase: http://www.economist.com/printedition/
Comment 6•13 years ago
Well good to see this isn't some terrible chrome privilege leaking. Igor: Blake was suspecting document.domain at play; do you see any evidence of this?
Reporter
Comment 7•13 years ago

(In reply to comment #6)
> Igor: Blake was suspecting document.domain at play; do you see any evidence of this?

document.domain is set to economist.com on http://www.economist.com/printedition/ but not on articles like http://www.economist.com/node/18560709?story_id=18560709
Reporter
Comment 8•13 years ago
I got the same assert when browsing at gazeta.ru (a Russian news site). It contains document.domain = 'gazeta.ru'.
Reporter
Updated•13 years ago

Comment 9•13 years ago
Oh right, I talked to mrbkap about this IRL but then we got interrupted and the consensus was never recorded. Blake explained that this is a problem where, even if two documents have the same domain, if only one of them sets document.domain, they get different (non-equivalent) principals. Due to the lack of compartments==globals (bug 650353), this can lead to objects in the same compartment but with non-equivalent principals. Blake explains this isn't a security hole because they must have started with the same principals, at which point, any evil actions could have happened. Thus, the resolution was to delete the assert since there isn't anything weaker we could assert. Furthermore, after bug 650353, the assert also wouldn't have much meaning since, IIUC, it would essentially be true by definition.
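The rule described in comment 9 (same domain, but only one document sets document.domain, so the two get non-equivalent principals), as an added JavaScript illustration that is not code from this bug or from Gecko: it models principal equivalence with the HTML specification's "same origin-domain" comparison. The `principalFor` and `sameOriginDomain` helpers and the economist.com sample pages are constructed for the example and are not SpiderMonkey's subsume() implementation.

```javascript
// Added example: a minimal model of principal equivalence using the HTML
// spec's "same origin-domain" rule. Not Gecko's JSPrincipals::subsume.
// A principal here is {scheme, host, port, domain}; domain is null unless
// the document assigned document.domain (constructed shape for this example).

function principalFor(url, documentDomain = null) {
  const u = new URL(url);
  return {
    scheme: u.protocol.replace(":", ""),
    host: u.hostname,
    port: u.port || (u.protocol === "https:" ? "443" : "80"),
    domain: documentDomain, // value assigned via document.domain, or null
  };
}

// "Same origin": scheme, host and port all match; document.domain is ignored.
function sameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// "Same origin-domain" (HTML spec): two principals are equivalent only when
//   - neither set document.domain and they are same origin, or
//   - both set document.domain to the same value and share a scheme.
// If only one side relaxed itself via document.domain, they are NOT
// equivalent, even though they are same origin. That asymmetry is what let
// two globals in one compartment carry non-equivalent principals.
function sameOriginDomain(a, b) {
  if (a.domain === null && b.domain === null) return sameOrigin(a, b);
  if (a.domain !== null && b.domain !== null) {
    return a.scheme === b.scheme && a.domain === b.domain;
  }
  return false;
}

// Constructed sample pages mirroring the URLs in this bug report.
const printEdition = principalFor("http://www.economist.com/printedition/", "economist.com");
const article = principalFor("http://www.economist.com/node/18557604?story_id=18557604");
const article2 = principalFor("http://www.economist.com/node/18560709?story_id=18560709");

console.log(sameOrigin(printEdition, article));        // true: same scheme/host/port
console.log(sameOriginDomain(printEdition, article));  // false: only one set document.domain
console.log(sameOriginDomain(article, article2));      // true: neither set it
```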
Assignee
Comment 10•13 years ago
Assignee: general → mrbkap
Attachment #528974 -
Flags: review?(luke)
Comment 11•13 years ago
But I thought you convinced me that the compartment's principals were good enough? Or have you convinced yourself otherwise now?
Comment 12•13 years ago

Comment on attachment 528974 [details] [diff] [review]
Proposed fix

IRL answer from mrbkap: 'yes'
Attachment #528974 -
Flags: review?(luke) → review+
Keywords: dogfood
So I see this assertion reliably while restoring a session. In particular, I'm asserting on a script in:

https://www.facebook.com/widgets/like.php?width=280&show_faces=1&layout=standard&href=http%3A%2F%2Fwww.imdb.com%2Ftitle%2Ftt1782352%2F

while loading http://www.imdb.com/title/tt1782352/combined in a tab.

When I apply the fix (attachment 528974 [details] [diff] [review]), however, I still hit a fatal assertion... just a different one:

Assertion failure: callerPrincipals->subsume(callerPrincipals, calleePrincipals), at /home/dbaron/builds/ssd/mozilla-central/mozilla/js/src/jsobj.cpp:1344

In this case, in js::PrincipalsForCompiledCode, calleePrincipals->codebase is "https://www.facebook.com/extern/login_status.php?api_key=9cccf2c9570e99aeb7ea4a7284b957a1&app_id=9cccf2c9570e99aeb7ea4a7284b957a1&channel_url=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%" but unfortunately callerPrincipals is <value optimized out>. Is that a continuation of this bug, or another one?

Comment 14•13 years ago

I've seen Assertion failure: hookPrincipals == compPrincipals on a number of URLs on Windows, Mac and 32-bit as well as 64-bit Linux. It is quite common and will negatively impact crash testing the trunk. It would be very very nice if this landed soon.
I'm getting the same problem as dbaron, also with this patch applied. It's easy to reproduce with this URL (from bug 654590): http://ourbricks.com/viewer/85c448aa4d84fbf791cca3793f219c26

The assertion is the same, and it also seems to be a Facebook thing.

callerPrincipals is "http://www.facebook.com/plugins/comments.php?api_key=5919951452&channel_url=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D0%23cb%3Df1eb9e020c0c55e%26origin%3Dhttp%253A%252F%252"...
calleePrincipals is "http://www.facebook.com/extern/login_status.php?api_key=5919951452&app_id=5919951452&channel_url=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D0%23cb%3Df2954ed90346292%26origin"...

Assignee
Comment 16•13 years ago

http://hg.mozilla.org/tracemonkey/rev/394d48fa9cb7

We should open a second bug for the other compartment mismatch.
Whiteboard: fixed-in-tracemonkey
Comment 17•13 years ago
cdleary-bot mozilla-central merge info: http://hg.mozilla.org/mozilla-central/rev/394d48fa9cb7
Updated•13 years ago
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Comment 18•13 years ago
It looks like the follow-up was just filed with bug 656171.