Closed Bug 670319 Opened 13 years ago Closed 13 years ago

"ASSERTION: function object has parent of unknown class"

Categories

(Core :: XPConnect, defect)

x86_64
macOS
defect
Not set
critical

Tracking

RESOLVED FIXED
mozilla9
Tracking Status
firefox5 - wontfix
firefox6 - wontfix
firefox7 + fixed
firefox8 + fixed
firefox9 + fixed
status1.9.2 --- unaffected

People

(Reporter: jruderman, Assigned: mrbkap)

Details

(Keywords: assertion, testcase, Whiteboard: [sg:critical?][qa-])

Attachments

(3 files)

###!!! ASSERTION: function object has parent of unknown class!: 'Error', file js/src/xpconnect/src/xpcwrappednative.cpp, line 1759

###!!! ABORT: should have a slim wrapper: '!mFlattenedJSObject || IS_SLIM_WRAPPER(mFlattenedJSObject)', file js/src/xpconnect/src/xpccallcontext.cpp, line 199

Doesn't crash in opt. But the messages are scary, so security-sensitive for now.
Attached file stack trace
In particular, funobj->getParent() is a vanilla Object in this case.

|obj| is a Proxy.

We're coming through XPC_WN_CallMethod here, not quickstubs.
Blake, any idea whether this is exploitable?
Assignee: nobody → mrbkap
Whiteboard: [need answer from mrbkap]
Whiteboard: [need answer from mrbkap] → [sg:critical?][need answer from mrbkap]
jst says mrbkap agreed with the sg:critical? rating.
Whiteboard: [sg:critical?][need answer from mrbkap] → [sg:critical?]
Blake, this bug has been sitting for a while, what's the next step here?
Attached patch Proposed fix
The parent of the function object has to be either the security wrapper or the object itself. It can't be higher up on the prototype chain.
Attachment #556740 - Flags: review?(jst)
Attachment #556740 - Flags: review?(jst) → review+
mrbkap, can you get this landed, we'd like to consider this for branches too, and we're running really low on time for 7.
Sorry, this actually landed the other day:

http://hg.mozilla.org/mozilla-central/rev/ec2131a5351d
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla9
Comment on attachment 556740 [details] [diff] [review]
Proposed fix

Assuming this just needs branch approvals? Or is there a compatibility reason you didn't request it?
Attachment #556740 - Flags: approval-mozilla-beta?
Attachment #556740 - Flags: approval-mozilla-aurora?
Comment on attachment 556740 [details] [diff] [review]
Proposed fix

We discussed this in triage and agreed to approve it for both, but we're worried, purely because of the code it touches. Can we get some deep thinking about how to QA possible failure scenarios, and what (if anything) Cheng might watch for in feedback?
Attachment #556740 - Flags: approval-mozilla-beta?
Attachment #556740 - Flags: approval-mozilla-beta+
Attachment #556740 - Flags: approval-mozilla-aurora?
Attachment #556740 - Flags: approval-mozilla-aurora+
Poke?
qa- as no QA fix verification needed
Whiteboard: [sg:critical?] → [sg:critical?][qa-]
Group: core-security