Closed Bug 686016 Opened 13 years ago Closed 12 years ago

"compartment mismatch" assertion when running test_resizer.xul standalone

(Core :: DOM: Core & HTML, defect)

Platform: x86, macOS. Priority: Not set. Severity: normal.

RESOLVED DUPLICATE of bug 659338

(Reporter: ehsan.akhgari, Assigned: bholley)

(Whiteboard: [sg:moderate])

python obj-ff-dbg/_tests/testing/mochitest/runtests.py --debugger=gdb --test-path=layout/xul/base/test/test_resizer.xul

(gdb) bt full
#0  0x0000000102d5ee86 in CrashInJS () at ../../../js/src/jsutil.cpp:92
No locals.
#1  0x0000000102d5eee8 in JS_Assert (s=0x10315374c "compartment mismatched", file=0x10312e988 "../../../js/src/jscntxtinlines.h", ln=139) at ../../../js/src/jsutil.cpp:103
No locals.
#2  0x0000000102c752f5 in js::CompartmentChecker::fail (c1=0x118a0d800, c2=0x100fb2200) at jscntxtinlines.h:139
No locals.
#3  0x0000000102c7535d in js::CompartmentChecker::check (this=0x7fff5fbfbe70, c=0x100fb2200) at jscntxtinlines.h:155
No locals.
#4  0x0000000102c7538c in js::CompartmentChecker::check (this=0x7fff5fbfbe70, obj=0x11b24c478) at jscntxtinlines.h:163
No locals.
#5  0x0000000102b9f96d in js::assertSameCompartment<JSObject*, JSObject*> (cx=0x125f6d290, t1=0x125869830, t2=0x11b24c478) at jscntxtinlines.h:250
	c = {
  context = 0x125f6d290, 
  compartment = 0x118a0d800
}
#6  0x0000000102b82314 in JS_ExecuteScript (cx=0x125f6d290, obj=0x125869830, scriptObj=0x11b24c478, rval=0x7fff5fbfbfc0) at ../../../js/src/jsapi.cpp:4899
	_autoCheckRequestDepth = {
  cx = 0x125f6d290
}
	lfc = {
  cx = 0x7fff5fbfbf80, 
  _mCheckNotUsedAsTemporary = {
    mStatementDone = 144
  }
}
#7  0x0000000101a2ca6d in nsJSContext::ExecuteScript (this=0x125f6d220, aScriptObject=0x11b24c478, aScopeObject=0x125869830, aRetValue=0x0, aIsUndefined=0x0) at ../../../dom/base/nsJSEnvironment.cpp:1624
	rv = 0
	stack = {
  mRawPtr = 0x118656d98
}
	val = {
  asBits = 4931899936, 
  debugView = {
    payload47 = 4931899936, 
    tag = 0
  }, 
  s = {
    payload = {
      i32 = 636932640, 
      u32 = 636932640, 
      why = 636932640
    }
  }, 
  asDouble = 2.4366823271042425e-314, 
  asPtr = 0x125f6d220, 
  asWord = 4931899936
}
	ok = 23735436
	scriptObj = (JSObject *) 0x11b24c478
	principal = {
  mRawPtr = 0x1257d1f60
}
	holder = {
  mContext = 0x125f6d220, 
  mTerminations = 0x0
}
	ar = {
  mContext = 0x125f6d290, 
  mSaveDepth = 0, 
  _mCheckNotUsedAsTemporary = {
    mStatementDone = true
  }
}
#8  0x00000001019f29f3 in nsXULDocument::ExecuteScript (this=0x10746e400, aContext=0x125f6d220, aScriptObject=0x11b24c478) at ../../../../../content/xul/document/src/nsXULDocument.cpp:3636
	rv = 1
	global = (void *) 0x125869830
#9  0x00000001019f640e in nsXULDocument::ExecuteScript (this=0x10746e400, aScript=0x1257d6260) at ../../../../../content/xul/document/src/nsXULDocument.cpp:3659
	stid = 2
	rv = 0
	context = {
  mRawPtr = 0x125f6d220
}
#10 0x0000000101a02021 in nsXULDocument::OnStreamComplete (this=0x10746e400, aLoader=0x1257db190, context=0x0, aStatus=0, stringLen=28420, string=0x107511600 "/**\n * EventUtils provides some utility methods for creating and sending DOM events.\n * Current methods:\n *  sendMouseEvent\n *  sendChar\n *  sendString\n *  sendKey\n */\n\n/**\n * Send a mouse event to th"...) at ../../../../../content/xul/document/src/nsXULDocument.cpp:3527
	useXULCache = 18237701
	uri = {
  mRawPtr = 0x1257d62a0
}
	stringStr = {
  <nsAString_internal> = {
    mData = 0x107525008, 
    mLength = 28420, 
    mFlags = 5
  }, <No data fields>}
	request = {
  mRawPtr = 0x10750d858
}
	channel = {
  mRawPtr = 0x10750d858
}
	rv = 0
	scriptProto = (nsXULPrototypeScript *) 0x1257d6260
	docp = (nsXULDocument **) 0x100118820
	doc = (
#11 0x00000001010a546a in nsStreamLoader::OnStopRequest (this=0x1257db190, request=0x10750d858, ctxt=0x0, aStatus=0) at ../../../../netwerk/base/src/nsStreamLoader.cpp:125
	rv = 1
#12 0x000000010116ecb0 in nsHttpChannel::OnStopRequest (this=0x10750d800, request=0x1257b01c0, ctxt=0x0, status=0) at ../../../../netwerk/protocol/http/nsHttpChannel.cpp:4212
	contentComplete = 1
#13 0x0000000101068dc6 in nsInputStreamPump::OnStateStop (this=0x1257b01c0) at ../../../../netwerk/base/src/nsInputStreamPump.cpp:578
No locals.
#14 0x0000000101068ee4 in nsInputStreamPump::OnInputStreamReady (this=0x1257b01c0, stream=0x1257bbec8) at ../../../../netwerk/base/src/nsInputStreamPump.cpp:403
	nextState = 3
#15 0x000000010273c525 in nsInputStreamReadyEvent::Run (this=0x1257bc7d0) at ../../../xpcom/io/nsStreamUtils.cpp:114
No locals.
#16 0x00000001027610e2 in nsThread::ProcessNextEvent (this=0x118603190, mayWait=0, result=0x7fff5fbfc524) at ../../../xpcom/threads/nsThread.cpp:631
	event = {
  mRawPtr = 0x1257bc7d0
}
	notifyGlobalObserver = 1
	obs = {
  mRawPtr = 0x11862bf78
}
	rv = 0
#17 0x00000001026ee00b in NS_ProcessPendingEvents_P (thread=0x118603190, timeout=20) at nsThreadUtils.cpp:195
	processedEvent = 1
	rv = 0
	start = 1343878728
#18 0x00000001024c6732 in nsBaseAppShell::NativeEventCallback (this=0x11862bf70) at ../../../../widget/src/xpwidgets/nsBaseAppShell.cpp:130
	hasPending = 1
	thread = (nsThread *) 0x118603190
	prevBlockNativeEvent = 0
	prevVal = nsBaseAppShell::eEventloopNone
#19 0x00000001024733ec in nsAppShell::ProcessGeckoEvents (aInfo=0x11862bf70) at ../../../../widget/src/cocoa/nsAppShell.mm:424
	self = (nsAppShell *) 0x11862bf70
#20 0x00007fff8227f401 in __CFRunLoopDoSources0 ()
No symbol table info available.
#21 0x00007fff8227d5f9 in __CFRunLoopRun ()
No symbol table info available.
#22 0x00007fff8227cdbf in CFRunLoopRunSpecific ()
No symbol table info available.
#23 0x00007fff857ca74e in RunCurrentEventLoopInMode ()
No symbol table info available.
#24 0x00007fff857ca553 in ReceiveNextEventCommon ()
No symbol table info available.
#25 0x00007fff857ca40c in BlockUntilNextEventMatchingListInMode ()
No symbol table info available.
#26 0x00007fff83c9ceb2 in _DPSNextEvent ()
No symbol table info available.
#27 0x00007fff83c9c801 in -[NSApplication nextEventMatchingMask:untilDate:inMode:dequeue:] ()
No symbol table info available.
#28 0x00007fff83c6268f in -[NSApplication run] ()
No symbol table info available.
#29 0x0000000102472d0a in nsAppShell::Run (this=0x11862bf70) at ../../../../widget/src/cocoa/nsAppShell.mm:771
No locals.
#30 0x00000001021bfda0 in nsAppStartup::Run (this=0x11862be30) at ../../../../toolkit/components/startup/nsAppStartup.cpp:224
	rv = 32767
#31 0x000000010100e50e in XRE_main (argc=6, argv=0x7fff5fbfeb38, aAppData=0x1001189b0) at ../../../toolkit/xre/nsAppRunner.cpp:3557
	appStartup = {
  mRawPtr = 0x11862be30
}
	shuttingDown = 0
	workingDir = {
  mRawPtr = 0x10014f600
}
	event_tracing_running = false
	cmdLine = {
  mRawPtr = 0x106e131f0
}
	xpcom = {
  mServiceManager = 0x118605568, 
  static gNativeAppSupport = 0x1001094b0
}
	prefs = {
  mRawPtr = 0x11861db20
}
	flagFile = {
  mRawPtr = 0x10010a030
}
	appInitiatedRestart = 0
	nativeApp = {
  mRawPtr = 0x1001094b0
}
	startOffline = 0
	profLD = {
  mRawPtr = 0x100109150
}
	fFlagFile = {
  mRawPtr = 0x10010a030
}
	cachesOK = 0
	updRoot = {
  mRawPtr = 0x100118bb0
}
	profD = {
  mRawPtr = 0x100109150
}
	canRun = 1
	persistent = 1
	profileLock = {
  mRawPtr = 0x100109560
}
	profileName = {
  <nsFixedCString> = {
    <nsCString> = {
      <nsACString_internal> = {
        mData = 0x7fff5fbfe060 "", 
        mLength = 0, 
        mFlags = 65553
      }, <No data fields>}, 
    members of nsFixedCString: 
    mFixedCapacity = 63, 
    mFixedBuf = 0x7fff5fbfe060 ""
  }, 
  members of nsCAutoString: 
  mStorage = "\000?_?\000\000??\021\000\001\000\000\000z\016??????p\000\000\000\000\000\000\000??_?\000\000??t\002\001\000\000\000??\021\000\001\000\000\000\000\000\000\000\000\000\000"
}
	version = {
  <nsFixedCString> = {
    <nsCString> = {
      <nsACString_internal> = {
        mData = 0x7fff5fbfe000 "9.0a1_20110909170150/20110909170150", 
        mLength = 35, 
        mFlags = 65553
      }, <No data fields>}, 
    members of nsFixedCString: 
    mFixedCapacity = 63, 
    mFixedBuf = 0x7fff5fbfe000 "9.0a1_20110909170150/20110909170150"
  }, 
  members of nsCAutoString: 
  mStorage = "9.0a1_20110909170150/20110909170150\000\001\000\000\000??\021\000\001\000\000\000??_?\000\000??\001\001\001\000\000"
}
	osABI = {
  <nsCString> = {
    <nsACString_internal> = {
      mData = 0x102f66811 "Darwin_x86_64-gcc3", 
      mLength = 18, 
      mFlags = 1
    }, <No data fields>}, <No data fields>}
	versionOK = 0
	rv = 0
	ar = ARG_NONE
	home = 0x7fff5fbff43b "/Users/ehsanakhgari"
	override = 0x0
	appData = {
  <nsXREAppData> = {
    size = 112, 
    directory = 0x100118bb0, 
    vendor = 0x100118e70 "Mozilla", 
    name = 0x1001187b0 "Firefox", 
    version = 0x1001187c0 "9.0a1", 
    buildID = 0x100118e90 "20110909170150", 
    ID = 0x100118ea0 "{ec8030f7-c20a-464f-9b0e-13a3a9e97384}", 
    copyright = 0x0, 
    flags = 14, 
    xreDirectory = 0x100119020, 
    minVersion = 0x100118ed0 "9.0a1", 
    maxVersion = 0x100118f20 "9.0a1", 
    crashReporterURL = 0x100118c70 "https://crash-reports.mozilla.com/submit?id=ec8030f7-c20a-464f-9b0e-13a3a9e97384&version=9.0a1&buildid=20110909170150", 
    profile = 0x0
  }, <No data fields>}
	log = {<No data fields>}
	dirProvider = (nsXREDirProvider) {
  <nsIDirectoryServiceProvider2> = {
    <nsIDirectoryServiceProvider> = {
      <nsISupports> = {
        _vptr$nsISupports = 0x103bf6070
      }, <No data fields>}, <No data fields>}, 
  <nsIProfileStartup> = {
    <nsISupports> = {
      _vptr$nsISupports = 0x103bf60b8
    }, <No data fields>}, 
  members of nsXREDirProvider: 
  mAppProvider = {
    mRawPtr = 0x0
  }, 
  mGREDir = {
    mRawPtr = 0x100119020
  }, 
  mXULAppDir = {
    mRawPtr = 0x100118bb0
  }, 
  mProfileDir = {
    mRawPtr = 0x100109150
  }, 
  mProfileLocalDir = {
    mRawPtr = 0x100109150
  }, 
  mProfileNotified = 1 '\001', 
  mAppBundleDirectories = {
    <nsCOMArray_base> = {
      mArray = {
        mImpl = 0x0
      }
    }, <No data fields>}, 
  mExtensionDirectories = {
    <nsCOMArray_base> = {
      mArray = {
        mImpl = 0x100134100
      }
    }, <No data fields>}, 
  mThemeDirectories = {
    <nsCOMArray_base> = {
      mArray = {
        mImpl = 0x100134390
      }
    }, <No data fields>}
}
	i = 5
#32 0x0000000100001b66 in do_main (exePath=0x7fff5fbfe700 "/Users/ehsanakhgari/moz/tmp/obj-ff-dbg/dist/NightlyDebug.app/Contents/MacOS/libxpcom.dylib", argc=6, argv=0x7fff5fbfeb38) at ../../../browser/app/nsBrowserApp.cpp:198
	appini = {
  mRawPtr = 0x100118690
}
	rv = 0
	appDataFile = 0x0
	appData = (nsXREAppData *) 0x1001189b0
	result = 1148224
#33 0x0000000100001dcd in main (argc=6, argv=0x7fff5fbfeb38) at ../../../browser/app/nsBrowserApp.cpp:281
	log = {<No data fields>}
	exePath = "/Users/ehsanakhgari/moz/tmp/obj-ff-dbg/dist/NightlyDebug.app/Contents/MacOS/libxpcom.dylib", '\0' <repeats 414 times>, "???_?\000\000\020?_?\000\000\006\003???\000\000@?_?\000\000?&?_?", '\0' <repeats 18 times>, "???_?\000\000P?_?\000\000\000?_?\000\000?\005?_?\000\000??jN\000\000\000\000?\000\a\000?\000\000?\"\000\000"...
	rv = 0
	lastSlash = 0x7fff5fbfe74c "libxpcom.dylib"
	gotCounters = 1
	initialRUsage = {
  ru_utime = {
    tv_sec = 0, 
    tv_usec = 7484
  }, 
  ru_stime = {
    tv_sec = 0, 
    tv_usec = 7242
  }, 
  ru_maxrss = 6041600, 
  ru_ixrss = 0, 
  ru_idrss = 0, 
  ru_isrss = 0, 
  ru_minflt = 2339, 
  ru_majflt = 0, 
  ru_nswap = 0, 
  ru_inblock = 0, 
  ru_oublock = 0, 
  ru_msgsnd = 0, 
  ru_msgrcv = 0, 
  ru_nsignals = 0, 
  ru_nvcsw = 1, 
  ru_nivcsw = 11
}
	result = 0
The script in question is http://mochi.test:8888/tests/SimpleTest/EventUtils.js, FWIW.
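To make a dump like the one above quicker to read in triage, here is an added example script; it is not part of this bug report and not a Mozilla tool. It parses a `bt full` dump, reads the two compartment pointers out of `js::CompartmentChecker::fail`, decides which one is the JSContext's own compartment using the `compartment` local recorded in the `js::assertSameCompartment` frame, maps the pointer the checker rejected back to the argument name of the `JS_*` entry point, and names the first non-engine frame, i.e. the Gecko caller that handed the engine an object from another compartment. The rule that engine frames are those named `js::*`, `JS_*` or `CrashInJS` is an assumption of this script; the embedded sample is an excerpt of frames #0 to #8 from the trace above with most locals trimmed.

```python
"""Triage helper for a GDB ``bt full`` dump of a SpiderMonkey "compartment
mismatched" assertion.  Added example; not part of the bug report and not
Mozilla tooling.  Identifies the context's compartment, the foreign one, the
rejected argument of the JS_* call, and the Gecko caller that passed it."""
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

FRAME_RE = re.compile(
    r"^#(?P<idx>\d+)\s+0x[0-9a-fA-F]+ in (?P<func>.+?) \((?P<args>.*)\)"
    r"(?: at (?P<file>\S+):(?P<line>\d+))?\s*$"
)
# name=value pairs inside a frame's argument list; values may be quoted strings
ARG_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|[^,]+)')
# one "name = value" line of a frame's locals (nested struct members included)
LOCAL_RE = re.compile(r"^\s+(?P<name>\w+) = (?P<value>[^,\s]+)")


@dataclass
class Frame:
    idx: int
    func: str
    args: Dict[str, str]
    file: Optional[str]
    line: Optional[int]
    locals: Dict[str, str] = field(default_factory=dict)


def parse_backtrace(text: str) -> List[Frame]:
    """Turn ``bt full`` output into Frame objects; locals attach to the frame above them."""
    frames: List[Frame] = []
    for raw in text.splitlines():
        m = FRAME_RE.match(raw)
        if m:
            args = {k: v.strip() for k, v in ARG_RE.findall(m.group("args"))}
            line = int(m.group("line")) if m.group("line") else None
            frames.append(Frame(int(m.group("idx")), m.group("func"), args, m.group("file"), line))
        elif frames:
            lm = LOCAL_RE.match(raw)
            if lm:  # first value seen for a name wins (outermost struct member)
                frames[-1].locals.setdefault(lm.group("name"), lm.group("value"))
    return frames


def is_engine_frame(func: str) -> bool:
    # Assumption: SpiderMonkey frames carry the js:: namespace, the JS_* API
    # prefix, or are the CrashInJS assertion helper.
    return func.startswith("js::") or func.startswith("JS_") or func == "CrashInJS"


def diagnose(text: str) -> Dict[str, Optional[str]]:
    frames = parse_backtrace(text)

    def first(pred: Callable[[Frame], bool]) -> Optional[Frame]:
        return next((f for f in frames if pred(f)), None)

    fail = first(lambda f: f.func.endswith("CompartmentChecker::fail"))
    checker = first(lambda f: f.func.startswith("js::assertSameCompartment"))
    entry = first(lambda f: f.func.startswith("JS_") and f.func != "JS_Assert")
    if not (fail and checker and entry):
        return {"kind": "not a compartment mismatch"}

    c1, c2 = fail.args["c1"], fail.args["c2"]
    cx_compartment = checker.locals.get("compartment")  # the JSContext's compartment
    foreign = c2 if c1 == cx_compartment else c1

    # The innermost CompartmentChecker::check frame with an 'obj' argument holds the
    # object that failed the check; match its pointer against the API call's arguments.
    rejected = first(lambda f: f.func.endswith("CompartmentChecker::check") and "obj" in f.args)
    rejected_ptr = rejected.args["obj"] if rejected else None
    rejected_arg = next((k for k, v in entry.args.items() if v == rejected_ptr), None)

    caller = first(lambda f: not is_engine_frame(f.func))
    caller_desc = None
    if caller:
        caller_desc = f"{caller.func} ({caller.file}:{caller.line})" if caller.file else caller.func

    return {
        "kind": "compartment mismatch",
        "context_compartment": cx_compartment,
        "foreign_compartment": foreign,
        "entry_point": entry.func,
        "rejected_argument": rejected_arg,
        "rejected_pointer": rejected_ptr,
        "gecko_caller": caller_desc,
    }


# Excerpt of frames #0-#8 from the trace in this report, with most locals trimmed.
SAMPLE_TRACE = """\
#0  0x0000000102d5ee86 in CrashInJS () at ../../../js/src/jsutil.cpp:92
No locals.
#1  0x0000000102d5eee8 in JS_Assert (s=0x10315374c "compartment mismatched", file=0x10312e988 "../../../js/src/jscntxtinlines.h", ln=139) at ../../../js/src/jsutil.cpp:103
No locals.
#2  0x0000000102c752f5 in js::CompartmentChecker::fail (c1=0x118a0d800, c2=0x100fb2200) at jscntxtinlines.h:139
No locals.
#3  0x0000000102c7535d in js::CompartmentChecker::check (this=0x7fff5fbfbe70, c=0x100fb2200) at jscntxtinlines.h:155
No locals.
#4  0x0000000102c7538c in js::CompartmentChecker::check (this=0x7fff5fbfbe70, obj=0x11b24c478) at jscntxtinlines.h:163
No locals.
#5  0x0000000102b9f96d in js::assertSameCompartment<JSObject*, JSObject*> (cx=0x125f6d290, t1=0x125869830, t2=0x11b24c478) at jscntxtinlines.h:250
        c = {
  context = 0x125f6d290, 
  compartment = 0x118a0d800
}
#6  0x0000000102b82314 in JS_ExecuteScript (cx=0x125f6d290, obj=0x125869830, scriptObj=0x11b24c478, rval=0x7fff5fbfbfc0) at ../../../js/src/jsapi.cpp:4899
        _autoCheckRequestDepth = {
  cx = 0x125f6d290
}
#7  0x0000000101a2ca6d in nsJSContext::ExecuteScript (this=0x125f6d220, aScriptObject=0x11b24c478, aScopeObject=0x125869830, aRetValue=0x0, aIsUndefined=0x0) at ../../../dom/base/nsJSEnvironment.cpp:1624
        rv = 0
#8  0x00000001019f29f3 in nsXULDocument::ExecuteScript (this=0x10746e400, aContext=0x125f6d220, aScriptObject=0x11b24c478) at ../../../../../content/xul/document/src/nsXULDocument.cpp:3636
        rv = 1
"""

if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_TRACE).items():
        print(f"{key:22s} {value}")
```

Run against the excerpt, the script reports that the JSContext lives in compartment 0x118a0d800 while the rejected argument is `scriptObj` (0x11b24c478) from compartment 0x100fb2200, passed in by nsJSContext::ExecuteScript; that is exactly the "compiled in one compartment, executed in another" shape, and the same script can be pointed at crash-stats dumps with the same assertion to see whether they share this caller.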
So, this test is effectively being skipped in our test suite (bug 686022), and I don't know when this bug was introduced.  But with my patch in that bug, the test will crash even if we're not executing it standalone.
(In reply to Bill McCloskey (:billm) from comment #2)
> How reproducible is this?

100% of the time.  Also, see comment 3 as to why we have not caught this earlier.
Sorry this took so long to get to. I forgot about it at the all-hands.

It looks like this is a content issue. There's a script being compiled in a content compartment and then run in a chrome compartment. The mismatch seems to happen in nsXULDocument::OnStreamComplete, where the script is compiled using the global object mCurrentPrototype->GetScriptGlobalObject() and then run with the global object mScriptGlobalObject.

While talking this over with Luke, he mentioned that we're not supposed to be using XUL from content at all anymore. Maybe this test is just out of date? It makes an enablePrivilege call, which may be bypassing whatever check stops us from executing XUL in content.

I'm really out of my depth here. Blake or Peter, could you look this over?

Note that we have data from crash-stats showing compartment mismatches involving scripts. I'm doubtful that this could be causing that, but perhaps?
Remote XUL has been disabled by default, but it is possible to turn it on by a pref.  We have tons of tests which rely on remote XUL right now.
We still need to keep remote XUL somewhat working. Assuming this assertion only happens for remote XUL, it does mean that your average evil website won't be able to use this compartment mismatch to crash the browser in exploitable ways.

However we still need to worry about legitimate websites which do use XUL and which do have users opting into that XUL use. A crash under those circumstances is just as crappy for the user as any other crash for example.

Additionally we have lots of tests which happen to use remote XUL in order to test aspects of XUL. Those tests many times test features that we rely on in chrome. It just so happened that the test was written using remote XUL.
A potentially sg:critical bug, with the risk mitigated by the fact that this is limited to sites the user has allowed to use XUL.
Assignee: general → nobody
Component: JavaScript Engine → DOM
QA Contact: general → general
Whiteboard: [sg:moderate]
We need to fix the test here. What's happening is that the test (using enablePrivilege("UniversalXPConnect")) is creating a chrome docshell with a content document. In HTML documents, that ends up with a ChromeWindow (in the chrome compartment and everything) whose GetPrincipal() returns a content principal. Because of XUL's additional level of abstraction with the prototype document, we end up actually trying to put objects in the content document (trusting GetPrincipal() to return the right principal) and end up with a compartment mismatch.

Fixing the chrome docshell + content principal problem is hard. The easiest way to fix this bug is to fix the test.
David, this is likely the bug that's causing bug 631289.
Who would be a good owner for this?
Bobby, care to take a look here? I wonder if we could simply prevent ever loading non-chrome in a chrome window, cause that's just not sane IMO. Has anyone spent any time investigating what it would take to pull that off? We can, and should, fix this test as well, but that doesn't necessarily fix any security aspects of this bug.
Assigning to Bobby for now.

Bobby - can you look into this soon or recommend another owner?
Assignee: nobody → bobbyholley+bmo
Blake indicates in comment 9 that it's a lot of work to prevent loading non-chrome in chrome windows. So unless there's a more compelling reason to do it, it's probably not a high priority.

More to the point though, I did some digging and it appears that Neil changed this to a chrome test in late September (bug 659338). This means the enablePrivilege call is gone, meaning the testcase should already be fixed. Indeed, the following runs just fine:

TEST_PATH=layout/xul/base/test/test_resizer.xul make mochitest-chrome

So I'm resolving this bug. Feel free to re-open if you disagree.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
Group: core-security
Component: DOM → DOM: Core & HTML