Closed
Bug 732870
Opened 13 years ago
Closed 13 years ago
"ASSERTION: Weird scope returned" with document.write twice, dataset, adoptNode
Categories
(Core :: XPConnect, defect)
Tracking
()
People
(Reporter: jruderman, Assigned: bholley)
Details
(Keywords: assertion, sec-high, testcase, Whiteboard: [fuzzblocker:compartment-mismatch][advisory-tracking+])
Attachments
(5 files, 1 obsolete file)
|
400 bytes,
text/html
|
Details | |
|
2.64 KB,
text/plain
|
Details | |
|
357 bytes,
text/html
|
Details | |
|
27.45 KB,
text/plain
|
Details | |
|
2.54 KB,
patch
|
peterv
:
review+
akeybl
:
approval-mozilla-aurora+
|
Details | Diff | Splinter Review |
###!!! ASSERTION: Weird scope returned: 'betterScope == newScope', file js/xpconnect/src/nsXPConnect.cpp, line 1771
(Previous episodes: bug 716383, bug 731471.)
|
Reporter | |
Comment 1•13 years ago
|
||
|
||
Comment 2•13 years ago
|
||
Still affects 16.
|
|
Reporter | |
Comment 3•13 years ago
|
||
Now it also triggers:
Assertion failure: compartment mismatched, at js/src/jscntxtinlines.h:237
|
|
Reporter | |
Comment 4•13 years ago
|
||
|
|
Reporter | |
Comment 5•13 years ago
|
||
|
Assignee | |
Comment 6•13 years ago
|
||
I'll try to take a look at this.
Assignee: nobody → bobbyholley+bmo
|
|
Reporter | |
Updated•13 years ago
|
Whiteboard: [fuzzblocker:compartment-mismatch]
|
|
Assignee | |
Comment 7•13 years ago
|
||
So the issue here is that nsDOMStringMapSH::PreCreate uses its ownerDocument to find the parent, but requests to be parented directly to the window. This breaks our orphan detection over in bug 751995, because the wrapper isn't orphaned: It's still in the scope of the window, which is its parent. But since PreCreate finds the window via the document (which has moved), calling PreCreate again will give a different answer.
I don't see any obvious reason why nsDOMStringMap wrappers can't just be parented to the document, like Node. I've got a patch to do this that I'll upload and pushed to try.
|
|
Assignee | |
Comment 8•13 years ago
|
||
|
|
Assignee | |
Comment 9•13 years ago
|
||
Pushed to try: https://tbpl.mozilla.org/?tree=Try&rev=dd59a366d436
|
|
Assignee | |
Updated•13 years ago
|
Attachment #634325 -
Flags: review?(peterv)
|
||
Updated•13 years ago
|
Attachment #634325 -
Flags: review?(peterv) → review+
|
|
Assignee | |
Comment 10•13 years ago
|
||
Arg, this wasn't quite right. The crashtest is non-deterministic (since it depends the order in which wrappers are reparented), so I didn't realize that this wasn't fixed in all cases.
The issue here was that nsDOMStringMap::PreCreate actually finds its document via its associated element. And in this case, the element gets adopted into another document. Our orphan fixup code is supposed to detect when the parent moves, but in this case the parent (the document) didn't move.
So I think we should actually use the element as the parent. Attaching a patch that does that.
Attachment #634325 -
Attachment is obsolete: true
Attachment #634343 -
Flags: review?(peterv)
|
|
Assignee | |
Comment 11•13 years ago
|
||
Repushed to try: https://tbpl.mozilla.org/?tree=Try&rev=69c4caecc2de
|
|
Reporter | |
Comment 12•13 years ago
|
||
Can the non-deterministic crashtest be turned into two deterministic crashtests?
|
|
Assignee | |
Comment 13•13 years ago
|
||
(In reply to Jesse Ruderman from comment #12)
> Can the non-deterministic crashtest be turned into two deterministic
> crashtests?
I played around with it a bit just now, but I don't think there's a good way.
More to the point, it's only non-deterministic if we parent it to the document (my v1 patch, which we're not doing). It's deterministic against trunk.
|
|
||
Updated•13 years ago
|
Attachment #634343 -
Flags: review?(peterv) → review+
|
|
Assignee | |
Comment 14•13 years ago
|
||
|
||
Comment 15•13 years ago
|
||
Status: NEW → RESOLVED
Closed: 13 years ago
status-firefox16:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla16
|
||
Comment 16•13 years ago
|
||
The code being patched looks like it is in ESR, but it also might be fallout from cpg which wouldn't affect ESR.
Does it?
status-firefox-esr10:
--- → ?
tracking-firefox-esr10:
--- → ?
tracking-firefox16:
--- → +
Keywords: sec-high
|
|
Assignee | |
Comment 17•13 years ago
|
||
This is basically just patching an edge case in the fix from bug 751995. Same issue.
|
|
||
Updated•13 years ago
|
status-firefox14:
--- → affected
status-firefox15:
--- → affected
tracking-firefox14:
--- → +
tracking-firefox15:
--- → +
|
|
||
Comment 18•12 years ago
|
||
Bug 751995 is fixing a CPG regression, so it'd be nice to fix this in the release we landed CPG. Please request Aurora approval to land this for Firefox 15.
|
|
Assignee | |
Comment 19•12 years ago
|
||
Comment on attachment 634343 [details] [diff] [review]
Have nsDOMStringMapSH::PreCreate use the element as its parent, rather than the window. v2
Per comment 18.
Attachment #634343 -
Flags: approval-mozilla-aurora?
|
|
Assignee | |
Comment 20•12 years ago
|
||
Bug caused by (feature/regressing bug #): CPG
User impact if declined: Potential security exploits.
Testing completed (on m-c, etc.): Baked on m-c for quite some time.
Risk to taking this patch (and alternatives if risky): not risky.
String or UUID changes made by this patch: None
|
|
||
Updated•12 years ago
|
|
||
Comment 21•12 years ago
|
||
Comment on attachment 634343 [details] [diff] [review]
Have nsDOMStringMapSH::PreCreate use the element as its parent, rather than the window. v2
[Triage Comment]
Low risk fix for a new sg:high regression in FF15. Approved for Aurora 15.
Attachment #634343 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
|
|
Assignee | |
Comment 22•12 years ago
|
||
|
||
Updated•12 years ago
|
Whiteboard: [fuzzblocker:compartment-mismatch] → [fuzzblocker:compartment-mismatch][advisory-tracking+]
|
|
||
Updated•12 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•