"ASSERTION: This is not supposed to fail!: 'Error'" with nearNativeStackLimit

Status: RESOLVED FIXED
Product: Core
Component: DOM
Reported: 6 years ago
Modified: 2 years ago

People
Reporter: Jesse Ruderman
Assignee: Unassigned

Tracking
Version: Trunk
Hardware: x86_64 Mac OS X
Keywords: assertion, sec-moderate, testcase
Points: ---

Firefox Tracking Flags

(firefox-esr31 wontfix, b2g-v2.2 unaffected)

Attachments (3 attachments)

Description (Reporter, 6 years ago)

Created attachment 605192: testcase

###!!! ASSERTION: Uh, mDocument doesn't match the current inner window document!: '!GetCurrentInnerWindow() || GetCurrentInnerWindow()->GetExtantDocument() == mDocument', file dom/base/nsGlobalWindow.cpp, line 1888

And during shutdown:

###!!! ASSERTION: scope has non-empty map: '0 == mMainThreadWrappedNativeProtoMap->Count()', file js/xpconnect/src/XPCWrappedNativeScope.cpp, line 287

Also, there's a leak of XPCNativeScriptableInfo, XPCWrappedNativeProto, and nsDOMClassInfo.

Comment 1 (Reporter, 6 years ago)

Created attachment 605193: stack trace

Comment 2 (Reporter, 6 years ago)

I tested with a 64-bit Mac debug build from Tinderbox.

https://ftp.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-central-macosx64-debug/1331584352/

To reproduce on another build, you might need to tweak the numeric argument to nearNativeStackLimit, fix bug 735081, or fix bug 735082.

Is the first assertion the same thing as bug 717488? Or an unrelated way of triggering that warning? The shutdown assert doesn't seem like a security issue, more of a leak.

Comment 4 (Reporter, 6 years ago)

Created attachment 616568: testcase 2

The first test case (and the second, with the nearNativeStackLimit changed to 4) now produce this:

###!!! ASSERTION: This is not supposed to fail!: 'Error', file /Users/amccreight/mz/cent3/js/xpconnect/src/nsXPConnect.cpp, line 996
WARNING: NS_ENSURE_SUCCESS(rv, rv) failed with result 0x80004005: file /Users/amccreight/mz/cent3/dom/base/nsGlobalWindow.cpp, line 1686
###!!! ASSERTION: Failed to get script global and holder: 'NS_SUCCEEDED(rv) && newInnerWindow->mJSObject && mInnerWindowHolder', file /Users/amccreight/mz/cent3/dom/base/nsGlobalWindow.cpp, line 1884
WARNING: NS_ENSURE_SUCCESS(rv, rv) failed with result 0x80004005: file /Users/amccreight/mz/cent3/dom/base/nsGlobalWindow.cpp, line 1890
]]]]
++DOMWINDOW == 20 (0x11bc39c80) [serial = 20] [outer = 0x126c45000]
WARNING: window not set for document!: file /Users/amccreight/mz/cent3/layout/base/nsDocumentViewer.cpp, line 1258
Segmentation fault

It looks like what happens is that CreateNativeGlobalForInner fails due to hitting JS_CHECK_RECURSION in JSCompartment::wrap, then somehow we end up in SetNewDocument in the reUseInnerWindow case with currentInner equal to NULL, which this code does not really handle (there is a null check in one place oddly enough) and we get a null deref.

That seems much less scary than the original assertion, and seems more like a DOM bug.  I suppose by tweaking things more it is possible to recreate the original assertion, but I tried a handful of values and wasn't able to.
Summary: "ASSERTION: scope has non-empty map" with nearNativeStackLimit → "ASSERTION: This is not supposed to fail!: 'Error'" with nearNativeStackLimit
Component: XPConnect → DOM
Keywords: sec-moderate
Depends on: 732665
Jesse, the dependent bug has now been fixed. Can you still reproduce this?
Flags: needinfo?(jruderman)

Comment 7 (4 years ago)

(I couldn't get any relevant assertions when I was testing this earlier today.)
Ok, I'm going to call this fixed then.
Status: NEW → RESOLVED
Last Resolved: 4 years ago
Flags: needinfo?(jruderman)
Resolution: --- → FIXED
status-firefox-esr31: --- → wontfix
status-b2g-v2.2: --- → unaffected

Updated (3 years ago)
Group: core-security → core-security-release
Group: core-security-release