Closed Bug 736537 Opened 8 years ago Closed 7 years ago

###!!! ASSERTION: Uh, cx is not the current JS context!: 'cx == GetCurrentJSContext()' setting location.href in scratchpad

Categories

(Core :: XPConnect, defect)


Tracking


RESOLVED FIXED
Tracking Status
firefox17 --- fixed
firefox18 --- fixed
firefox19 --- fixed
firefox-esr10 17+ fixed

People

(Reporter: khuey, Unassigned)

Details

(Keywords: sec-moderate, Whiteboard: [sg:moderate][adv-track-main17+][adv-track-esr17+] possibly same issue as bug 747607)

Setting location.href in Scratchpad asserts with

###!!! ASSERTION: Uh, cx is not the current JS context!: 'cx == GetCurrentJSContext()', file c:/dev/mozilla-central/caps/src/nsScriptSecurityManager.cpp, line 396

Filing as security-sensitive just in case.

 	xul.dll!NS_DebugBreak_P(unsigned int aSeverity, const char * aStr, const char * aExpr, const char * aFile, int aLine)  Line 264	C++
 	xul.dll!nsScriptSecurityManager::GetCxSubjectPrincipalAndFrame(JSContext * cx, JSStackFrame * * fp)  Line 396 + 0x28 bytes	C++
 	xul.dll!nsLocation::CheckURL(nsIURI * aURI, nsIDocShellLoadInfo * * aLoadInfo)  Line 242 + 0x18 bytes	C++
 	xul.dll!nsLocation::SetURI(nsIURI * aURI, bool aReplace)  Line 354 + 0x1c bytes	C++
 	xul.dll!nsLocation::SetHrefWithBase(const nsAString_internal & aHref, nsIURI * aBase, bool aReplace)  Line 646 + 0x19 bytes	C++
 	xul.dll!nsLocation::SetHrefWithContext(JSContext * cx, const nsAString_internal & aHref, bool aReplace)  Line 593 + 0x10 bytes	C++
 	xul.dll!nsLocation::SetHref(const nsAString_internal & aHref)  Line 562 + 0x14 bytes	C++
 	xul.dll!NS_InvokeByIndex_P(nsISupports * that, unsigned int methodIndex, unsigned int paramCount, nsXPTCVariant * params)  Line 103	C++
 	xul.dll!CallMethodHelper::Invoke()  Line 3021 + 0x11 bytes	C++
 	xul.dll!CallMethodHelper::Call()  Line 2354	C++
 	xul.dll!XPCWrappedNative::CallMethod(XPCCallContext & ccx, XPCWrappedNative::CallMode mode)  Line 2318 + 0x13 bytes	C++
 	xul.dll!XPC_WN_GetterSetter(JSContext * cx, unsigned int argc, JS::Value * vp)  Line 1579 + 0xe bytes	C++
 	mozjs.dll!js::CallJSNative(JSContext * cx, int (JSContext *, unsigned int, JS::Value *)* native, const js::CallArgs & args)  Line 314 + 0xf bytes	C++
 	mozjs.dll!js::InvokeKernel(JSContext * cx, js::CallArgs args, js::MaybeConstruct construct)  Line 513 + 0x11 bytes	C++
 	mozjs.dll!js::Invoke(JSContext * cx, const JS::Value & thisv, const JS::Value & fval, unsigned int argc, JS::Value * argv, JS::Value * rval)  Line 560 + 0x23 bytes	C++
 	mozjs.dll!js::InvokeGetterOrSetter(JSContext * cx, JSObject * obj, const JS::Value & fval, unsigned int argc, JS::Value * argv, JS::Value * rval)  Line 634 + 0x44 bytes	C++
 	mozjs.dll!js::Shape::set(JSContext * cx, JSObject * obj, bool strict, JS::Value * vp)  Line 311 + 0x18 bytes	C++
 	mozjs.dll!js_SetPropertyHelper(JSContext * cx, JSObject * obj, jsid id, unsigned int defineHow, JS::Value * vp, int strict)  Line 5460 + 0x18 bytes	C++
 	mozjs.dll!JSObject::setGeneric(JSContext * cx, jsid id, JS::Value * vp, int strict)  Line 172 + 0x18 bytes	C++
 	mozjs.dll!js::Wrapper::set(JSContext * cx, JSObject * wrapper, JSObject * receiver, jsid id, bool strict, JS::Value * vp)  Line 234 + 0x1b bytes	C++
 	mozjs.dll!js::CrossCompartmentWrapper::set(JSContext * cx, JSObject * wrapper, JSObject * receiver, jsid id, bool strict, JS::Value * vp)  Line 630 + 0x6f bytes	C++
 	mozjs.dll!js::Proxy::set(JSContext * cx, JSObject * proxy, JSObject * receiver, jsid id, bool strict, JS::Value * vp)  Line 885 + 0x2a bytes	C++
 	mozjs.dll!proxy_SetGeneric(JSContext * cx, JSObject * obj, jsid id, JS::Value * vp, int strict)  Line 1122 + 0x21 bytes	C++
 	mozjs.dll!JSObject::nonNativeSetProperty(JSContext * cx, jsid id, JS::Value * vp, int strict)  Line 3104 + 0x36 bytes	C++
 	mozjs.dll!JSObject::setGeneric(JSContext * cx, jsid id, JS::Value * vp, int strict)  Line 171 + 0x17 bytes	C++
 	mozjs.dll!js::SetPropertyOperation(JSContext * cx, unsigned char * pc, const JS::Value & lval, const JS::Value & rval)  Line 357 + 0x17 bytes	C++
 	mozjs.dll!js::Interpret(JSContext * cx, js::StackFrame * entryFrame, js::InterpMode interpMode)  Line 2591 + 0x12 bytes	C++
 	mozjs.dll!js::RunScript(JSContext * cx, JSScript * script, js::StackFrame * fp)  Line 469 + 0x7 bytes	C++
 	mozjs.dll!js::ExecuteKernel(JSContext * cx, JSScript * script, JSObject & scopeChain, const JS::Value & thisv, js::ExecuteType type, js::StackFrame * evalInFrame, JS::Value * result)  Line 667 + 0xb bytes	C++
 	mozjs.dll!js::Execute(JSContext * cx, JSScript * script, JSObject & scopeChainArg, JS::Value * rval)  Line 709 + 0x1a bytes	C++
 	mozjs.dll!EvaluateUCScriptForPrincipalsCommon(JSContext * cx, JSObject * obj, JSPrincipals * principals, JSPrincipals * originPrincipals, const wchar_t * chars, unsigned int length, const char * filename, unsigned int lineno, JS::Value * rval, JSVersion compileVersion)  Line 5266 + 0xc bytes	C++
 	mozjs.dll!JS_EvaluateUCScriptForPrincipals(JSContext * cx, JSObject * obj, JSPrincipals * principals, const wchar_t * chars, unsigned int length, const char * filename, unsigned int lineno, JS::Value * rval)  Line 5277 + 0x2f bytes	C++
 	xul.dll!xpc_EvalInSandbox(JSContext * cx, JSObject * sandbox, const nsAString_internal & source, const char * filename, int lineNo, JSVersion jsVersion, bool returnStringOnly, JS::Value * rval)  Line 3501 + 0x76 bytes	C++
 	xul.dll!nsXPCComponents_Utils::EvalInSandbox(const nsAString_internal & source, const JS::Value & sandboxVal, const JS::Value & version, const JS::Value & filenameVal, int lineNumber, JSContext * cx, unsigned char optionalArgc, JS::Value * retval)  Line 3402 + 0x28 bytes	C++
 	xul.dll!NS_InvokeByIndex_P(nsISupports * that, unsigned int methodIndex, unsigned int paramCount, nsXPTCVariant * params)  Line 103	C++
 	xul.dll!CallMethodHelper::Invoke()  Line 3021 + 0x11 bytes	C++
 	xul.dll!CallMethodHelper::Call()  Line 2354	C++
 	xul.dll!XPCWrappedNative::CallMethod(XPCCallContext & ccx, XPCWrappedNative::CallMode mode)  Line 2318 + 0x13 bytes	C++
 	xul.dll!XPC_WN_CallMethod(JSContext * cx, unsigned int argc, JS::Value * vp)  Line 1539 + 0xd bytes	C++
 	mozjs.dll!js::CallJSNative(JSContext * cx, int (JSContext *, unsigned int, JS::Value *)* native, const js::CallArgs & args)  Line 314 + 0xf bytes	C++
 	mozjs.dll!js::InvokeKernel(JSContext * cx, js::CallArgs args, js::MaybeConstruct construct)  Line 513 + 0x11 bytes	C++
 	mozjs.dll!js::Interpret(JSContext * cx, js::StackFrame * entryFrame, js::InterpMode interpMode)  Line 2684 + 0x27 bytes	C++
 	mozjs.dll!js::RunScript(JSContext * cx, JSScript * script, js::StackFrame * fp)  Line 469 + 0x7 bytes	C++
 	mozjs.dll!js::InvokeKernel(JSContext * cx, js::CallArgs args, js::MaybeConstruct construct)  Line 531	C++
 	mozjs.dll!js::Invoke(JSContext * cx, const JS::Value & thisv, const JS::Value & fval, unsigned int argc, JS::Value * argv, JS::Value * rval)  Line 560 + 0x23 bytes	C++
 	mozjs.dll!JS_CallFunctionValue(JSContext * cx, JSObject * obj, JS::Value fval, unsigned int argc, JS::Value * argv, JS::Value * rval)  Line 5389 + 0x24 bytes	C++
 	xul.dll!nsJSContext::CallEventHandler(nsISupports * aTarget, JSObject * aScope, JSObject * aHandler, nsIArray * aargv, nsIVariant * * arv)  Line 1880 + 0x2e bytes	C++
 	xul.dll!nsJSEventListener::HandleEvent(nsIDOMEvent * aEvent)  Line 239 + 0x43 bytes	C++
 	xul.dll!nsEventListenerManager::HandleEventSubType(nsListenerStruct * aListenerStruct, nsIDOMEventListener * aListener, nsIDOMEvent * aDOMEvent, nsIDOMEventTarget * aCurrentTarget, unsigned int aPhaseFlags, nsCxPusher * aPusher)  Line 744	C++
 	xul.dll!nsEventListenerManager::HandleEventInternal(nsPresContext * aPresContext, nsEvent * aEvent, nsIDOMEvent * * aDOMEvent, nsIDOMEventTarget * aCurrentTarget, unsigned int aFlags, nsEventStatus * aEventStatus, nsCxPusher * aPusher)  Line 800 + 0x1a bytes	C++
 	xul.dll!nsEventListenerManager::HandleEvent(nsPresContext * aPresContext, nsEvent * aEvent, nsIDOMEvent * * aDOMEvent, nsIDOMEventTarget * aCurrentTarget, unsigned int aFlags, nsEventStatus * aEventStatus, nsCxPusher * aPusher)  Line 169 + 0x18 bytes	C++
 	xul.dll!nsEventTargetChainItem::HandleEvent(nsEventChainPostVisitor & aVisitor, unsigned int aFlags, bool aMayHaveNewListenerManagers, nsCxPusher * aPusher)  Line 216	C++
 	xul.dll!nsEventTargetChainItem::HandleEventTargetChain(nsEventChainPostVisitor & aVisitor, unsigned int aFlags, nsDispatchingCallback * aCallback, bool aMayHaveNewListenerManagers, nsCxPusher * aPusher)  Line 349	C++
 	xul.dll!nsEventDispatcher::Dispatch(nsISupports * aTarget, nsPresContext * aPresContext, nsEvent * aEvent, nsIDOMEvent * aDOMEvent, nsEventStatus * aEventStatus, nsDispatchingCallback * aCallback, nsCOMArray<nsIDOMEventTarget> * aTargets)  Line 681 + 0x16 bytes	C++
 	xul.dll!nsEventDispatcher::DispatchDOMEvent(nsISupports * aTarget, nsEvent * aEvent, nsIDOMEvent * aDOMEvent, nsPresContext * aPresContext, nsEventStatus * aEventStatus)  Line 744 + 0x14 bytes	C++
 	xul.dll!nsINode::DispatchEvent(nsIDOMEvent * aEvent, bool * aRetVal)  Line 1175	C++
 	xul.dll!nsContentUtils::DispatchXULCommand(nsIContent * aTarget, bool aTrusted, nsIDOMEvent * aSourceEvent, nsIPresShell * aShell, bool aCtrl, bool aAlt, bool aShift, bool aMeta)  Line 5793 + 0x15 bytes	C++
 	xul.dll!nsXULElement::PreHandleEvent(nsEventChainPreVisitor & aVisitor)  Line 1694 + 0x2c bytes	C++
 	xul.dll!nsEventTargetChainItem::PreHandleEvent(nsEventChainPreVisitor & aVisitor)  Line 276 + 0xf bytes	C++
 	xul.dll!nsEventDispatcher::Dispatch(nsISupports * aTarget, nsPresContext * aPresContext, nsEvent * aEvent, nsIDOMEvent * aDOMEvent, nsEventStatus * aEventStatus, nsDispatchingCallback * aCallback, nsCOMArray<nsIDOMEventTarget> * aTargets)  Line 628	C++
 	xul.dll!nsEventDispatcher::DispatchDOMEvent(nsISupports * aTarget, nsEvent * aEvent, nsIDOMEvent * aDOMEvent, nsPresContext * aPresContext, nsEventStatus * aEventStatus)  Line 744 + 0x14 bytes	C++
 	xul.dll!PresShell::HandleDOMEventWithTarget(nsIContent * aTargetContent, nsIDOMEvent * aEvent, nsEventStatus * aStatus)  Line 6739 + 0x12 bytes	C++
 	xul.dll!nsContentUtils::DispatchXULCommand(nsIContent * aTarget, bool aTrusted, nsIDOMEvent * aSourceEvent, nsIPresShell * aShell, bool aCtrl, bool aAlt, bool aShift, bool aMeta)  Line 5787 + 0x14 bytes	C++
 	xul.dll!nsXULMenuCommandEvent::Run()  Line 2362 + 0x25 bytes	C++
 	xul.dll!nsThread::ProcessNextEvent(bool mayWait, bool * result)  Line 657 + 0xe bytes	C++
 	xul.dll!NS_ProcessNextEvent_P(nsIThread * thread, bool mayWait)  Line 245 + 0xd bytes	C++
Same happens in the Web Console too.
I'm not too worried about attacks via Scratchpad or the Web Console, but it might indicate a problem that could be abused from regular content. Or maybe it's an evalInSandbox() problem that could be abused against various add-ons.
Most likely it's an evalInSandbox problem. Does this need security status?
It's a potential security problem, yes, because code relies on evalInSandbox to make things safe and could be attacked through it (mostly add-ons I would think).
Whiteboard: [sg:moderate]
I no longer get the assert -- instead I get an error and cannot set location.href or document.location from the Scratchpad using a Mac build from https://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2012-10-12-mozilla-central-debug/

Has that been true for a while, or is it possible it was broken in some of the recent location changes?
Hm, works fine in an Opt nightly from the day before (Oct 11). Will try a 10-12 Opt nightly to see if the problem is with the 12th or with debug.
Opt 2012-10-12 nightly is broken too... I'll file a separate regression bug.
In the 2012-10-11 nightly where Scratchpad still works I still see the assertion symptoms of this bug.

Filed bug 801241 on the Scratchpad problem.
Can you confirm that the new protection code does not negatively affect the evalInSandbox for ScratchPad in general or this bug specifically?
Flags: needinfo?(bobbyholley+bmo)
(In reply to Curtis Koenig [:curtisk] from comment #9)
> Can you confirm that the new protection code does not negatively affect the
> evalInSandbox for ScratchPad in general or this bug specifically?

I don't understand this question.
Flags: needinfo?(bobbyholley+bmo)
We are evaluating bugs for inclusion into 16.0.2 and dveditz wanted to confirm that the new code to counter the latest .location issue does not break or affect the evalInSandbox functions that Scratchpad uses. I believe the crux of the question is this: is this bug caused by the new .location code or is this something else?
Flags: needinfo?(bobbyholley+bmo)
(In reply to Curtis Koenig [:curtisk] from comment #11)
> I believe
> the crux of the question is this: is this bug caused by the new .location
> code or is this something else?

This bug was filed in March, so no.

My guess would be that this is bug 747607. I'm going to put together patches for that now.
Flags: needinfo?(bobbyholley+bmo)
Dan, I believe this clears up the question for us. IMO this should not be pushed for 16.0.2, do you agree?
Flags: needinfo?(dveditz)
Flags: needinfo?(dveditz)
Whiteboard: [sg:moderate] → [sg:moderate] possibly same issue as bug 747607
Bobby, did bug 747607 fix this one too?
(In reply to Olli Pettay [:smaug] from comment #14)
> Bobby, did bug 747607 fix this one too?

I'd think so. Kyle, can you confirm?
Flags: needinfo?(khuey)
Well, nsScriptSecurityManager::GetCxSubjectPrincipalAndFrame doesn't exist any more, so clearly we can't hit an assertion in it.

I can't confirm that we actually fixed the underlying issue (if any even existed to begin with) but certainly the assertion no longer fires (and running the steps from comment 0 doesn't trigger any new assertions).
Flags: needinfo?(khuey)
Ah, right. Yeah, this should be fixed then.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Whiteboard: [sg:moderate] possibly same issue as bug 747607 → [sg:moderate][adv-track-main17+][adv-track-esr17+] possibly same issue as bug 747607
Group: core-security