Closed
Bug 840098
Opened 12 years ago
Closed 12 years ago
"ASSERTION: Unexpected aDocument" after adopting content from XBL
Categories
(Core :: XBL, defect)
Tracking
()
People
(Reporter: jruderman, Assigned: mrbkap)
References
Details
(5 keywords, Whiteboard: [land test on 8/5][adv-main22+][adv-esr1707+])
Attachments
(5 files, 1 obsolete file)
|
318 bytes,
text/html
|
Details | |
|
9.55 KB,
text/plain
|
Details | |
|
2.97 KB,
patch
|
bzbarsky
:
review+
abillings
:
sec-approval+
|
Details | Diff | Splinter Review |
|
1.91 KB,
patch
|
mrbkap
:
review+
bajaj
:
approval-mozilla-beta+
|
Details | Diff | Splinter Review |
|
1.88 KB,
patch
|
bajaj
:
approval-mozilla-esr17+
|
Details | Diff | Splinter Review |
###!!! ASSERTION: Unexpected aDocument: 'aDocument == mDocument', file layout/base/nsPresShell.cpp, line 4073
###!!! ASSERTION: Should be in an update while creating frames: 'mUpdateCount != 0', file layout/base/nsCSSFrameConstructor.cpp, line 6532
And a memory leak.
(Security-sensitive because the second assertion has appeared in security bugs.)
|
Reporter | |
Comment 1•12 years ago
|
||
|
||
Comment 2•12 years ago
|
||
Jesse, is this a regression from bug 821850? Does it depend on the pref being flipped?
|
|
Reporter | |
Comment 3•12 years ago
|
||
This happens with a clean profile / default prefs. I don't know whether it's a regression.
|
|
||
Comment 4•12 years ago
|
||
Ok, I think this is unrelated to my XBL stuff. Though it sounds somewhat like what blake was looking at last week. Blake, is this related?
Flags: needinfo?(mrbkap)
|
||
Comment 5•12 years ago
|
||
David, we're unsure how to sec- rate this one. How gloomy is the nsCSSFrameConstructor.cpp assert?
Flags: needinfo?(dbaron)
Both assertions sound like things have gone pretty wrong in a way that I could imagine being exploitable, but I can't really make a useful guess about the likelihood/danger off the top of my head. I think it's one of those things where we'll know more once we figure out the fix.
Flags: needinfo?(dbaron)
|
||
Comment 7•12 years ago
|
||
OK, guessing sec-high to split the difference between critical and moderate.
Keywords: sec-high
|
Assignee | |
Comment 9•12 years ago
|
||
It's unlikely that this is directly related to what I was looking at, but I can definitely investigate here.
Assignee: nobody → mrbkap
Flags: needinfo?(mrbkap)
|
|
Assignee | |
Comment 10•12 years ago
|
||
The root of an anonymous subtree is special in that it is not in its parent's child list. Moving such a root out from under its shadow parent confuses the XBL code (and possibly also the BindToTree code). This patch fixes adoptNode to follow nsINode::ReplaceOrInsertBefore's behavior by making sure we don't move the root of an anonymous subtree out from under it.
Attachment #728488 -
Flags: review?(bzbarsky)
|
||
Comment 11•12 years ago
|
||
Comment on attachment 728488 [details] [diff] [review]
Proposed fix
r=me
Attachment #728488 -
Flags: review?(bzbarsky) → review+
|
|
Assignee | |
Comment 12•12 years ago
|
||
Comment on attachment 728488 [details] [diff] [review]
Proposed fix
[Security approval request comment]
How easily could an exploit be constructed based on the patch?
The patch points directly at the problem (calling adopt node on the root of an anonymous subtree causes problems). However, I don't think that anybody actually knows how to exploit this. We know that it's dangerous, so we're treating it as sec-high, but coming up with an actual exploit is likely many hours worth of work.
Which older supported branches are affected by this flaw?
Some digging around showed that bug 650493 is at fault here (it removed an implicit check for the adopted node being in the child list of the parent).
How likely is this patch to cause regressions; how much testing does it need?
This is extremely unlikely to cause regressions. It introduces an error check that bails out only in cases that would cause this bug.
Attachment #728488 -
Flags: sec-approval?
|
||
Comment 13•12 years ago
|
||
Comment on attachment 728488 [details] [diff] [review]
Proposed fix
sec-approval+ but only for a checkin 4/9 or after.
Attachment #728488 -
Flags: sec-approval? → sec-approval+
|
|
Assignee | |
Comment 14•12 years ago
|
||
This makes life a little clearer for the future with an additional assertion (r=sicking if anybody's tracking it).
Attachment #736049 -
Flags: review+
|
|
Assignee | |
Updated•12 years ago
|
Keywords: checkin-needed
|
||
Comment 15•12 years ago
|
||
Keywords: checkin-needed
|
|
||
Comment 16•12 years ago
|
||
Status: NEW → RESOLVED
Closed: 12 years ago
status-firefox23:
--- → fixed
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla23
|
|
||
Comment 17•12 years ago
|
||
Late in the game to get this into Firefox 21, let's just wait for 22.
Blocks: 650493
status-b2g18:
--- → affected
status-firefox21:
--- → wontfix
status-firefox22:
--- → affected
status-firefox-esr17:
--- → affected
tracking-firefox21:
--- → -
tracking-firefox22:
--- → +
tracking-firefox23:
--- → +
tracking-firefox-esr17:
--- → 22+
Keywords: regression
|
|
Assignee | |
Comment 19•12 years ago
|
||
Comment on attachment 736049 [details] [diff] [review]
For checkin
Yes.
Attachment #736049 -
Flags: approval-mozilla-beta?
Flags: needinfo?(mrbkap)
|
||
Updated•12 years ago
|
Attachment #736049 -
Flags: approval-mozilla-beta? → approval-mozilla-beta+
|
|
||
Comment 20•12 years ago
|
||
Can we get the esr patch as well ?
|
|
||
Comment 21•12 years ago
|
||
status-b2g18-v1.0.0:
--- → wontfix
status-b2g18-v1.0.1:
--- → affected
|
|
Assignee | |
Comment 22•12 years ago
|
||
Attachment #753002 -
Flags: approval-mozilla-esr17?
|
|
Assignee | |
Comment 23•12 years ago
|
||
Sorry, the previous esr17 patch didn't compile.
Attachment #753002 -
Attachment is obsolete: true
Attachment #753002 -
Flags: approval-mozilla-esr17?
Attachment #753041 -
Flags: approval-mozilla-esr17?
|
||
Comment 24•12 years ago
|
||
Verified as fixed on the 05/29 beta debug build on Mac OSX 10.7.5. No assertions are displayed with the attached test case anymore and the test case is displayed fine.
|
|
||
Updated•11 years ago
|
Attachment #753041 -
Flags: approval-mozilla-esr17? → approval-mozilla-esr17+
|
|
||
Updated•11 years ago
|
Keywords: checkin-needed
|
|
||
Comment 25•11 years ago
|
||
|
||
Comment 26•11 years ago
|
||
Confirmed assertion 17.0.6esr.
Confirmed fixed 17esr 2013-06-18.
Confirmed fixed FF23 2013-06-14.
Status: RESOLVED → VERIFIED
|
|
||
Updated•11 years ago
|
Whiteboard: [land test on 8/5]
|
|
||
Updated•11 years ago
|
Whiteboard: [land test on 8/5] → [land test on 8/5][adv-main22+][adv-esr1707+]
|
|
||
Comment 27•11 years ago
|
||
This doesn't seem to have made it to b2g18, although that's marked "affected".
tracking-b2g18:
--- → ?
|
|
||
Comment 28•11 years ago
|
||
https://hg.mozilla.org/releases/mozilla-b2g18/rev/9d624187768c
a=bajaj over email. Did this test ever land? Looks like it was supposed to back in August.
|
|
||
Comment 29•11 years ago
|
||
|
|
Assignee | |
Comment 30•11 years ago
|
||
Flags: needinfo?(mrbkap)
|
|
Assignee | |
Comment 31•11 years ago
|
||
...and that was the wrong testcase, oops.
|
|
Assignee | |
Comment 32•11 years ago
|
||
|
|
Assignee | |
Updated•11 years ago
|
Flags: in-testsuite? → in-testsuite+
|
||
Comment 33•11 years ago
|
||
fixed on central https://hg.mozilla.org/mozilla-central/rev/a301aa4f3e43
|
|
||
Updated•10 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•