Closed Bug 916860 Opened 11 years ago Closed 11 years ago

crash in JS_ValueToObject(JSContext*, JS::Value, JSObject**)

Categories

(Core :: DOM: Workers, defect)

26 Branch
x86
All
defect
Not set
critical

Tracking


VERIFIED FIXED
mozilla27
Tracking Status
firefox25 --- unaffected
firefox26 + fixed
firefox27 --- fixed
firefox-esr17 --- unaffected
firefox-esr24 --- unaffected
b2g18 --- unaffected

People

(Reporter: tracy, Assigned: bzbarsky)

References

Details

(Keywords: crash, csectype-uaf, sec-critical)

Crash Data

Attachments

(1 file)

Attached file correlations
On a worker, CHECK_REQUEST(cx) is crashing with address 0xdadadada - Marking s-s for now.

There's a bunch of worker stuff in the range, including:

Nikhil Marathe — Bug 901291 - Get WebIDL callbacks working on Workers. r=khuey
Jeff Walden — Bug 897678 - Make worker code stop using propertyops, as a step toward removing propertyops altogether. r=mrbkap
Boris Zbarsky — Bug 914334. Change codegen to reflect EventListener as a WebIDL callback on workers. r=khuey
Mark Hammond — Bug 913950 - close all existing ports on worker termination. r=mixedpuppy
Olli Pettay — Bug 910910 - Enable Event ctors in workers, r=khuey
Group: core-security
The crash mentioned in comment 0 has this in it:

7|0|mozjs.dll|JS_ValueToObject(JSContext *,JS::Value,JSObject * *)|hg:hg.mozilla.org/mozilla-central:js/src/jsapi.cpp:53d5e43e23cc|372|0x31
37|1|xul.dll|mozilla::dom::workers::EventListenerManager::DispatchEvent(JSContext *,mozilla::dom::workers::EventTarget const &,JSObject *,mozilla::ErrorResult &)|hg:hg.mozilla.org/mozilla-central:dom/workers/EventListenerManager.cpp:53d5e43e23cc|390|0x2a
37|2|xul.dll|mozilla::dom::EventTargetBinding_workers::dispatchEvent|hg:hg.mozilla.org/mozilla-central:obj-firefox/dom/bindings/EventTargetBinding.cpp:53d5e43e23cc|803|0x25
37|3|xul.dll|mozilla::dom::EventTargetBinding_workers::genericMethod|hg:hg.mozilla.org/mozilla-central:obj-firefox/dom/bindings/EventTargetBinding.cpp:53d5e43e23cc|952|0x23
37|4|mozjs.dll|js::Invoke(JSContext *,JS::Value const &,JS::Value const &,unsigned int,JS::Value *,JS::MutableHandle<JS::Value>)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:53d5e43e23cc|528|0x2ae

which is suggestive of the event-mechanics-touching changes in comment 3.
Bug 914334 seems like the most likely candidate here.

Looks like we're dying inside a compartment check, not JS_CHECK_RECURSION.
> 390     if (!JS_ValueToObject(aCx, listenerVal, listenerObj.address())) {

Nothing says aCx and listenerVal are same-compartment.  I agree that bug 914334 could have caused this, maybe, depending on what exactly happened before with the XPCWrappedJS bits...

Kyle, you want me to take this, or do you want to?
Assignee: general → nobody
Component: JavaScript Engine → DOM: Workers
Flags: needinfo?(khuey)
Blocks: 917594
Blocks: 917599
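The frames quoted above are in Socorro's pipe-delimited layout (thread|frame|module|function|source|line|offset), and the triage in this bug is essentially "which frame under dom/workers/ handed the JS engine a value from the wrong compartment, and what did that file look like at the build's changeset". The parser below is an added example, not code from the bug or from Mozilla's tooling. The sample frames are constructed from the stack quoted in the bug; the hgweb annotate URL layout it builds is an assumption about hg.mozilla.org, not something the bug states.

```python
"""Parse Socorro-style crash frames and map them back to file/line at the
build's changeset.  Added example; not part of the original bug.

Assumptions (not from the bug): the annotate URL layout
https://<host>/<repo>/annotate/<rev>/<path>#l<line> used by hgweb.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: the five frames quoted in the bug, one per line.
SAMPLE_FRAMES = """\
7|0|mozjs.dll|JS_ValueToObject(JSContext *,JS::Value,JSObject * *)|hg:hg.mozilla.org/mozilla-central:js/src/jsapi.cpp:53d5e43e23cc|372|0x31
37|1|xul.dll|mozilla::dom::workers::EventListenerManager::DispatchEvent(JSContext *,mozilla::dom::workers::EventTarget const &,JSObject *,mozilla::ErrorResult &)|hg:hg.mozilla.org/mozilla-central:dom/workers/EventListenerManager.cpp:53d5e43e23cc|390|0x2a
37|2|xul.dll|mozilla::dom::EventTargetBinding_workers::dispatchEvent|hg:hg.mozilla.org/mozilla-central:obj-firefox/dom/bindings/EventTargetBinding.cpp:53d5e43e23cc|803|0x25
37|3|xul.dll|mozilla::dom::EventTargetBinding_workers::genericMethod|hg:hg.mozilla.org/mozilla-central:obj-firefox/dom/bindings/EventTargetBinding.cpp:53d5e43e23cc|952|0x23
37|4|mozjs.dll|js::Invoke(JSContext *,JS::Value const &,JS::Value const &,unsigned int,JS::Value *,JS::MutableHandle<JS::Value>)|hg:hg.mozilla.org/mozilla-central:js/src/vm/Interpreter.cpp:53d5e43e23cc|528|0x2ae
"""

# Source field shape: hg:<host>/<repo>:<path>:<changeset>
_SOURCE_RE = re.compile(
    r"^hg:(?P<host>[^/]+)/(?P<repo>[^:]+):(?P<path>.+):(?P<rev>[0-9a-f]{12,40})$"
)


@dataclass
class Frame:
    thread: int
    index: int
    module: str
    function: str
    source: Optional[str]
    line: Optional[int]
    offset: str
    repo_url: Optional[str] = None
    path: Optional[str] = None
    rev: Optional[str] = None
    generated: bool = False  # lives under an objdir, i.e. WebIDL codegen output


def parse_frame(raw: str) -> Frame:
    # The function field can itself contain '|' (operator|| and friends), so
    # take the three leading fields from the left and the three trailing
    # fields from the right; whatever is left in the middle is the function.
    thread, index, module, rest = raw.split("|", 3)
    function, source, line, offset = rest.rsplit("|", 3)
    f = Frame(int(thread), int(index), module, function, source or None,
              int(line) if line else None, offset)
    m = _SOURCE_RE.match(source)
    if m:
        f.repo_url = f"https://{m.group('host')}/{m.group('repo')}"
        f.path = m.group("path")
        f.rev = m.group("rev")
        # Generated bindings (obj-*/dom/bindings/...) are not in the tree,
        # so they cannot be annotated and are rarely where the bug lives.
        f.generated = f.path.startswith("obj-")
    return f


def parse_stack(text: str) -> List[Frame]:
    return [parse_frame(l) for l in text.splitlines() if l.strip()]


def annotate_url(f: Frame) -> Optional[str]:
    """hgweb annotate view at the build's changeset (URL layout assumed)."""
    if not f.path or f.generated or f.line is None:
        return None
    return f"{f.repo_url}/annotate/{f.rev}/{f.path}#l{f.line}"


def first_frame_under(frames: List[Frame], prefix: str) -> Optional[Frame]:
    """First in-tree frame whose path starts with prefix.

    Frame 0 is the JS engine's own check firing; the first caller under the
    component directory (here dom/workers/) is where the value that failed
    the check was produced, which is the frame worth reading first."""
    for f in frames:
        if f.path and not f.generated and f.path.startswith(prefix):
            return f
    return None


if __name__ == "__main__":
    frames = parse_stack(SAMPLE_FRAMES)
    for f in frames:
        kind = "generated" if f.generated else "in-tree"
        print(f"#{f.index} {f.module} {f.path}:{f.line} ({kind})")
    culprit = first_frame_under(frames, "dom/workers/")
    if culprit:
        print("first dom/workers/ frame:", annotate_url(culprit))
```

Running it prints one line per frame and then the annotate link for frame 1 (EventListenerManager.cpp line 390 at 53d5e43e23cc), which is the line bz quotes below.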
Kyle points out worker should only have one compartment....  Then what gives?
(In reply to Boris Zbarsky [:bz] from comment #7)
> Kyle points out worker should only have one compartment....  Then what gives?

From what I understand, we have 3 compartments in a worker.  One for the atom compartment, one for the self-hosted code, and one for the user code.
Hmm.  Which one does workers::GetCurrentThreadJSContext return?
But presumably WorkerRunnable::Run would get that same thing?

Though note that it sometimes uses ParentJSContext.  Could we be in that case?  Kyle?
Depends on: 918450
I believe the patch in bug 918450 will fix this.
Is this fixed now that bug 918450 is fixed?
Flags: needinfo?(twalker)
Volume peaked on 20130918. But there continues to be enough crashes occurring with this signature to keep it in the top 5 crashers over the last 3 days of data.
Flags: needinfo?(twalker)
Hmm.  The fix for bug 918450 would first show up in a 2013-09-21 m-c nightly.  It hasn't landed on Aurora 26 yet.

Looking at only Nightly 27 crashes, I see no crashes in a 2013-09-21 nightly or later.  So I claim this is fixed.  We just need to land bug 918450 on Aurora.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Ah, it just landed on Aurora.  So we should look at tomorrow's nightlies.
Cool! Yes, the volume since the 21st is on Aurora.  No crashes on Nightly in the same time frame.
Status: RESOLVED → VERIFIED
Assignee: nobody → bzbarsky
Target Milestone: --- → mozilla27
Group: core-security