Closed
Bug 390626
Opened 17 years ago
Closed 17 years ago
Crash due to too much recursion in XPCWrappedNative::GetWrappedNativeOfJSObject
Categories
(Core :: XPConnect, defect)
Tracking
()
VERIFIED
FIXED
People
(Reporter: jruderman, Assigned: mrbkap)
References
Details
(Keywords: crash, regression, testcase)
Attachments
(2 files, 3 obsolete files)
|
(deleted),
text/html
|
Details | |
|
(deleted),
patch
|
mrbkap
:
review+
jst
:
superreview+
|
Details | Diff | Splinter Review |
This crashes Firefox (Mac trunk debug, just updated):
function boom()
{
var cdp = document.body.compareDocumentPosition;
var ew = eval(window); // This creates a cross-origin wrapper!!!
window.__proto__ = ew;
cdp(null);
}Flags: blocking1.9?
|
Reporter | |
Comment 1•17 years ago
|
||
I guess this is creating a __proto__ cycle that's undetected due to the XOW, so the bug is in the __proto__ setting code for not detecting the cycle. Why does eval(window) create a XOW, though?
|
|
Reporter | |
Comment 2•17 years ago
|
||
Oh, the eval isn't needed. |window| itself is a XOW and breaks __proto__ cycle prevention. (Why are |window| and |document| XOWs?)
|
|
Reporter | |
Comment 3•17 years ago
|
||
Attachment #274926 -
Attachment is obsolete: true
|
Assignee | |
Comment 4•17 years ago
|
||
(In reply to comment #2) > (Why are |window| and |document| XOWs?) Because they can change principals, consider: w = window.open(); // w is same-origin. w.location = 'http://www.google.com'; // w is now not same-origin. We create an XOW to ensure that we always do the right security checks.
|
|
Assignee | |
Comment 5•17 years ago
|
||
This should fix things: now the XOW does the cycle check, unwrapping along the way. This is a little bit complicated, since doing: window.__proto__ = null window.__proto__ = window Does not actually create a cycle (since the first assignment disables __proto__ setting).
Assignee: nobody → mrbkap
Status: NEW → ASSIGNED
Attachment #275005 -
Flags: superreview?(jst)
Attachment #275005 -
Flags: review?(brendan)
|
|
Assignee | |
Comment 6•17 years ago
|
||
Oops, used the wrong variable in the JS_GetPrototype in the loop condition.
Attachment #275005 -
Attachment is obsolete: true
Attachment #275006 -
Flags: superreview?(jst)
Attachment #275006 -
Flags: review?(brendan)
Attachment #275005 -
Flags: superreview?(jst)
Attachment #275005 -
Flags: review?(brendan)
|
||
Updated•17 years ago
|
Flags: blocking1.9? → blocking1.9+
|
||
Comment 7•17 years ago
|
||
Comment on attachment 275006 [details] [diff] [review] Fix, v1.1 >+ JSObject *prototype = nsnull; // Initialize this to quiet GCC. s/prototype/proto/ to match other uses of the shorthand, for brevity, and to keep the f.prototype property of function objects distant? >+ // Ensure that this __proto__ setting didn't create a cycle. The JS >+ // engine tries to do this, but XOWs confuse it, here we deal with >+ // them by unwrapping each step up the prototype chain. Full stop after "confuse it." Perhaps the new sentence starting after that should begin "So here we deal...". r=me, nits picked. /be
Attachment #275006 -
Flags: review?(brendan) → review+
|
|
Assignee | |
Comment 8•17 years ago
|
||
Attachment #275006 -
Attachment is obsolete: true
Attachment #275019 -
Flags: superreview?(jst)
Attachment #275019 -
Flags: review+
Attachment #275006 -
Flags: superreview?(jst)
|
|
||
Updated•17 years ago
|
Attachment #275019 -
Flags: superreview?(jst) → superreview+
|
|
Assignee | |
Comment 9•17 years ago
|
||
Fix checked into trunk.
Status: ASSIGNED → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
|
||
Comment 10•17 years ago
|
||
verified fixed using Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9b3pre) Gecko/2007123104 Minefield/3.0b3pre and the testcase. No crash on testcase - changing to Verified fixed.
Status: RESOLVED → VERIFIED
You need to log in
before you can comment on or make changes to this bug.
Description
•