bug 1483905 - ensure the WebAuthnManager stays alive while WebAuthnTransactionChild is using it r=qdot

Differential Revision: https://phabricator.services.mozilla.com/D5305 --HG-- extra : rebase_source : 1c05f0cd33954fe0127e295b4c76eed40f75e6ef
2018-09-07 09:17:19 -07:00 · 2018-09-07 09:17:19 -07:00 · 3d31cfbfef
--- a/dom/webauthn/WebAuthnTransactionChild.cpp
+++ b/dom/webauthn/WebAuthnTransactionChild.cpp
@ -28,7 +28,12 @@ WebAuthnTransactionChild::RecvConfirmRegister(const uint64_t& aTransactionId,
    return IPC_FAIL_NO_REASON(this);
  }

-  mManager->FinishMakeCredential(aTransactionId, aResult);
+  // We don't own the reference to mManager. We need to prevent its refcount
+  // going to 0 while we call anything that can reach the call to
+  // StopListeningForVisibilityEvents in WebAuthnManager::ClearTransaction
+  // (often via WebAuthnManager::RejectTransaction).
+  RefPtr<WebAuthnManagerBase> kungFuDeathGrip(mManager);
+  kungFuDeathGrip->FinishMakeCredential(aTransactionId, aResult);
  return IPC_OK();
 }

@ -40,7 +45,12 @@ WebAuthnTransactionChild::RecvConfirmSign(const uint64_t& aTransactionId,
    return IPC_FAIL_NO_REASON(this);
  }

-  mManager->FinishGetAssertion(aTransactionId, aResult);
+  // We don't own the reference to mManager. We need to prevent its refcount
+  // going to 0 while we call anything that can reach the call to
+  // StopListeningForVisibilityEvents in WebAuthnManager::ClearTransaction
+  // (often via WebAuthnManager::RejectTransaction).
+  RefPtr<WebAuthnManagerBase> kungFuDeathGrip(mManager);
+  kungFuDeathGrip->FinishGetAssertion(aTransactionId, aResult);
  return IPC_OK();
 }

@ -52,7 +62,12 @@ WebAuthnTransactionChild::RecvAbort(const uint64_t& aTransactionId,
    return IPC_FAIL_NO_REASON(this);
  }

-  mManager->RequestAborted(aTransactionId, aError);
+  // We don't own the reference to mManager. We need to prevent its refcount
+  // going to 0 while we call anything that can reach the call to
+  // StopListeningForVisibilityEvents in WebAuthnManager::ClearTransaction
+  // (often via WebAuthnManager::RejectTransaction).
+  RefPtr<WebAuthnManagerBase> kungFuDeathGrip(mManager);
+  kungFuDeathGrip->RequestAborted(aTransactionId, aError);
  return IPC_OK();
 }

--- a/dom/webauthn/tests/get_assertion_dead_object.html
+++ b/dom/webauthn/tests/get_assertion_dead_object.html
@ -0,0 +1,21 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta charset=utf-8>
+</head>
+<body>
+<script type="text/javascript">
+  window.addEventListener('load', function() {
+    let o = [];
+    o[0] = window.navigator;
+    document.writeln('');
+    // Since the USB token is enabled by default, this will pop up a notification that the
+    // user can insert/interact with it. Since this is just a test, this won't happen. The
+    // request will eventually time out.
+    // Unfortunately the minimum timeout is 15 seconds.
+    o[0].credentials.get({ publicKey: { challenge: new Uint8Array(128), timeout: 15000 } });
+    o.forEach((n, i) => o[i] = null);
+  });
+</script>
+</body>
+</html>
--- a/dom/webauthn/tests/mochitest.ini
+++ b/dom/webauthn/tests/mochitest.ini
@ -3,6 +3,7 @@ support-files =
  cbor.js
  u2futil.js
  pkijs/*
+  get_assertion_dead_object.html
 skip-if = !e10s
 scheme = https

@ -14,6 +15,7 @@ scheme = https
 [test_webauthn_no_token.html]
 [test_webauthn_make_credential.html]
 [test_webauthn_get_assertion.html]
+[test_webauthn_get_assertion_dead_object.html]
 [test_webauthn_override_request.html]
 [test_webauthn_store_credential.html]
 [test_webauthn_sameorigin.html]
--- a/dom/webauthn/tests/test_webauthn_get_assertion_dead_object.html
+++ b/dom/webauthn/tests/test_webauthn_get_assertion_dead_object.html
@ -0,0 +1,29 @@
+<!DOCTYPE html>
+<meta charset=utf-8>
+<head>
+  <title>Test for GetAssertion on dead object</title>
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="text/javascript" src="/tests/SimpleTest/AddTask.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+
+  <h1>Test for GetAssertion on dead object</h1>
+  <a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=1483905">Mozilla Bug 1483905</a>
+
+  <script class="testbody" type="text/javascript">
+    "use strict";
+    SimpleTest.waitForExplicitFinish();
+    SimpleTest.requestFlakyTimeout(
+      "Due to the nature of this test, there's no way for the window we're opening to signal " +
+      "that it's done (the `document.writeln('')` is essential and basically clears any state " +
+      "we could use). So, we have to wait at least 15 seconds for the webauthn call to time out.");
+    let win = window.open("https://example.com/tests/dom/webauthn/tests/get_assertion_dead_object.html");
+    setTimeout(() => {
+      win.close();
+      SimpleTest.finish();
+    }, 20000);
+  </script>
+
+</body>
+</html>