diff --git a/dom/webauthn/WebAuthnTransactionChild.cpp b/dom/webauthn/WebAuthnTransactionChild.cpp index 3f1f6d889df3..220f03fab448 100644 --- a/dom/webauthn/WebAuthnTransactionChild.cpp +++ b/dom/webauthn/WebAuthnTransactionChild.cpp @@ -28,7 +28,12 @@ WebAuthnTransactionChild::RecvConfirmRegister(const uint64_t& aTransactionId, return IPC_FAIL_NO_REASON(this); } - mManager->FinishMakeCredential(aTransactionId, aResult); + // We don't own the reference to mManager. We need to prevent its refcount + // going to 0 while we call anything that can reach the call to + // StopListeningForVisibilityEvents in WebAuthnManager::ClearTransaction + // (often via WebAuthnManager::RejectTransaction). + RefPtr kungFuDeathGrip(mManager); + kungFuDeathGrip->FinishMakeCredential(aTransactionId, aResult); return IPC_OK(); } @@ -40,7 +45,12 @@ WebAuthnTransactionChild::RecvConfirmSign(const uint64_t& aTransactionId, return IPC_FAIL_NO_REASON(this); } - mManager->FinishGetAssertion(aTransactionId, aResult); + // We don't own the reference to mManager. We need to prevent its refcount + // going to 0 while we call anything that can reach the call to + // StopListeningForVisibilityEvents in WebAuthnManager::ClearTransaction + // (often via WebAuthnManager::RejectTransaction). + RefPtr kungFuDeathGrip(mManager); + kungFuDeathGrip->FinishGetAssertion(aTransactionId, aResult); return IPC_OK(); } @@ -52,7 +62,12 @@ WebAuthnTransactionChild::RecvAbort(const uint64_t& aTransactionId, return IPC_FAIL_NO_REASON(this); } - mManager->RequestAborted(aTransactionId, aError); + // We don't own the reference to mManager. We need to prevent its refcount + // going to 0 while we call anything that can reach the call to + // StopListeningForVisibilityEvents in WebAuthnManager::ClearTransaction + // (often via WebAuthnManager::RejectTransaction). + RefPtr kungFuDeathGrip(mManager); + kungFuDeathGrip->RequestAborted(aTransactionId, aError); return IPC_OK(); } diff --git a/dom/webauthn/tests/get_assertion_dead_object.html b/dom/webauthn/tests/get_assertion_dead_object.html new file mode 100644 index 000000000000..e7de9d3deb00 --- /dev/null +++ b/dom/webauthn/tests/get_assertion_dead_object.html @@ -0,0 +1,21 @@ + + + + + + + + + diff --git a/dom/webauthn/tests/mochitest.ini b/dom/webauthn/tests/mochitest.ini index 79c5333da57a..a65af5079212 100644 --- a/dom/webauthn/tests/mochitest.ini +++ b/dom/webauthn/tests/mochitest.ini @@ -3,6 +3,7 @@ support-files = cbor.js u2futil.js pkijs/* + get_assertion_dead_object.html skip-if = !e10s scheme = https @@ -14,6 +15,7 @@ scheme = https [test_webauthn_no_token.html] [test_webauthn_make_credential.html] [test_webauthn_get_assertion.html] +[test_webauthn_get_assertion_dead_object.html] [test_webauthn_override_request.html] [test_webauthn_store_credential.html] [test_webauthn_sameorigin.html] diff --git a/dom/webauthn/tests/test_webauthn_get_assertion_dead_object.html b/dom/webauthn/tests/test_webauthn_get_assertion_dead_object.html new file mode 100644 index 000000000000..408aa45bc1ac --- /dev/null +++ b/dom/webauthn/tests/test_webauthn_get_assertion_dead_object.html @@ -0,0 +1,29 @@ + + + + Test for GetAssertion on dead object + + + + + + +

Test for GetAssertion on dead object

+ Mozilla Bug 1483905 + + + + +