From 3d31cfbfef4495b7882dd5d3aa7b5c51a815d512 Mon Sep 17 00:00:00 2001
From: Dana Keeler <dkeeler@mozilla.com>
Date: Fri, 7 Sep 2018 09:17:19 -0700
Subject: [PATCH] bug 1483905 - ensure the WebAuthnManager stays alive while
 WebAuthnTransactionChild is using it r=qdot

Differential Revision: https://phabricator.services.mozilla.com/D5305

--HG--
extra : rebase_source : 1c05f0cd33954fe0127e295b4c76eed40f75e6ef
---
 dom/webauthn/WebAuthnTransactionChild.cpp     | 21 ++++++++++++--
 .../tests/get_assertion_dead_object.html      | 21 ++++++++++++++
 dom/webauthn/tests/mochitest.ini              |  2 ++
 ...st_webauthn_get_assertion_dead_object.html | 29 +++++++++++++++++++
 4 files changed, 70 insertions(+), 3 deletions(-)
 create mode 100644 dom/webauthn/tests/get_assertion_dead_object.html
 create mode 100644 dom/webauthn/tests/test_webauthn_get_assertion_dead_object.html

diff --git a/dom/webauthn/WebAuthnTransactionChild.cpp b/dom/webauthn/WebAuthnTransactionChild.cpp
index 3f1f6d889df3..220f03fab448 100644
--- a/dom/webauthn/WebAuthnTransactionChild.cpp
+++ b/dom/webauthn/WebAuthnTransactionChild.cpp
@@ -28,7 +28,12 @@ WebAuthnTransactionChild::RecvConfirmRegister(const uint64_t& aTransactionId,
     return IPC_FAIL_NO_REASON(this);
   }
 
-  mManager->FinishMakeCredential(aTransactionId, aResult);
+  // We don't own the reference to mManager. We need to prevent its refcount
+  // going to 0 while we call anything that can reach the call to
+  // StopListeningForVisibilityEvents in WebAuthnManager::ClearTransaction
+  // (often via WebAuthnManager::RejectTransaction).
+  RefPtr<WebAuthnManagerBase> kungFuDeathGrip(mManager);
+  kungFuDeathGrip->FinishMakeCredential(aTransactionId, aResult);
   return IPC_OK();
 }
 
@@ -40,7 +45,12 @@ WebAuthnTransactionChild::RecvConfirmSign(const uint64_t& aTransactionId,
     return IPC_FAIL_NO_REASON(this);
   }
 
-  mManager->FinishGetAssertion(aTransactionId, aResult);
+  // We don't own the reference to mManager. We need to prevent its refcount
+  // going to 0 while we call anything that can reach the call to
+  // StopListeningForVisibilityEvents in WebAuthnManager::ClearTransaction
+  // (often via WebAuthnManager::RejectTransaction).
+  RefPtr<WebAuthnManagerBase> kungFuDeathGrip(mManager);
+  kungFuDeathGrip->FinishGetAssertion(aTransactionId, aResult);
   return IPC_OK();
 }
 
@@ -52,7 +62,12 @@ WebAuthnTransactionChild::RecvAbort(const uint64_t& aTransactionId,
     return IPC_FAIL_NO_REASON(this);
   }
 
-  mManager->RequestAborted(aTransactionId, aError);
+  // We don't own the reference to mManager. We need to prevent its refcount
+  // going to 0 while we call anything that can reach the call to
+  // StopListeningForVisibilityEvents in WebAuthnManager::ClearTransaction
+  // (often via WebAuthnManager::RejectTransaction).
+  RefPtr<WebAuthnManagerBase> kungFuDeathGrip(mManager);
+  kungFuDeathGrip->RequestAborted(aTransactionId, aError);
   return IPC_OK();
 }
 
diff --git a/dom/webauthn/tests/get_assertion_dead_object.html b/dom/webauthn/tests/get_assertion_dead_object.html
new file mode 100644
index 000000000000..e7de9d3deb00
--- /dev/null
+++ b/dom/webauthn/tests/get_assertion_dead_object.html
@@ -0,0 +1,21 @@
+<!DOCTYPE html>
+<html>
+<head>
+<meta charset=utf-8>
+</head>
+<body>
+<script type="text/javascript">
+  window.addEventListener('load', function() {
+    let o = [];
+    o[0] = window.navigator;
+    document.writeln('');
+    // Since the USB token is enabled by default, this will pop up a notification that the
+    // user can insert/interact with it. Since this is just a test, this won't happen. The
+    // request will eventually time out.
+    // Unfortunately the minimum timeout is 15 seconds.
+    o[0].credentials.get({ publicKey: { challenge: new Uint8Array(128), timeout: 15000 } });
+    o.forEach((n, i) => o[i] = null);
+  });
+</script>
+</body>
+</html>
diff --git a/dom/webauthn/tests/mochitest.ini b/dom/webauthn/tests/mochitest.ini
index 79c5333da57a..a65af5079212 100644
--- a/dom/webauthn/tests/mochitest.ini
+++ b/dom/webauthn/tests/mochitest.ini
@@ -3,6 +3,7 @@ support-files =
   cbor.js
   u2futil.js
   pkijs/*
+  get_assertion_dead_object.html
 skip-if = !e10s
 scheme = https
 
@@ -14,6 +15,7 @@ scheme = https
 [test_webauthn_no_token.html]
 [test_webauthn_make_credential.html]
 [test_webauthn_get_assertion.html]
+[test_webauthn_get_assertion_dead_object.html]
 [test_webauthn_override_request.html]
 [test_webauthn_store_credential.html]
 [test_webauthn_sameorigin.html]
diff --git a/dom/webauthn/tests/test_webauthn_get_assertion_dead_object.html b/dom/webauthn/tests/test_webauthn_get_assertion_dead_object.html
new file mode 100644
index 000000000000..408aa45bc1ac
--- /dev/null
+++ b/dom/webauthn/tests/test_webauthn_get_assertion_dead_object.html
@@ -0,0 +1,29 @@
+<!DOCTYPE html>
+<meta charset=utf-8>
+<head>
+  <title>Test for GetAssertion on dead object</title>
+  <script type="text/javascript" src="/tests/SimpleTest/SimpleTest.js"></script>
+  <script type="text/javascript" src="/tests/SimpleTest/AddTask.js"></script>
+  <link rel="stylesheet" type="text/css" href="/tests/SimpleTest/test.css" />
+</head>
+<body>
+
+  <h1>Test for GetAssertion on dead object</h1>
+  <a target="_blank" href="https://bugzilla.mozilla.org/show_bug.cgi?id=1483905">Mozilla Bug 1483905</a>
+
+  <script class="testbody" type="text/javascript">
+    "use strict";
+    SimpleTest.waitForExplicitFinish();
+    SimpleTest.requestFlakyTimeout(
+      "Due to the nature of this test, there's no way for the window we're opening to signal " +
+      "that it's done (the `document.writeln('')` is essential and basically clears any state " +
+      "we could use). So, we have to wait at least 15 seconds for the webauthn call to time out.");
+    let win = window.open("https://example.com/tests/dom/webauthn/tests/get_assertion_dead_object.html");
+    setTimeout(() => {
+      win.close();
+      SimpleTest.finish();
+    }, 20000);
+  </script>
+
+</body>
+</html>