Bug 1157456 - Re-wrap results in SavedFrame accessors; r=jorendorff

js/src/vm/SavedStacks.cpp

@@ -696,10 +696,13 @@ SavedFrame::sourceProperty(JSContext* cx, unsigned argc, Value* vp)
 {
     THIS_SAVEDFRAME(cx, argc, vp, "(get source)", args, frame);
     RootedString source(cx);
-    if (JS::GetSavedFrameSource(cx, frame, &source) == JS::SavedFrameResult::Ok)
+    if (JS::GetSavedFrameSource(cx, frame, &source) == JS::SavedFrameResult::Ok) {
+        if (!cx->compartment()->wrap(cx, &source))
+            return false;
         args.rval().setString(source);
-    else
+    } else {
         args.rval().setNull();
+    }
     return true;
 }
 
@@ -733,10 +736,13 @@ SavedFrame::functionDisplayNameProperty(JSContext* cx, unsigned argc, Value* vp)
     THIS_SAVEDFRAME(cx, argc, vp, "(get functionDisplayName)", args, frame);
     RootedString name(cx);
     JS::SavedFrameResult result = JS::GetSavedFrameFunctionDisplayName(cx, frame, &name);
-    if (result == JS::SavedFrameResult::Ok && name)
+    if (result == JS::SavedFrameResult::Ok && name) {
+        if (!cx->compartment()->wrap(cx, &name))
+            return false;
         args.rval().setString(name);
-    else
+    } else {
         args.rval().setNull();
+    }
     return true;
 }
 
@@ -746,10 +752,13 @@ SavedFrame::asyncCauseProperty(JSContext* cx, unsigned argc, Value* vp)
     THIS_SAVEDFRAME(cx, argc, vp, "(get asyncCause)", args, frame);
     RootedString asyncCause(cx);
     JS::SavedFrameResult result = JS::GetSavedFrameAsyncCause(cx, frame, &asyncCause);
-    if (result == JS::SavedFrameResult::Ok && asyncCause)
+    if (result == JS::SavedFrameResult::Ok && asyncCause) {
+        if (!cx->compartment()->wrap(cx, &asyncCause))
+            return false;
         args.rval().setString(asyncCause);
-    else
+    } else {
         args.rval().setNull();
+    }
     return true;
 }
 
@@ -759,6 +768,8 @@ SavedFrame::asyncParentProperty(JSContext* cx, unsigned argc, Value* vp)
     THIS_SAVEDFRAME(cx, argc, vp, "(get asyncParent)", args, frame);
     RootedObject asyncParent(cx);
     (void) JS::GetSavedFrameAsyncParent(cx, frame, &asyncParent);
+    if (!cx->compartment()->wrap(cx, &asyncParent))
+        return false;
     args.rval().setObjectOrNull(asyncParent);
     return true;
 }
@@ -769,6 +780,8 @@ SavedFrame::parentProperty(JSContext* cx, unsigned argc, Value* vp)
     THIS_SAVEDFRAME(cx, argc, vp, "(get parent)", args, frame);
     RootedObject parent(cx);
     (void) JS::GetSavedFrameParent(cx, frame, &parent);
+    if (!cx->compartment()->wrap(cx, &parent))
+        return false;
     args.rval().setObjectOrNull(parent);
     return true;
 }

js/xpconnect/tests/unit/test_xray_SavedFrame-02.js

@@ -0,0 +1,75 @@
+// Test calling SavedFrame getters across wrappers from privileged and
+// un-privileged globals.
+
+const Cc = Components.classes;
+const Ci = Components.interfaces;
+const Cu = Components.utils;
+
+Cu.import("resource://gre/modules/jsdebugger.jsm");
+addDebuggerToGlobal(this);
+
+const lowP = Cc["@mozilla.org/nullprincipal;1"].createInstance(Ci.nsIPrincipal);
+const highP = Cc["@mozilla.org/systemprincipal;1"].createInstance(Ci.nsIPrincipal);
+
+const low  = new Cu.Sandbox(lowP);
+const high = new Cu.Sandbox(highP);
+
+function run_test() {
+  // Privileged compartment accessing unprivileged stack.
+  high.stack = getSavedFrameInstanceFromSandbox(low);
+  Cu.evalInSandbox("this.parent = stack.parent", high);
+  Cu.evalInSandbox("this.asyncParent = stack.asyncParent", high);
+  Cu.evalInSandbox("this.source = stack.source", high);
+  Cu.evalInSandbox("this.functionDisplayName = stack.functionDisplayName", high);
+
+  // Un-privileged compartment accessing privileged stack.
+  low.stack = getSavedFrameInstanceFromSandbox(high);
+  try {
+    Cu.evalInSandbox("this.parent = stack.parent", low);
+  } catch (e) { }
+  try {
+    Cu.evalInSandbox("this.asyncParent = stack.asyncParent", low);
+  } catch (e) { }
+  try {
+    Cu.evalInSandbox("this.source = stack.source", low);
+  } catch (e) { }
+  try {
+    Cu.evalInSandbox("this.functionDisplayName = stack.functionDisplayName", low);
+  } catch (e) { }
+
+  // Privileged compartment accessing privileged stack.
+  let stack = getSavedFrameInstanceFromSandbox(high);
+  let parent = stack.parent;
+  let asyncParent = stack.asyncParent;
+  let source = stack.source;
+  let functionDisplayName = stack.functionDisplayName;
+
+  ok(true, "Didn't crash");
+}
+
+// Get a SavedFrame instance from inside the given sandbox.
+//
+// We can't use Cu.getJSTestingFunctions().saveStack() because Cu isn't
+// available to sandboxes that don't have the system principal. The easiest way
+// to get the SavedFrame is to use the Debugger API to track allocation sites
+// and then do an allocation.
+function getSavedFrameInstanceFromSandbox(sandbox) {
+  const dbg = new Debugger(sandbox);
+
+  dbg.memory.trackingAllocationSites = true;
+  Cu.evalInSandbox("(function iife() { return new RegExp }())", sandbox);
+  const allocs = dbg.memory.drainAllocationsLog().filter(e => e.class === "RegExp");
+  dbg.memory.trackingAllocationSites = false;
+
+  ok(allocs[0], "We should observe the allocation");
+  const { frame } = allocs[0];
+
+  if (sandbox !== high) {
+    ok(Cu.isXrayWrapper(frame), "`frame` should be an xray...");
+    equal(Object.prototype.toString.call(Cu.waiveXrays(frame)),
+          "[object SavedFrame]",
+          "...and that xray should wrap a SavedFrame");
+  }
+
+  return frame;
+}

js/xpconnect/tests/unit/xpcshell.ini

@@ -126,3 +126,4 @@ head = head_watchdog.js
 [test_xpcwn_tamperproof.js]
 [test_xrayed_iterator.js]
 [test_xray_SavedFrame.js]
+[test_xray_SavedFrame-02.js]