path: root/js/xpconnect/tests/unit/test_xray_SavedFrame-02.js
// Test calling SavedFrame getters across wrappers from privileged and
// un-privileged globals.

// Install the Debugger constructor on this test global;
// getSavedFrameInstanceFromSandbox() below calls `new Debugger(sandbox)`.
const {addDebuggerToGlobal} = ChromeUtils.importESModule("resource://gre/modules/jsdebugger.sys.mjs");
addDebuggerToGlobal(globalThis);

// The two principals the test crosses: a freshly created null principal for
// the un-privileged side and a system principal instance for the privileged
// side.
const lowP = Services.scriptSecurityManager.createNullPrincipal({});
const highP = Cc["@mozilla.org/systemprincipal;1"].createInstance(Ci.nsIPrincipal);

// One sandbox per principal. `high` is also compared against by identity in
// getSavedFrameInstanceFromSandbox() to decide whether the xray checks apply.
const low  = new Cu.Sandbox(lowP);
const high = new Cu.Sandbox(highP);

/**
 * Test entry point. Reads the SavedFrame getters `parent`, `asyncParent`,
 * `source` and `functionDisplayName` in three privilege combinations and
 * passes when execution reaches the final `ok(true, ...)`.
 *
 * NOTE(review): this is a crash-regression test only. It does not assert
 * whether the un-privileged sandbox is denied access, or what values it
 * observes; any such guarantee has to be covered by a separate test.
 */
function run_test() {
  // Scripts evaluated inside a sandbox; each one reads a single getter off the
  // sandbox's `stack` global and stores the result on the sandbox global.
  const getterReads = [
    "this.parent = stack.parent",
    "this.asyncParent = stack.asyncParent",
    "this.source = stack.source",
    "this.functionDisplayName = stack.functionDisplayName",
  ];

  // Privileged sandbox reading a frame captured in the un-privileged sandbox.
  // Nothing is caught here, so an exception from any read fails the test.
  high.stack = getSavedFrameInstanceFromSandbox(low);
  for (const script of getterReads) {
    Cu.evalInSandbox(script, high);
  }

  // Un-privileged sandbox reading a frame captured in the privileged sandbox.
  // Every read is wrapped individually: an exception from one getter must not
  // stop the remaining getters from being exercised.
  low.stack = getSavedFrameInstanceFromSandbox(high);
  for (const script of getterReads) {
    try {
      Cu.evalInSandbox(script, low);
    } catch (e) {
      // Deliberately ignored: a thrown exception is an acceptable outcome
      // here, the test only checks that the process survives the access.
    }
  }

  // Privileged test global reading a frame captured in the privileged sandbox.
  // The values are discarded; only invoking each getter matters.
  const privilegedFrame = getSavedFrameInstanceFromSandbox(high);
  for (const getterName of ["parent", "asyncParent", "source", "functionDisplayName"]) {
    void privilegedFrame[getterName];
  }

  ok(true, "Didn't crash");
}

// Get a SavedFrame instance from inside the given sandbox.
//
// We can't use Cu.getJSTestingFunctions().saveStack() because Cu isn't
// available to sandboxes that don't have the system principal. The easiest way
// to get the SavedFrame is to use the Debugger API to track allocation sites
// and then do an allocation.
/**
 * Capture the allocation-site frame of a RegExp created inside `sandbox`.
 *
 * @param {object} sandbox - A Cu.Sandbox; becomes a debuggee of a new Debugger.
 * @returns {object} The `frame` recorded for the first RegExp allocation in
 *   the drained allocations log.
 */
function getSavedFrameInstanceFromSandbox(sandbox) {
  const tracker = new Debugger(sandbox);

  // Record allocation sites only around the single allocation we trigger.
  tracker.memory.trackingAllocationSites = true;
  Cu.evalInSandbox("(function iife() { return new RegExp }())", sandbox);
  const regExpAllocations = tracker.memory
    .drainAllocationsLog()
    .filter(entry => entry.class === "RegExp");
  tracker.memory.trackingAllocationSites = false;

  const firstAllocation = regExpAllocations[0];
  ok(firstAllocation, "We should observe the allocation");
  const frame = firstAllocation.frame;

  // The wrapper checks are skipped only for the privileged sandbox.
  if (sandbox === high) {
    return frame;
  }

  // For any other sandbox the frame must reach this global as an xray.
  // Cu.waiveXrays() is used here solely to confirm the class of the wrapped
  // object; the caller still receives the un-waived `frame`.
  ok(Cu.isXrayWrapper(frame), "`frame` should be an xray...");
  equal(Object.prototype.toString.call(Cu.waiveXrays(frame)),
        "[object SavedFrame]",
        "...and that xray should wrap a SavedFrame");

  return frame;
}