Closed
Bug 1040181
Opened 10 years ago
Closed 10 years ago
Transplant crash when setting document.domain with a cross-compartment eval reference
Categories
(Core :: XPConnect, defect)
Tracking
()
RESOLVED
FIXED
mozilla33
People
(Reporter: bholley, Assigned: bholley)
References
Details
Attachments
(1 file)
3.28 KB,
patch
|
gkrizsanits
:
review+
|
Details | Diff | Splinter Review |
We have belt-and-suspenders code in WrapperFactory::Rewrap that checks if somebody is trying to wrap a cross-origin |eval| or |Function|, and makes the wrap fail. This is unfortunate, because we also have transplant code that MOZ_CRASHes when the transplant fails. This makes me hit a MOZ_CRASH in js::RemapWrapper, which might be related to the crashes we're seeing in bug 856670. Instead of returning null, we should just return an opaque wrapper. It would also be nice to redesign the callback to return a Wrapper& to make it clearer that it should never intentionally return null.
Assignee | ||
Comment 1•10 years ago
|
||
Attachment #8458280 -
Flags: review?(gkrizsanits)
Comment 2•10 years ago
|
||
Comment on attachment 8458280 [details] [diff] [review] Use an opaque wrapper rather than failing in Rewrap. v1 Review of attachment 8458280 [details] [diff] [review]: ----------------------------------------------------------------- Yeah, this seems a lot nicer approach than a hard crash. ::: js/xpconnect/tests/chrome/test_documentdomain.xul @@ +51,5 @@ > win1A.storeReference(win1B); > win1B.storeReference(win1A); > ok(win1A.tryToAccessStored(), "Stored references work when same-origin"); > + win1A.evalFromB = Cu.unwaiveXrays(win1B.eval); // Crashtest for bug 1040181. > + win1B.functionFromA = Cu.unwaiveXrays(win1A.Function); // Crashtest for bug 1040181. A call attempt would be nice...
Attachment #8458280 -
Flags: review?(gkrizsanits) → review+
Assignee | ||
Comment 3•10 years ago
|
||
https://tbpl.mozilla.org/?tree=Try&rev=5816b069362d
Assignee | ||
Comment 4•10 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/6fb5b8d67c00 KaiRo, once this lands and settles, can you check whether it has any impact on the crash volume for bug 856670?
Flags: needinfo?(kairo)
Comment 5•10 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/6fb5b8d67c00
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla33
Comment 6•10 years ago
|
||
(In reply to Bobby Holley (:bholley) from comment #4) > KaiRo, once this lands and settles, can you check whether it has any impact > on the crash volume for bug 856670? Looking at the graph tab on https://crash-stats.mozilla.com/report/list?signature=js::RemapWrapper%28JSContext*,%20JSObject*,%20JSObject*%29 for nightly and a little longer time range doesn't look like anything changed around 7/20. Also, looking at the build ID facet of https://crash-stats.mozilla.com/search/?signature=~js%3A%3ARemapWrapper&release_channel=nightly&date=>2014-05-01&_facets=build_id&_columns=date&_columns=signature&_columns=product&_columns=version&_columns=build_id&_columns=platform and actually sorting by build ID also does not imply a change there.
Flags: needinfo?(kairo)
You need to log in
before you can comment on or make changes to this bug.
Description
•