Closed
Bug 1183907
Opened 9 years ago
Closed 9 years ago
URL object in workers doesn't traverse its wrapper
Categories
(Core :: DOM: Core & HTML, defect)
Tracking
()
VERIFIED
FIXED
mozilla42
| Tracking | Status | |
|---|---|---|
| firefox40 | --- | unaffected |
| firefox41 | --- | unaffected |
| firefox42 | --- | verified |
| firefox-esr31 | --- | unaffected |
| firefox-esr38 | --- | unaffected |
| b2g-v2.0 | --- | unaffected |
| b2g-v2.0M | --- | unaffected |
| b2g-v2.1 | --- | unaffected |
| b2g-v2.1S | --- | unaffected |
| b2g-v2.2 | --- | unaffected |
| b2g-v2.2r | --- | unaffected |
| b2g-master | --- | fixed |
People
(Reporter: smaug, Assigned: smaug)
References
Details
(Keywords: regression, sec-high)
Attachments
(1 file)
|
1.46 KB,
patch
|
baku
:
review+
|
Details | Diff | Splinter Review |
Load http://mozilla.pettay.fi/workerconsole/ and type the following to the upper textarea
var u = new URL("about:blank");
u.foo = u;
#0 0x00007fffee0a02f6 in nsWrapperCache::CheckCCWrapperTraversal(void*, nsScriptObjectTracer*) (this=0x7fffb9113e28, aScriptObjectHolder=0x7fffb9113e20, aTracer=0x7ffff51b6ae8 <mozilla::dom::workers::URL::_cycleCollectorGlobal>) at /home/smaug/mozilla/hg/push-m-i/dom/base/nsWrapperCache.cpp:125
#1 0x00007fffed488582 in nsWrapperCache::PreserveWrapper(void*, nsScriptObjectTracer*) (this=0x7fffb9113e28, aScriptObjectHolder=0x7fffb9113e20, aTracer=0x7ffff51b6ae8 <mozilla::dom::workers::URL::_cycleCollectorGlobal>) at /home/smaug/mozilla/hg/push-m-i/js/xpconnect/wrappers/../../../dom/base/nsWrapperCache.h:251
#2 0x00007fffed486d87 in nsWrapperCache::PreserveWrapper(nsISupports*) (this=0x7fffb9113e28, aScriptObjectHolder=0x7fffb9113e20)
at /home/smaug/mozilla/hg/push-m-i/js/xpconnect/wrappers/../../../dom/base/nsWrapperCache.h:238
#3 0x00007fffeea94b63 in mozilla::dom::PreserveWrapperHelper<mozilla::dom::workers::URL, true>::PreserveWrapper(mozilla::dom::workers::URL*) (aObject=0x7fffb9113e20)
at ../../dist/include/mozilla/dom/BindingUtils.h:2639
#4 0x00007fffeea94b35 in mozilla::dom::PreserveWrapper<mozilla::dom::workers::URL>(mozilla::dom::workers::URL*) (aObject=0x7fffb9113e20) at ../../dist/include/mozilla/dom/BindingUtils.h:2646
#5 0x00007fffee970035 in mozilla::dom::URLBinding_workers::_addProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>) (cx=0x7fffc3ccae40, obj=..., id=..., val=...)
at ./URLBinding.cpp:2423
#6 0x00007ffff2169290 in js::CallJSAddPropertyOp(JSContext*, bool (*)(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>), JS::Handle<JSObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>) (cx=0x7fffc3ccae40, op=0x7fffee96ffd0 <mozilla::dom::URLBinding_workers::_addProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::Handle<JS::Value>)>, obj=..., id=..., v=...)
at /home/smaug/mozilla/hg/push-m-i/js/src/jscntxtinlines.h:330
I never remember why we have so different URL impl on workers.
|
Assignee | |
Updated•9 years ago
|
Assignee: nobody → bugs
|
|
Assignee | |
Comment 1•9 years ago
|
||
Attachment #8633780 -
Flags: review?(amarchesini)
|
||
Updated•9 years ago
|
Attachment #8633780 -
Flags: review?(amarchesini) → review+
|
|
Assignee | |
Comment 2•9 years ago
|
||
|
||
Comment 3•9 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/3ba60b819403
What's the severity of this? Does it affect other branches?
Status: NEW → RESOLVED
Closed: 9 years ago
status-firefox42:
--- → fixed
Flags: needinfo?(bugs)
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla42
|
|
Assignee | |
Comment 4•9 years ago
|
||
Doesn't affect other branches. Regression from Bug 1177916.
Flags: needinfo?(bugs)
|
|
||
Updated•9 years ago
|
status-b2g-v2.0:
--- → unaffected
status-b2g-v2.0M:
--- → unaffected
status-b2g-v2.1:
--- → unaffected
status-b2g-v2.1S:
--- → unaffected
status-b2g-v2.2:
--- → unaffected
status-b2g-v2.2r:
--- → unaffected
status-b2g-master:
--- → fixed
status-firefox40:
--- → unaffected
status-firefox41:
--- → unaffected
status-firefox-esr31:
--- → unaffected
status-firefox-esr38:
--- → unaffected
|
||
Updated•9 years ago
|
Keywords: regression
|
||
Updated•9 years ago
|
Group: dom-core-security → release-core-security
|
||
Comment 5•9 years ago
|
||
Reproduced with Nightly asan build from 2015-07-14, under Ubuntu 12.04 64-bit: tab crash encountered with STR via comment 0.
No crash encountered with 42.0RC build 1 (Build ID: 20151026170526), across platforms [1].
[1] Ubuntu 12.04 64-bit, Windows 10 64-bit and Mac OS X 10.11
Status: RESOLVED → VERIFIED
|
|
||
Updated•9 years ago
|
Group: core-security-release
|
||
Updated•6 years ago
|
Component: DOM → DOM: Core & HTML
You need to log in
before you can comment on or make changes to this bug.
Description
•