Closed
Bug 1506861
Opened 6 years ago
Closed 6 years ago
Accessing "prototype" or keys of Proxy with XrayWrapper causes crash / assertion failure
Categories
(Core :: XPConnect, defect)
Tracking
()
RESOLVED
FIXED
mozilla65
| Tracking | Status | |
|---|---|---|
| firefox65 | --- | fixed |
People
(Reporter: robwu, Assigned: robwu)
Details
Attachments
(1 file)
Proxy objects have no prototype, yet trying to access the property over a XrayWrapper results in a crash. STR: Cu.sandbox(null).Proxy.prototype; or Object.keys(Cu.sandbox(null).Proxy); Assertion failure: isObject(), at objdir-debug/dist/include/js/Value.h:795 #01: js::GlobalObject::getOrCreatePrototype(JSContext*, JSProtoKey) (js/src/vm/GlobalObject.h:182) #02: JS_GetClassPrototype(JSContext*, JSProtoKey, JS::MutableHandle<JSObject*>) (js/src/jsapi.cpp:1192) #03: xpc::JSXrayTraits::resolveOwnProperty(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>, JS::Handle<JSObject*>, JS::Handle<jsid>, JS::MutableHandle<JS::PropertyDescriptor>) (js/xpconnect/wrappers/XrayWrapper.cpp:595) There is a crash report of this at bp-1320578c-776c-4384-8cd9-3564a0181113, but it is currently of limited use due to bug 1506781. [1] https://searchfox.org/mozilla-central/rev/7f7c353e969e61a6a85201cc8ad3c3de12ac30d8/js/src/vm/GlobalObject.h#182 [2] https://searchfox.org/mozilla-central/rev/7f7c353e969e61a6a85201cc8ad3c3de12ac30d8/js/src/jsapi.cpp#1192 [3] https://searchfox.org/mozilla-central/rev/7f7c353e969e61a6a85201cc8ad3c3de12ac30d8/js/xpconnect/wrappers/XrayWrapper.cpp#595
|
Assignee | |
Comment 1•6 years ago
|
||
Pushed by rob@robwu.nl: https://hg.mozilla.org/integration/autoland/rev/8a8fbc85088e Stop accessing Proxy.prototype in XrayWrapper r=bholley
|
||
Comment 3•6 years ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/8a8fbc85088e
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
status-firefox65:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla65
You need to log in
before you can comment on or make changes to this bug.
Description
•