Closed Bug 1530292 Opened 10 months ago Closed 10 months ago

Crash with instanceof and WindowProxy of sandboxed frame

Categories

(Core :: DOM: Core & HTML, defect, critical)

defect
Not set
critical

Tracking

()

RESOLVED FIXED
mozilla67
Tracking Status
firefox-esr60 --- unaffected
firefox65 --- unaffected
firefox66 --- unaffected
firefox67 --- fixed

People

(Reporter: annevk, Assigned: bzbarsky)

References

Details

(Keywords: regression)

Attachments

(1 file)

Navigate to data:text/html,<iframe sandbox></iframe><script>alert(frames[0] instanceof frames[0])</script>

Expected: no crash.

bz, is this perhaps related to the WindowProxy refactoring?

Flags: needinfo?(bzbarsky)

Yes. I had discovered this independently just a few minutes ago...

Flags: needinfo?(bzbarsky)
Duplicate of this bug: 1530388
Assignee: nobody → bzbarsky
Blocks: 1471496
Severity: normal → critical
Keywords: regression

Just for my records, the relevant stack bit is:

#8 0x00007f1f6e0c124d in js::ReportIsNotFunction(JSContext*, JS::Handle<JS::Value>) (cx=0x7f1f56525000, v=...)
at /home/bzbarsky/mozilla/debug/mozilla/js/src/jsfriendapi.cpp:1277
#9 0x00007f1f6d923677 in JS::InstanceofOperator(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, bool*) (cx=0x7f1f56525000, obj=..., v=..., bp=0x7ffe33a84897) at ../../../mozilla/js/src/vm/Interpreter.cpp:847
#10 0x00007f1f6d92396b in js::HasInstance(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, bool*) (cx=0x7f1f56525000, obj=..., v=..., bp=0x7ffe33a84897) at ../../../mozilla/js/src/vm/Interpreter.cpp:860
#11 0x00007f1f6e0fb1e5 in js::ForwardingProxyHandler::hasInstance(JSContext*, JS::Handle<JSObject*>, JS::MutableHandle<JS::Value>, bool*) const (this=0x7f1f71800988 <nsOuterWindowProxy::singleton>, cx=0x7f1f56525000, proxy=..., v=..., bp=0x7ffe33a84897)
at /home/bzbarsky/mozilla/debug/mozilla/js/src/proxy/Wrapper.cpp:221
#12 0x00007f1f6e0e9795 in js::Proxy::hasInstance(JSContext*, JS::Handle<JSObject*>, JS::MutableHandle<JS::Value>, bool*) (cx=0x7f1f56525000, proxy=..., v=..., bp=0x7ffe33a84897) at /home/bzbarsky/mozilla/debug/mozilla/js/src/proxy/Proxy.cpp:547
#13 0x00007f1f6d92391d in js::HasInstance(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, bool*) (cx=0x7f1f56525000, obj=..., v=..., bp=0x7ffe33a84897) at ../../../mozilla/js/src/vm/Interpreter.cpp:858
#14 0x00007f1f6e0fb1e5 in js::ForwardingProxyHandler::hasInstance(JSContext*, JS::Handle<JSObject*>, JS::MutableHandle<JS::Value>, bool*) const (this=0x7f1f717a92a0 <xpc::CrossOriginObjectWrapper::singleton>, cx=0x7f1f56525000, proxy=..., v=..., bp=0x7ffe33a84897)
at /home/bzbarsky/mozilla/debug/mozilla/js/src/proxy/Wrapper.cpp:221
#15 0x00007f1f6e0e9795 in js::Proxy::hasInstance(JSContext*, JS::Handle<JSObject*>, JS::MutableHandle<JS::Value>, bool*) (cx=0x7f1f56525000, proxy=..., v=..., bp=0x7ffe33a84897) at /home/bzbarsky/mozilla/debug/mozilla/js/src/proxy/Proxy.cpp:547
#16 0x00007f1f6d92391d in js::HasInstance(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, bool*) (cx=0x7f1f56525000, obj=..., v=..., bp=0x7ffe33a84897) at ../../../mozilla/js/src/vm/Interpreter.cpp:858

and then we fail a compartment check, as expected given that stack.

Pushed by bzbarsky@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/fec419c7471b
Fix crash when cross-compartment WindowProxy is used as RHS of instanceof.  r=jandem
Status: NEW → RESOLVED
Closed: 10 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla67
Component: DOM → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.