Closed Bug 1530292 Opened 5 years ago Closed 5 years ago

Crash with instanceof and WindowProxy of sandboxed frame

Categories

(Core :: DOM: Core & HTML, defect)

Product:
Core
Component:
DOM: Core & HTML
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla67
Tracking Flags:
Tracking Status
firefox-esr60 --- unaffected
firefox65 --- unaffected
firefox66 --- unaffected
firefox67 --- fixed

People

(Reporter: annevk, Assigned: bzbarsky)

References

Details

(Keywords: regression)

Attachments

(1 file)

Bug 1530292. Fix crash when cross-compartment WindowProxy is used as RHS of instanceof. r=jandem
47 bytes, text/x-phabricator-request
Details | Review

Navigate to data:text/html,<iframe sandbox></iframe><script>alert(frames[0] instanceof frames[0])</script>

Expected: no crash.

bz, is this perhaps related to the WindowProxy refactoring?

Flags: needinfo?(bzbarsky)

Yes. I had discovered this independently just a few minutes ago...

Flags: needinfo?(bzbarsky)
Assignee: nobody → bzbarsky
Blocks: 1471496
Severity: normal → critical
Keywords: regression

Just for my records, the relevant stack bit is:

#8 0x00007f1f6e0c124d in js::ReportIsNotFunction(JSContext*, JS::Handle<JS::Value>) (cx=0x7f1f56525000, v=...)
at /home/bzbarsky/mozilla/debug/mozilla/js/src/jsfriendapi.cpp:1277
#9 0x00007f1f6d923677 in JS::InstanceofOperator(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, bool*) (cx=0x7f1f56525000, obj=..., v=..., bp=0x7ffe33a84897) at ../../../mozilla/js/src/vm/Interpreter.cpp:847
#10 0x00007f1f6d92396b in js::HasInstance(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, bool*) (cx=0x7f1f56525000, obj=..., v=..., bp=0x7ffe33a84897) at ../../../mozilla/js/src/vm/Interpreter.cpp:860
#11 0x00007f1f6e0fb1e5 in js::ForwardingProxyHandler::hasInstance(JSContext*, JS::Handle<JSObject*>, JS::MutableHandle<JS::Value>, bool*) const (this=0x7f1f71800988 <nsOuterWindowProxy::singleton>, cx=0x7f1f56525000, proxy=..., v=..., bp=0x7ffe33a84897)
at /home/bzbarsky/mozilla/debug/mozilla/js/src/proxy/Wrapper.cpp:221
#12 0x00007f1f6e0e9795 in js::Proxy::hasInstance(JSContext*, JS::Handle<JSObject*>, JS::MutableHandle<JS::Value>, bool*) (cx=0x7f1f56525000, proxy=..., v=..., bp=0x7ffe33a84897) at /home/bzbarsky/mozilla/debug/mozilla/js/src/proxy/Proxy.cpp:547
#13 0x00007f1f6d92391d in js::HasInstance(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, bool*) (cx=0x7f1f56525000, obj=..., v=..., bp=0x7ffe33a84897) at ../../../mozilla/js/src/vm/Interpreter.cpp:858
#14 0x00007f1f6e0fb1e5 in js::ForwardingProxyHandler::hasInstance(JSContext*, JS::Handle<JSObject*>, JS::MutableHandle<JS::Value>, bool*) const (this=0x7f1f717a92a0 <xpc::CrossOriginObjectWrapper::singleton>, cx=0x7f1f56525000, proxy=..., v=..., bp=0x7ffe33a84897)
at /home/bzbarsky/mozilla/debug/mozilla/js/src/proxy/Wrapper.cpp:221
#15 0x00007f1f6e0e9795 in js::Proxy::hasInstance(JSContext*, JS::Handle<JSObject*>, JS::MutableHandle<JS::Value>, bool*) (cx=0x7f1f56525000, proxy=..., v=..., bp=0x7ffe33a84897) at /home/bzbarsky/mozilla/debug/mozilla/js/src/proxy/Proxy.cpp:547
#16 0x00007f1f6d92391d in js::HasInstance(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, bool*) (cx=0x7f1f56525000, obj=..., v=..., bp=0x7ffe33a84897) at ../../../mozilla/js/src/vm/Interpreter.cpp:858

and then we fail a compartment check, as expected given that stack.

Pushed by bzbarsky@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/fec419c7471b
Fix crash when cross-compartment WindowProxy is used as RHS of instanceof.  r=jandem

https://hg.mozilla.org/mozilla-central/rev/fec419c7471b

Status: NEW → RESOLVED
Closed: 5 years ago
status-firefox67: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla67
Component: DOM → DOM: Core & HTML
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: