Closed Bug 1643635 Opened 4 years ago Closed 4 years ago

The browser crashes when document.fonts.values() is used as a WeakMap key

Categories

(Core :: DOM: Bindings (WebIDL), defect)

Tracking

VERIFIED FIXED
mozilla79
Tracking Status
firefox79 --- verified

People

(Reporter: jonco, Assigned: smaug)

Attachments

(1 file)

If you type the following into the console:

  new WeakMap().set(document.fonts.values(), undefined);

This assertion fails: https://searchfox.org/mozilla-central/source/dom/bindings/BindingUtils.cpp#1147

Component: DOM: Core & HTML → DOM: CSS Object Model
Component: DOM: CSS Object Model → DOM: Bindings (WebIDL)

The method lets one have nsISupports objects not supporting nsWrapperCache, but non-nsISupports objects are required to inherit nsWrapperCache because of the assertion.

jonco is adding tests in https://bugzilla.mozilla.org/show_bug.cgi?id=1642974

Assignee: nobody → bugs
Status: NEW → ASSIGNED

https://bugzilla.mozilla.org/show_bug.cgi?id=1351501#c11 requested the assertion, and the patch should still check that
"We should also assert that addProperty is non-null if and only if domClass->mParticipant is non-null, right?"

Blocks: 1642974
Crash Signature: [@ mozilla::dom::TryPreserveWrapper]
Group: javascript-core-security
Pushed by opettay@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/431b35a5b06c
it is ok to have a cycle collected non-nsISupports class which doesn't inherit nsWrapperCache, r=mccr8,peterv
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla79

I can't seem to be able to reproduce this issue. Can you provide me with more specific steps or could you please check if the issue is reproducing on Firefox 79.0b2?

Flags: needinfo?(jcoppeard)

(In reply to Oana Botisan, Desktop Release QA from comment #8)
It's fixed on 79 but it reproduces on 78.

Flags: needinfo?(jcoppeard)

Thank you, Jon, for verifying the fix. That is fine because only 79 was fixed and the milestone is firefox79. I will mark this bug as verified fixed according to comment 9.

Status: RESOLVED → VERIFIED