Closed Bug 1676615 Opened 4 years ago Closed 4 years ago

In mozjs-60, we create a class in one compartment, instantiate it in another, and get a seg fault at DestroyContext.

Categories: Core :: JavaScript Engine, defect

RESOLVED INVALID

People

(Reporter: kevin_carhart, Unassigned)


Attachments

(1 file)

Attached file crossinstantiation.cpp

User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:82.0) Gecko/20100101 Firefox/82.0

Steps to reproduce:

Ran my program with the class and object in a different compartment. (Please see attachment)

Actual results:

A seg fault occurred in DestroyContext() when embedding mozjs-60, though not when embedding mozjs-52.

Expected results:

Should have exited normally.

This has always been invalid use of the API. JS_DefineProperty(cx, g2, "link", v, 0); requires that cx, g2, and v be same-compartment. Here the value v is g1, a global in a different compartment.

The rule is enforced with assertions in debug builds—we strongly recommend using a debug build for development, as there are many assertions that check API usage, and the API is very error-prone without those checks.

Marking this as RESOLVED INVALID which just means it looks like there is not a bug to fix.

Status: UNCONFIRMED → RESOLVED
Closed: 4 years ago
Resolution: --- → INVALID
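To make the same-compartment rule concrete without a SpiderMonkey build, here is an added, self-contained C++ model of it; it is not the attached crossinstantiation.cpp and not mozjs code. The names Compartment, Context, Object, defineProperty, wrap, unwrap, linkWithoutWrapping and linkWithWrapping are all invented for this illustration. defineProperty checks the precondition that the real JS_DefineProperty asserts in debug builds (context, object and value in one compartment), and wrap models what an embedding does to satisfy it: enter the target compartment (JSAutoCompartment in mozjs-60) and pass the foreign value through JS_WrapValue so that the property holds a local cross-compartment wrapper rather than the foreign object itself.

```cpp
#include <cstdio>
#include <memory>
#include <string>
#include <unordered_map>
#include <utility>
#include <vector>

// Toy model (added example, not SpiderMonkey): every object belongs to exactly
// one Compartment, and a Context is "entered" into one compartment at a time.
struct Compartment;

struct Object {
    Compartment* compartment;            // compartment that owns this object
    Object* wrappedTarget = nullptr;     // set only on cross-compartment wrappers
    std::unordered_map<std::string, Object*> props;
    explicit Object(Compartment* c) : compartment(c) {}
};

struct Compartment {
    std::string name;
    std::vector<std::unique_ptr<Object>> objects;   // owned by this compartment
    std::unordered_map<Object*, Object*> wrappers;  // foreign target -> local wrapper
    explicit Compartment(std::string n) : name(std::move(n)) {}
    Object* newObject() {
        objects.push_back(std::make_unique<Object>(this));
        return objects.back().get();
    }
};

struct Context {
    Compartment* current = nullptr;      // compartment the context is entered into
};

// Model of JS_DefineProperty's precondition: cx, obj and value must share a
// compartment. A debug build of mozjs asserts here; this model returns false
// instead so the violation can be observed without aborting.
bool defineProperty(Context& cx, Object* obj, const std::string& name, Object* value) {
    if (cx.current != obj->compartment || cx.current != value->compartment)
        return false;
    obj->props[name] = value;
    return true;
}

// Model of JS_WrapValue: a value from another compartment is replaced by a
// wrapper living in cx's current compartment that points at the original.
Object* wrap(Context& cx, Object* value) {
    if (value->compartment == cx.current)
        return value;                    // already local, nothing to do
    Object*& w = cx.current->wrappers[value];
    if (!w) {                            // one wrapper per target per compartment
        w = cx.current->newObject();
        w->wrappedTarget = value;
    }
    return w;
}

// Follow a wrapper back to the object it stands for (identity for plain objects).
Object* unwrap(Object* o) {
    while (o->wrappedTarget) o = o->wrappedTarget;
    return o;
}

// The pattern from the report: g1 is the global of one compartment, g2 of
// another, and g2.link is set to g1 while entered into g2's compartment.
bool linkWithoutWrapping() {
    Compartment c1("c1"), c2("c2");
    Object* g1 = c1.newObject();
    Object* g2 = c2.newObject();
    Context cx; cx.current = &c2;
    return defineProperty(cx, g2, "link", g1);   // false: g1 is foreign to c2
}

// Same setup, but g1 is wrapped into c2 first, which is what makes it valid.
bool linkWithWrapping() {
    Compartment c1("c1"), c2("c2");
    Object* g1 = c1.newObject();
    Object* g2 = c2.newObject();
    Context cx; cx.current = &c2;
    Object* v = wrap(cx, g1);
    if (!defineProperty(cx, g2, "link", v))
        return false;
    // The stored property is a c2-local wrapper that resolves back to g1,
    // and wrapping g1 again yields the same wrapper.
    Object* stored = g2->props["link"];
    return stored->compartment == &c2 && unwrap(stored) == g1 && wrap(cx, g1) == v;
}

int main() {
    std::printf("unwrapped link accepted: %s\n", linkWithoutWrapping() ? "yes" : "no");
    std::printf("wrapped link accepted:   %s\n", linkWithWrapping() ? "yes" : "no");
    return 0;
}
```

The model only returns false where a debug mozjs build would assert and a release build would silently corrupt its bookkeeping (the DestroyContext crash in the report is the delayed symptom of exactly that), which is why the comment above recommends developing against a debug build.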

Thanks Jason, we appreciate the help.

