crash when calling evalInSandbox from within a sandbox

RESOLVED WORKSFORME

Status

Core
JavaScript Engine
--
critical
7 years ago
7 years ago

People

(Reporter: Jesse Ruderman, Unassigned)

Tracking

(Blocks: 1 bug, {assertion, crash, testcase})

Trunk
x86
Mac OS X

Firefox Tracking Flags

(blocking2.0 -)

Details

(Whiteboard: fixed?)

(Reporter)

Description

7 years ago
In TM-branch xpcshell:

var s = Components.utils.Sandbox("http://www.example.com/");
s.evalInSandbox = Components.utils.evalInSandbox;
Components.utils.evalInSandbox("evalInSandbox('5', null)", s);

###!!! ASSERTION: Bad caller!: 'system', file js/src/xpconnect/src/xpccomponents.cpp, line 3591

Crash [@ JSObject::getClass | XPCWrapper::IsSecurityWrapper]
blocking2.0: --- → ?
Summary: Can't call evalInSandbox from within a sandbox → crash when calling evalInSandbox from within a sandbox
Hrm, this is somehow wfm on trunk (I remember seeing this myself).

Try pasting this code in the js console:
var sandbox = Components.utils.Sandbox(window.top.opener);
sandbox.w = window.top.opener;
Components.utils.evalInSandbox("var s = Components.utils.Sandbox(w); s.w = w; Components.utils.evalInSandbox('w.alert(1)', s);", sandbox);
This WFM on TM tip xpcshell.
Status: NEW → RESOLVED
blocking2.0: ? → -
Last Resolved: 7 years ago
Resolution: --- → WORKSFORME