Closed Bug 616989 Opened 11 years ago Closed 11 years ago

JS_ASSERT when calling loadSubScript from a sandbox

Categories

(Core :: XPConnect, defect)

defect
Not set
normal

Tracking


RESOLVED FIXED
mozilla2.0b9
Tracking Status
blocking2.0 --- betaN+

People

(Reporter: mano, Assigned: mrbkap)

Details

(Keywords: crash, regression)

Attachments

(1 file)

When loadSubScript is called from a sandbox, executing the script asserts here:
http://hg.mozilla.org/mozilla-central/annotate/44641ad32c29/js/src/jsinterp.cpp#l960

To reproduce, try entering the following code in the JavaScript console:
var sandbox = Components.utils.Sandbox(window.top.opener);
sandbox.w = window.top.opener;
// Load a chrome script into the sandbox's view of the opener window (an Xray wrapper).
var codeStr = "Components.classes['@mozilla.org/moz/jssubscript-loader;1']." +
              "getService(Components.interfaces.mozIJSSubScriptLoader)." +
              "loadSubScript('chrome://global/content/globalOverlay.js', w);";
Components.utils.evalInSandbox(codeStr, sandbox);

On a debug build it crashes. I'm almost sure this is a recent regression.
Whiteboard: crash, regression
blocking2.0: --- → ?
Assignee: general → nobody
Component: JavaScript Engine → XPConnect
QA Contact: general → xpconnect
Attached patch: Possible fix
I don't really know what to do here. We have an Xray wrapper that's being used as the target for a subscript. It seems that the most obvious behavior is to unwrap it all the way (and then innerize), but it bothers me unwrapping it like this...
Assignee: nobody → mrbkap
Status: NEW → ASSIGNED
Attachment #495634 - Flags: review?(jst)
This regression triggers a fatal assertion, we need to fix this for 2.0, and I think we should take mrbkap's proposed fix.
blocking2.0: ? → betaN+
Comment on attachment 495634: Possible fix

I agree that this seems a bit like something we don't want to do, but given what we have to work with here I don't see a better way to deal with this.
Attachment #495634 - Flags: review?(jst) → review+
http://hg.mozilla.org/tracemonkey/rev/f010a983d577
Keywords: crash, regression
Whiteboard: crash, regression → fixed-in-tracemonkey
Summary: JS_ASSERT when calling loadSubScript from a sandbox → [ready to land] JS_ASSERT when calling loadSubScript from a sandbox
Pushed:
https://hg.mozilla.org/mozilla-central/rev/43bdb3403733
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Whiteboard: fixed-in-tracemonkey
Target Milestone: --- → mozilla2.0b9
Version: unspecified → Trunk
Summary: [ready to land] JS_ASSERT when calling loadSubScript from a sandbox → JS_ASSERT when calling loadSubScript from a sandbox