Closed
Bug 616989
Opened 14 years ago
Closed 14 years ago
JS_ASSERT when calling loadSubScript from a sandbox
Categories
(Core :: XPConnect, defect)
Tracking
Status: RESOLVED FIXED
Target Milestone: mozilla2.0b9
Tracking | Status | |
---|---|---|
blocking2.0 | --- | betaN+ |
People
(Reporter: asaf, Assigned: mrbkap)
Details
(Keywords: crash, regression)
Attachments
(1 file)
patch, 1.53 KB (jst: review+)
When loadSubScript is called from a sandbox, executing the script asserts here: http://hg.mozilla.org/mozilla-central/annotate/44641ad32c29/js/src/jsinterp.cpp#l960

To reproduce, try entering the following code in the JavaScript console:

```js
// Create a sandbox using the opener window as its principal.
var sandbox = Components.utils.Sandbox(window.top.opener);
// Expose the opener window to sandboxed code as `w`.
sandbox.w = window.top.opener;
// Code run inside the sandbox: load a chrome script with `w` as the target object.
var codeStr = "Components.classes['@mozilla.org/moz/jssubscript-loader;1']." +
              "getService(Components.interfaces.mozIJSSubScriptLoader)." +
              "loadSubScript('chrome://global/content/globalOverlay.js', w);";
Components.utils.evalInSandbox(codeStr, sandbox);
```

On a debug build it crashes. I'm almost sure this is a recent regression.
Reporter
Updated•14 years ago
Whiteboard: crash, regression
Updated•14 years ago
blocking2.0: --- → ?
Assignee
Updated•14 years ago
Assignee: general → nobody
Component: JavaScript Engine → XPConnect
QA Contact: general → xpconnect
Assignee
Comment 1•14 years ago
I don't really know what to do here. We have an Xray wrapper that's being used as the target for a subscript. It seems that the most obvious behavior is to unwrap it all the way (and then innerize), but it bothers me unwrapping it like this...
Comment 2•14 years ago
This regression triggers a fatal assertion, we need to fix this for 2.0, and I think we should take mrbkap's proposed fix.
blocking2.0: ? → betaN+
Comment 3•14 years ago
Comment on attachment 495634: Possible fix
I agree that this seems a bit like something we don't want to do, but given what we have to work with here I don't see a better way to deal with it here.
Attachment #495634 - Flags: review?(jst) → review+
Assignee
Comment 4•14 years ago
http://hg.mozilla.org/tracemonkey/rev/f010a983d577
Keywords: crash, regression
Whiteboard: crash, regression → fixed-in-tracemonkey
Updated•14 years ago
Summary: JS_ASSERT when calling loadSubScript from a sandbox → [ready to land] JS_ASSERT when calling loadSubScript from a sandbox
Comment 5•14 years ago
Pushed: https://hg.mozilla.org/mozilla-central/rev/43bdb3403733
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Whiteboard: fixed-in-tracemonkey
Target Milestone: --- → mozilla2.0b9
Version: unspecified → Trunk
Updated•14 years ago
Summary: [ready to land] JS_ASSERT when calling loadSubScript from a sandbox → JS_ASSERT when calling loadSubScript from a sandbox