Closed
Bug 616989
Opened 15 years ago
Closed 15 years ago
JS_ASSERT when calling loadSubScript from a sandbox
Categories
(Core :: XPConnect, defect)
Tracking
(RESOLVED FIXED, mozilla2.0b9)
| Tracking | Status | |
|---|---|---|
| blocking2.0 | --- | betaN+ |
People
(Reporter: asaf, Assigned: mrbkap)
Details
(Keywords: crash, regression)
Attachments
(1 file: patch, 1.53 KB, jst: review+)
When loadSubScript is called from a sandbox, executing the script asserts here:
http://hg.mozilla.org/mozilla-central/annotate/44641ad32c29/js/src/jsinterp.cpp#l960
To reproduce, try entering the following code in the JavaScript console:
```js
// Create a sandbox for the opener window and expose that window to it as `w`.
var sandbox = Components.utils.Sandbox(window.top.opener);
sandbox.w = window.top.opener;
// Code run inside the sandbox: load a chrome script with `w` as the target object.
var codeStr = "Components.classes['@mozilla.org/moz/jssubscript-loader;1']." +
              "getService(Components.interfaces.mozIJSSubScriptLoader)." +
              "loadSubScript('chrome://global/content/globalOverlay.js', w);";
Components.utils.evalInSandbox(codeStr, sandbox);
```
On a debug build it crashes. I'm almost sure this is a recent regression.
Reporter
Updated•15 years ago
Whiteboard: crash, regression
Updated•15 years ago
blocking2.0: --- → ?
Assignee
Updated•15 years ago
Assignee: general → nobody
Component: JavaScript Engine → XPConnect
QA Contact: general → xpconnect
Assignee
Comment 1•15 years ago
I don't really know what to do here. We have an Xray wrapper that's being used as the target for a subscript. It seems that the most obvious behavior is to unwrap it all the way (and then innerize), but it bothers me unwrapping it like this...
Comment 2•15 years ago
This regression triggers a fatal assertion, we need to fix this for 2.0, and I think we should take mrbkap's proposed fix.
blocking2.0: ? → betaN+
Comment 3•15 years ago
Comment on attachment 495634
Possible fix
I agree that this seems a bit like something we don't want to do, but given what we have to work with here I don't see a better way to deal with this here.
Attachment #495634 - Flags: review?(jst) → review+
Assignee
Comment 4•15 years ago
Keywords: crash, regression
Whiteboard: crash, regression → fixed-in-tracemonkey
Updated•15 years ago
Summary: JS_ASSERT when calling loadSubScript from a sandbox → [ready to land] JS_ASSERT when calling loadSubScript from a sandbox
Comment 5•15 years ago
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Whiteboard: fixed-in-tracemonkey
Target Milestone: --- → mozilla2.0b9
Version: unspecified → Trunk
Updated•15 years ago
Summary: [ready to land] JS_ASSERT when calling loadSubScript from a sandbox → JS_ASSERT when calling loadSubScript from a sandbox