"Assertion failure: compartment mismatched" with InstallTrigger.install

Status: RESOLVED FIXED
Type: defect
Priority: --
Severity: critical
Opened: 9 years ago
Updated: 4 years ago
People: (Reporter: jruderman, Assigned: jst)
Tracking: (Blocks 1 bug, {crash, testcase})
Version: Trunk
Platform: x86, macOS
Firefox Tracking Flags: (blocking2.0 final+)
Whiteboard: [softblocker][sg:low]
Attachments: 3

No description provided.
Group: core-security
Posted file stack trace
Assignee: nobody → gal
blocking2.0: --- → final+
Whiteboard: [softblocker][sg:low]
Posted patch Fix.
This fixes this compartment mismatch, but I wonder if we need to push this JS_WrapValue() further down to cover other places where this could show up. In this particular case we have an InstallTrigger object that we've just wrapped with WrapNative() and the jsval we get back from it is a chrome object, with code running in the testcase compartment.
Attachment #509794 - Flags: review?(mrbkap)
Assignee: gal → jst
Attachment #509794 - Flags: review?(mrbkap) → review+
Landed:

http://hg.mozilla.org/mozilla-central/rev/bb740aa9e48e

And for the record, resolving the InstallTrigger property wasn't the problem here; the declaration of "external" was the trigger here, as evidenced by deeper digging by mrbkap. window.external is something that the sidebar code exposes (who knew?), and declaring it makes it enumerable. InstallTrigger.install() enumerates all properties on the given argument (window in this case), which ends up resolving window.external, which in turn leads to this compartment mismatch.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Group: core-security → core-security-release
Group: core-security-release
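
The mechanism described in the comments above, as a toy model added here (not code from this bug, the landed patch, or SpiderMonkey): a lazily resolved, enumerable property hands a chrome-compartment object to content code unless the resolve path wraps it first. All names (`newObject`, `wrapValue`, `assertSameCompartment`, `makeWindow`, `enumerateAll`) are hypothetical; `wrapValue` only stands in for the role `JS_WrapValue()` plays in the patch comment, and where the real assertion fires is simplified.

```javascript
// Toy model (constructed for illustration, not SpiderMonkey code): every
// object belongs to one compartment, and code running in compartment A may
// only touch an object from compartment B through a wrapper owned by A.
const owner = new WeakMap();            // object -> owning compartment name

function newObject(compartment, props = {}) {
  const obj = { ...props };
  owner.set(obj, compartment);
  return obj;
}

// Stand-in for the role JS_WrapValue() plays: return a value usable from `cx`.
function wrapValue(cx, value) {
  if (owner.get(value) === cx) return value;   // already in the same compartment
  const wrapper = new Proxy(value, {});        // models a cross-compartment wrapper
  owner.set(wrapper, cx);
  return wrapper;
}

// Stand-in for the engine's debug-build assertion.
function assertSameCompartment(cx, value) {
  if (owner.get(value) !== cx) {
    throw new Error(`compartment mismatched: ${cx} vs ${owner.get(value)}`);
  }
}

// A content window whose `external` property is resolved lazily to an object
// created in the chrome compartment. `wrapOnResolve` toggles the fix.
function makeWindow(wrapOnResolve) {
  const win = newObject("content");
  Object.defineProperty(win, "external", {
    enumerable: true,                    // declaring it made it enumerable
    get() {
      const native = newObject("chrome", { kind: "sidebar" });
      return wrapOnResolve ? wrapValue("content", native) : native;
    },
  });
  return win;
}

// Models install() enumerating every property of its argument from content.
function enumerateAll(cx, arg) {
  const seen = [];
  for (const key of Object.keys(arg)) {
    assertSameCompartment(cx, arg[key]);  // fires on an unwrapped chrome object
    seen.push(key);
  }
  return seen;
}
```

Calling `enumerateAll("content", makeWindow(false))` throws the mismatch error, while `makeWindow(true)` enumerates `external` cleanly because the value crosses the boundary through a wrapper.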