Closed
Bug 642022
Opened 14 years ago
Closed 14 years ago
"Assertion failure: compartment mismatched" with InstallTrigger.constructor
Categories
(Core :: JavaScript Engine, defect)
Tracking
Status: RESOLVED FIXED
Target Milestone: mozilla5

| | Tracking | Status |
|---|---|---|
| status2.0 | --- | ? |
| status1.9.2 | --- | unaffected |
People
(Reporter: jruderman, Assigned: mrbkap)
Details
(Keywords: assertion, testcase, Whiteboard: [sg:critical?])
Attachments (3 files, 1 obsolete file)
- 99 bytes, text/html
- 5.18 KB, text/plain
- 1.78 KB, patch (gal: review+; dveditz: approval2.0+)
Description
Assertion failure: compartment mismatched, at js/src/jscntxtinlines.h:545
Comment 1 (Reporter) • 14 years ago
Comment 2 (Reporter) • 14 years ago
Reproduced with mozilla-central rev 4866be78732f and tracemonkey rev 67b102d581dd.
Comment 3 (Assignee) • 14 years ago
Comment 4 (Assignee) • 14 years ago
Comment on attachment 519564 (Patch): oops, wrong bug.
Attachment #519564 - Attachment is obsolete: true
Attachment #519564 - Flags: review?(jst)
Comment 5 (Assignee) • 14 years ago
This was the easiest fix.
Attachment #519573 - Flags: review?(gal)
Updated • 14 years ago
Attachment #519573 - Flags: review?(gal) → review+
Comment 6 • 14 years ago
Is this a compartment-leaking security bug (sg:high or worse), or just an oops? I don't crash in an opt build; is "testcase (crashes Firefox when loaded)" simply a fatal assert in a debug build?
Comment 7 • 14 years ago
I think this can cause problems during GC with compartment GCs. Based on that alone I would say sg:something.
Comment 8 (Assignee) • 14 years ago
From talking to billm on IRC, operating on JS objects in the wrong compartment can cause us to collect reachable objects during GC. That's sg:critical. So, we should probably consider this as [sg:critical?]. Looking at the code, I'm not convinced that this case in particular is actually exploitable at all (and the result of the code that causes the assertion is thrown away anyway) but it's better to be safe than sorry.
Updated • 14 years ago
Whiteboard: [sg:critical?]
Comment 9 (Assignee) • 14 years ago
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Updated • 14 years ago
Blocks: CVE-2011-2981
Comment 10 • 14 years ago
Per security group discussion, requesting landing on mozilla-2.0.
Updated • 14 years ago
Attachment #519573 - Flags: approval2.0?
Comment 11 • 14 years ago
Comment on attachment 519573 (Real patch): Approved for the mozilla2.0 repository, a=dveditz for release-drivers
Attachment #519573 - Flags: approval2.0? → approval2.0+
Updated • 13 years ago
Group: core-security
status1.9.2: --- → unaffected
Updated • 13 years ago
Target Milestone: --- → mozilla5