Created attachment 519561: testcase (crashes Firefox when loaded)
Assertion failure: compartment mismatched, at js/src/jscntxtinlines.h:545
Reproduced with mozilla-central rev 4866be78732f and tracemonkey rev 67b102d581dd.
Created attachment 519564: Patch
Assignee: general → mrbkap
Status: NEW → ASSIGNED
Attachment #519564 - Flags: review?(jst)
Comment on attachment 519564 (Patch): oops, wrong bug.
Created attachment 519573: Real patch
This was the easiest fix.
Attachment #519573 - Flags: review?(gal)
Is this a compartment-leaking security bug (sg:high or worse), or just an oops? I don't crash in an opt build, is "testcase (crashes Firefox when loaded)" simply a fatal assert in a debug build?
I think this can cause problems during GC with compartment GCs. Based on that alone I would say sg:something.
From talking to billm on IRC, operating on JS objects in the wrong compartment can cause us to collect reachable objects during GC. That's sg:critical. So, we should probably consider this as [sg:critical?]. Looking at the code, I'm not convinced that this case in particular is actually exploitable at all (and the result of the code that causes the assertion is thrown away anyway) but it's better to be safe than sorry.
Status: ASSIGNED → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → FIXED
Per security group discussion, requesting landing on mozilla-2.0.
status2.0: --- → ?
Comment on attachment 519573 (Real patch): Approved for the mozilla2.0 repository, a=dveditz for release-drivers
Attachment #519573 - Flags: approval2.0? → approval2.0+