Closed Bug 642022 Opened 10 years ago Closed 10 years ago
"Assertion failure: compartment mismatched" with Install
Assertion failure: compartment mismatched, at js/src/jscntxtinlines.h:545
Reproduced with mozilla-central rev 4866be78732f and tracemonkey rev 67b102d581dd.
Assignee: general → mrbkap
Status: NEW → ASSIGNED
Attachment #519564 - Flags: review?(jst)
Comment on attachment 519564 [details] [diff] [review] (Patch)
oops, wrong bug.
This was the easiest fix.
Attachment #519573 - Flags: review?(gal)
Is this a compartment-leaking security bug (sg:high or worse), or just an oops? I don't crash in an opt build, is "testcase (crashes Firefox when loaded)" simply a fatal assert in a debug build?
I think this can cause problems during GC with compartment GCs. Based on that alone I would say sg:something.
From talking to billm on IRC, operating on JS objects in the wrong compartment can cause us to collect reachable objects during GC. That's sg:critical. So, we should probably consider this as [sg:critical?]. Looking at the code, I'm not convinced that this case in particular is actually exploitable at all (and the result of the code that causes the assertion is thrown away anyway) but it's better to be safe than sorry.
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Comment on attachment 519573 [details] [diff] [review] (Real patch)
Approved for the mozilla2.0 repository, a=dveditz for release-drivers
Attachment #519573 - Flags: approval2.0? → approval2.0+