Bug 673503 - WaiveXrayAndWrap can create illegal objects
Status: RESOLVED FIXED
[inbound]
Product: Core
Classification: Components
Component: XPConnect
Version: Trunk
Platform: x86_64 Linux
Importance: -- normal
Target Milestone: mozilla8
Assigned To: Blake Kaplan (:mrbkap)
Reported: 2011-07-22 12:12 PDT by Blake Kaplan (:mrbkap)
Modified: 2011-07-27 03:44 PDT


Attachments
Proposed fix (1.98 KB, patch)
2011-07-22 12:25 PDT, Blake Kaplan (:mrbkap)
wmccloskey: review+

Description Blake Kaplan (:mrbkap) 2011-07-22 12:12:15 PDT
WrapperFactory::WaiveXrayAndWrap attempts to do (basically) .wrappedJSObject from C++. However, in the case where an object has a prototype from a different compartment, it creates proxies whose prototypes are from the different compartment. This could be one cause of the bugs that billm has been tracking down.

I originally thought that this could cause the assertion under JSWrapper::Trace; however, I don't think that's correct anymore. So it's likely that there's another bug lurking here.
Comment 1 Blake Kaplan (:mrbkap) 2011-07-22 12:25:55 PDT
Created attachment 547770
Proposed fix

This is the easiest fix I could find. I decided to leave the assertions in to catch other bugs of this type later.
Comment 2 Bill McCloskey (:billm) 2011-07-22 14:22:34 PDT
Comment on attachment 547770
Proposed fix

Review of attachment 547770:
-----------------------------------------------------------------

Thanks, Blake. This also makes me realize that there are some GC compartment assertions that are still disabled in release builds. That's why we don't have any crash reports for proto pointers.
Comment 3 Bill McCloskey (:billm) 2011-07-22 17:28:02 PDT
Comment on attachment 547770
Proposed fix

Sorry, forgot to +.
Comment 5 Marco Bonardo [::mak] (Away 6-20 Aug) 2011-07-27 03:44:13 PDT
http://hg.mozilla.org/mozilla-central/rev/14e7c0070059
