Closed
Bug 673503
Opened 14 years ago
Closed 14 years ago
WaiveXrayAndWrap can create illegal objects
Categories
(Core :: XPConnect, defect)
Tracking
()
RESOLVED
FIXED
mozilla8
People
(Reporter: mrbkap, Assigned: mrbkap)
Details
(Whiteboard: [inbound])
Attachments
(1 file)
|
1.98 KB,
patch
|
billm
:
review+
|
Details | Diff | Splinter Review |
WrapperFactory::WaiveXrayAndWrap attempts to do (basically) .wrappedJSObject from C++. However, in the case where an object has a prototype from a different compartment, it creates proxies whose prototypes are from the different compartment. This could be one cause of the bugs that billm has been tracking down.
I originally though that this could cause the assertion under JSWrapper::Trace, however, I don't think that's correct anymore. So it's likely that there's another bug lurking here.
|
Assignee | |
Comment 1•14 years ago
|
||
This is the easiest fix I could find. I decided to leave the assertions in to catch other bugs of this type later.
Attachment #547770 -
Flags: review?(wmccloskey)
Comment on attachment 547770 [details] [diff] [review]
Proposed fix
Review of attachment 547770 [details] [diff] [review]:
-----------------------------------------------------------------
Thanks, Blake. This also makes me realize that there are some GC compartment assertions that are still disabled in release builds. That's why we don't have any crash reports for proto pointers.
Comment on attachment 547770 [details] [diff] [review]
Proposed fix
Sorry, forgot to +.
Attachment #547770 -
Flags: review?(wmccloskey) → review+
|
|
Assignee | |
Comment 4•14 years ago
|
||
Whiteboard: [inbound]
|
||
Comment 5•14 years ago
|
||
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla8
You need to log in
before you can comment on or make changes to this bug.
Description
•