WaiveXrayAndWrap can create illegal objects

RESOLVED FIXED in mozilla8

Status

Product: Core
Component: XPConnect
Status: RESOLVED FIXED
Reported: 6 years ago
Modified: 6 years ago

People

(Reporter: mrbkap, Assigned: mrbkap)

Tracking

Version: Trunk
Target Milestone: mozilla8
Platform: x86_64
OS: Linux
Points: ---

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [inbound])

Attachments

(1 attachment)

Description (mrbkap, Assignee, 6 years ago)

WrapperFactory::WaiveXrayAndWrap attempts to do (basically) .wrappedJSObject from C++. However, in the case where an object has a prototype from a different compartment, it creates proxies whose prototypes are from the different compartment. This could be one cause of the bugs that billm has been tracking down.

I originally thought that this could cause the assertion under JSWrapper::Trace; however, I don't think that's correct anymore. So it's likely that there's another bug lurking here.
Comment 1 (mrbkap, Assignee, 6 years ago)

Created attachment 547770 [details] [diff] [review]
Proposed fix

This is the easiest fix I could find. I decided to leave the assertions in to catch other bugs of this type later.

Attachment #547770 - Flags: review?(wmccloskey)
Comment 2

Comment on attachment 547770 [details] [diff] [review]
Proposed fix

Review of attachment 547770 [details] [diff] [review]:

Thanks, Blake. This also makes me realize that there are some GC compartment assertions that are still disabled in release builds. That's why we don't have any crash reports for proto pointers.
Comment 3

Comment on attachment 547770 [details] [diff] [review]
Proposed fix

Sorry, forgot to +.

Attachment #547770 - Flags: review?(wmccloskey) → review+
Comment 4 (mrbkap, Assignee, 6 years ago)

http://hg.mozilla.org/integration/mozilla-inbound/rev/14e7c0070059

Whiteboard: [inbound]

http://hg.mozilla.org/mozilla-central/rev/14e7c0070059

Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla8