Closed
Bug 720305
Opened 13 years ago
Closed 13 years ago
"Assertion failure: compartment mismatched" with nodelist, custom length setter
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
mozilla12
People
(Reporter: jruderman, Assigned: mrbkap)
References
Details
(Keywords: assertion, testcase, Whiteboard: [sg:critical][qa+])
Attachments
(4 files)
165 bytes,
text/html
|
Details | |
9.17 KB,
text/plain
|
Details | |
2.98 KB,
patch
|
Waldo
:
review+
akeybl
:
approval-mozilla-esr10+
mrbkap
:
checkin+
|
Details | Diff | Splinter Review |
867 bytes,
patch
|
Details | Diff | Splinter Review |
No description provided.
Reporter | ||
Comment 1•13 years ago
|
||
Assignee | ||
Comment 2•13 years ago
|
||
Waldo explained over IRC that the construct Object.defineProperty(..., ..., { set: undefined }); creates a property that has a null setter but attributes with JSPROP_SETTER (and ditto for getters). I didn't realize this when writing this code, so we need an additional check to get this right.
Updated•13 years ago
|
Comment 3•13 years ago
|
||
totally guessing at sg:high due to "compartment mismatch". help?
Comment 4•13 years ago
|
||
Comment on attachment 591148 [details] [diff] [review]
Proposed fix v1
Review of attachment 591148 [details] [diff] [review]:
-----------------------------------------------------------------
I so wish our property descriptor API were like the ECMA one.
Attachment #591148 -
Flags: review?(jwalden+bmo) → review+
Assignee | ||
Comment 5•13 years ago
|
||
(In reply to Daniel Veditz from comment #3)
> totally guessing at sg:high due to "compartment mismatch". help?
This might be critical: we're treating an object that isn't a JSObject as a JSObject.
Assignee | ||
Comment 6•13 years ago
|
||
Assignee | ||
Comment 7•13 years ago
|
||
Comment on attachment 591148 [details] [diff] [review]
Proposed fix v1
https://hg.mozilla.org/integration/mozilla-inbound/rev/8085a3fff93c
Attachment #591148 -
Flags: checkin+
Comment 8•13 years ago
|
||
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla12
Updated•13 years ago
|
status-firefox-esr10:
--- → affected
status-firefox11:
--- → wontfix
tracking-firefox-esr10:
--- → 12+
tracking-firefox11:
--- → -
tracking-firefox12:
--- → +
Whiteboard: [sg:high] → [sg:critical]
Comment 10•13 years ago
|
||
[Triage Comment]
If this is ready to land on ESR, please nominate as per https://wiki.mozilla.org/Release_Management/ESR_Landing_Process
Assignee | ||
Updated•13 years ago
|
Attachment #591148 -
Flags: approval-mozilla-esr10?
Updated•13 years ago
|
Attachment #591148 -
Flags: approval-mozilla-esr10? → approval-mozilla-esr10+
Assignee | ||
Comment 11•13 years ago
|
||
Updated•13 years ago
|
Updated•13 years ago
|
Group: core-security
Flags: in-testsuite?
Comment 12•13 years ago
|
||
Blocks: 756584
Flags: in-testsuite? → in-testsuite+
Comment 13•13 years ago
|
||
(In reply to Ryan VanderMeulen from comment #12)
> Crashtest:
> https://hg.mozilla.org/integration/mozilla-inbound/rev/72d9b373a2b8
https://hg.mozilla.org/mozilla-central/rev/72d9b373a2b8
Verified on 10 esr, 13 beta, and nightly on 10.7
Status: RESOLVED → VERIFIED
You need to log in
before you can comment on or make changes to this bug.
Description
•