Closed Bug 720305 Opened 13 years ago Closed 13 years ago

"Assertion failure: compartment mismatched" with nodelist, custom length setter

Categories

(Core :: JavaScript Engine, defect)

x86_64
macOS
defect
Not set
critical

Tracking

VERIFIED FIXED
mozilla12
Tracking Status
firefox11 - wontfix
firefox12 + verified
firefox-esr10 12+ verified
status1.9.2 --- unaffected

People

(Reporter: jruderman, Assigned: mrbkap)

Details

(Keywords: assertion, testcase, Whiteboard: [sg:critical][qa+])

Attachments

(4 files)

No description provided.
Attached file stack trace
Attached patch Proposed fix v1
Waldo explained over IRC that the construct Object.defineProperty(..., ..., { set: undefined }); creates a property that has a null setter but attributes with JSPROP_SETTER (and ditto for getters). I didn't realize this when writing this code, so we need an additional check to get this right.
Assignee: general → mrbkap
Status: NEW → ASSIGNED
Attachment #591148 - Flags: review?(jwalden+bmo)
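The distinction described in the comment above, shown at script level as an added example that is not part of the bug thread, the patch, or the attached testcase. The helper names are hypothetical, and treating "descriptor has a set slot" as the analogue of the JSPROP_SETTER attribute is an assumption made for illustration.

```javascript
'use strict';
// Added example. describeSetter, callSetterUnchecked and callSetterChecked are
// hypothetical helper names, not SpiderMonkey or DOM-binding functions.

// Report two facts separately: whether the descriptor has a setter slot
// (script-level analogue of the JSPROP_SETTER attribute, an assumption here)
// and whether that slot holds something callable (a non-null setter).
function describeSetter(obj, key) {
  const desc = Object.getOwnPropertyDescriptor(obj, key);
  if (desc === undefined) {
    return { kind: 'missing', hasSetterSlot: false, setterCallable: false };
  }
  const hasSetterSlot = 'set' in desc;
  return {
    kind: (hasSetterSlot || 'get' in desc) ? 'accessor' : 'data',
    hasSetterSlot,
    setterCallable: typeof desc.set === 'function',
  };
}

// Mistaken pattern: "it is an accessor" is taken to mean "there is a setter".
function callSetterUnchecked(obj, key, value) {
  const desc = Object.getOwnPropertyDescriptor(obj, key);
  if (desc && 'set' in desc) {
    desc.set.call(obj, value); // throws TypeError when set is undefined
    return true;
  }
  return false;
}

// Corrected pattern: require the setter itself before using it.
function callSetterChecked(obj, key, value) {
  const desc = Object.getOwnPropertyDescriptor(obj, key);
  if (!desc || typeof desc.set !== 'function') return false;
  desc.set.call(obj, value);
  return true;
}

// Constructed sample objects (not the bug's testcase).
const noSetter = Object.defineProperty({}, 'length', { set: undefined });
const withSetter = Object.defineProperty({ stored: 0 }, 'length', {
  set(v) { this.stored = v; },
});

console.log(describeSetter(noSetter, 'length'));
console.log(callSetterChecked(noSetter, 'length', 5));
console.log(callSetterChecked(withSetter, 'length', 5), withSetter.stored);
```

In script the unchecked path fails safely with a TypeError; the thread's concern is the native-code equivalent, where no such check exists unless it is written.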
Whiteboard: [sg:high]
totally guessing at sg:high due to "compartment mismatch". help?
Comment on attachment 591148 Proposed fix v1

Review of attachment 591148:

I so wish our property descriptor API were like the ECMA one.
Attachment #591148 - Flags: review?(jwalden+bmo) → review+
(In reply to Daniel Veditz from comment #3)
> totally guessing at sg:high due to "compartment mismatch". help?

This might be critical: we're treating an object that isn't a JSObject as a JSObject.
Attached patch crashtest
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla12
Whiteboard: [sg:high] → [sg:critical]
[Triage Comment] If this is ready to land on ESR, please nominate as per https://wiki.mozilla.org/Release_Management/ESR_Landing_Process
Whiteboard: [sg:critical] → [sg:critical][qa+]
Attachment #591148 - Flags: approval-mozilla-esr10?
Attachment #591148 - Flags: approval-mozilla-esr10? → approval-mozilla-esr10+
Blocks: 756584
Group: core-security
Flags: in-testsuite?
No longer blocks: 756584
Blocks: 756584
Flags: in-testsuite? → in-testsuite+
Verified on 10 esr, 13 beta, and nightly on 10.7
Status: RESOLVED → VERIFIED