"Assertion failure: p.found()" with gczeal and chrome-content interaction

RESOLVED FIXED in mozilla16

Status


Core
JavaScript Engine
--
critical
RESOLVED FIXED
5 years ago
5 years ago

People

(Reporter: Jesse Ruderman, Assigned: billm)

Tracking

({assertion, testcase})

Trunk
mozilla16
x86_64
Mac OS X
assertion, testcase
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [js:p1:fx16])

Attachments

(3 attachments)

(Reporter)

Description

5 years ago
Created attachment 627423 [details]
testcase (requires extension)

1. Install https://www.squarefree.com/extensions/domFuzzLite3.xpi (version 2012-05-25 or higher)

2. Load the testcase.

Result:

Assertion failure: p.found(), at js/src/jsproxy.cpp:1474
(Reporter)

Comment 1

5 years ago
Created attachment 627425 [details]
stack trace
(Assignee)

Updated

5 years ago
Assignee: general → wmccloskey

Comment 2

5 years ago
fwiw, I hit this on nightly winxp once at http://www.podnapisi.net/en/ppodnapisi/podnapis/i/1691083/showRelease/1/showYear/0/shortFormat/0/translateTitle/1 but it is not reproducible.
pseudo stack:
    proxy_TraceObject
    js::GCMarker::processMarkStackTop(js::SliceBudget&)
    js::GCMarker::drainMarkStack(js::SliceBudget&)
    NonIncrementalMark
    GCCycle
(Assignee)

Comment 3

5 years ago
Created attachment 633277 [details] [diff] [review]
fix

The assertion is saying that every cross-compartment wrapper should be registered in the wrapper map. This invariant is temporarily violated when creating the wrapper. We can GC during the period when it's violated.

I don't think this is a problem. The object being wrapped should always be on the stack during the violation, so any GC at that time is guaranteed to scan the wrapped object. That's all we really care about, so I think we're safe.

This patch just keeps a count of how many invocations of JSCompartment::wrap are on the stack. If this number is non-zero, then we don't do the assertion.
Attachment #633277 - Flags: review?(luke)
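The invariant and the fix described in comment 3, as an added C++ illustration that is not SpiderMonkey code or the attached patch: the wrapper type, wrapper map and depth counter are simplified stand-ins, the GC "slice" is driven explicitly by a parameter, and the assertion is modelled as an exception so both the unpatched and patched behaviour can be compared in one process.

```cpp
// Model of the p.found() invariant and of the in-flight wrap() counter.
#include <deque>
#include <set>
#include <stdexcept>
struct Wrapper { int *wrapped; };   // stand-in for a cross-compartment wrapper
struct Compartment {
    std::deque<Wrapper> heap;        // owns wrappers; deque keeps pointers stable
    std::set<Wrapper *> wrapperMap;  // stand-in for the wrapper map the GC checks
    int wrapDepth = 0;               // the patch: wrap() calls currently on the stack

    // GC marking of a wrapper. The real code asserts the lookup succeeded; here
    // the assertion is an exception so both variants can run in one process.
    void traceWrapper(Wrapper *w, bool patched) {
        bool found = wrapperMap.count(w) != 0;
        // Patched: a missing entry is tolerated only while wrap() is running,
        // because the wrapped object is still reachable from the stack then.
        if (!found && !(patched && wrapDepth > 0))
            throw std::logic_error("Assertion failure: p.found()");
    }

    // Create a wrapper for obj. Between allocating the wrapper and inserting it
    // into the map, "every wrapper is in the map" does not hold.
    Wrapper *wrap(int *obj, bool patched, bool gcMidWrap) {
        ++wrapDepth;
        heap.push_back(Wrapper{obj});
        Wrapper *w = &heap.back();     // wrapper exists, not yet in the map
        if (gcMidWrap)
            traceWrapper(w, patched);  // a GC lands in the window
        wrapperMap.insert(w);
        --wrapDepth;
        return w;
    }
};

// True if a GC that interrupts wrap() gets past the check.
bool gcDuringWrapPasses(bool patched) {
    Compartment c;
    int obj = 42;                      // constructed sample object
    try { c.wrap(&obj, patched, true); return true; }
    catch (const std::logic_error &) { return false; }
}

// True if a GC after wrap() has finished gets past the check.
bool gcAfterWrapPasses(bool patched) {
    Compartment c;
    int obj = 42;                      // constructed sample object
    Wrapper *w = c.wrap(&obj, patched, false);
    try { c.traceWrapper(w, patched); return true; }
    catch (const std::logic_error &) { return false; }
}
```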

Updated

5 years ago
Attachment #633277 - Flags: review?(luke) → review+
Whiteboard: [js:p1:fx16]
(Assignee)

Comment 4

5 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/57054d8b1582

Also, this is not sensitive.
Group: core-security
Target Milestone: --- → mozilla16

Comment 5

5 years ago
https://hg.mozilla.org/mozilla-central/rev/57054d8b1582
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED