Created attachment 632588: browser testcase (crashes when loaded, in a random way)

This testcase hits the "compartment mismatch" assertion. Or crashes trying to evaluate that assertion. Or crashes somewhere else.

The first bad revision is:
changeset: 1bdd81c4d926
user: Bobby Holley
date: Tue Jun 12 15:44:14 2012 +0200
summary: Bug 762432 - Handle proxies on __lookupGetter__ and __lookupSetter__. r=jorendorff

Created attachment 632589: shell testcase

You have to feed this to the shell using "<". I even tried evaluate() with various options and could not get it to crash. I would like to know why, so I can improve jsfunfuzz if needed.

Created attachment 633108: patch v1
Attachment #633108 - Flags: review?(jorendorff)
I couldn't write a reliable crashtest for this. :-(
Eh? Both testcases are reliable for me.
(In reply to Jesse Ruderman from comment #4)
> Eh? Both testcases are reliable for me.

Yeah, but when I converted the browser one to a crashtest it didn't crash for some reason. I'm pretty swamped with security stuff at the moment so I decided to cut my losses and stop messing around with it.
For me, the patch fixes a valgrind warning for "./js a.js", and a crash (both in and out of valgrind) for "./js < a.js".
I'd just check in the shell testcase and hope we (eventually) do runs under Valgrind often enough.
status-firefox-esr10: --- → unaffected
status-firefox15: --- → unaffected
status-firefox16: --- → affected
tracking-firefox16: --- → +
Attachment #633108 - Flags: review?(jorendorff) → review+
Assignee: general → bobbyholley+bmo
Target Milestone: --- → mozilla16
Status: NEW → RESOLVED
Last Resolved: 6 years ago
status-firefox16: affected → fixed
Resolution: --- → FIXED
Verified fixed in 6-19 jsshell.
Status: RESOLVED → VERIFIED
Whiteboard: [fuzzblocker] → [fuzzblocker][advisory-tracking-]
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug764289.js.