Closed
Bug 780288
Opened 12 years ago
Closed 12 years ago
"Assertion failure: false (compartment mismatched)," or "Assertion failure: JSVAL_IS_OBJECT_OR_NULL_IMPL(JSVAL_TO_IMPL(v)),"
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
mozilla17
People
(Reporter: gkw, Assigned: luke)
References
Details
(Keywords: assertion, regression, testcase, Whiteboard: [shell only])
Attachments
(3 files)
s = newGlobal() try { evalcx("\ Object.defineProperty(this,\"i\",{enumerable:true,get:function(){t}});\ for each(y in this)true\ ", s) } catch (e) {} try { evalcx("\ for(z=0,(7).watch(\"\",eval);;g){\ if(z=1){({t:function(){}})\ }\ ", s) } catch (e) {} try { evalcx("\ Object.defineProperty(this,\"g2\",{get:function(){return this}});\ g2.y()\ ", s) } catch (e) {} asserts js debug shell on m-c changeset 030feb4315fc without any CLI arguments at Assertion failure: false (compartment mismatched), while a variant asserts at Assertion failure: JSVAL_IS_OBJECT_OR_NULL_IMPL(JSVAL_TO_IMPL(v)) : s = newGlobal() try { evalcx("\ Object.defineProperty(this,\"i\",{enumerable:true,get:function(){t}});\ for each(y in this)true\ ", s) } catch (e) {} try { evalcx("\ for(z=0,(7).watch(\"\",eval);;g){\ if(z=1){({t:function(){}})\ }\ ", s) } catch (e) {} try { evalcx("\ Object.defineProperty(this,\"g2\",{get:function(){return this}});\ g2.y(\"\")\ ", s) } catch (e) {}
Reporter | ||
Updated•12 years ago
|
Group: core-security
Keywords: assertion
Summary: "Assertion failure: false (compartment mismatched)," or "Assertion failure: JSVAL_IS_OBJECT_OR_NULL_IMPL(JSVAL_TO_IMPL(v)), → "Assertion failure: false (compartment mismatched)," or "Assertion failure: JSVAL_IS_OBJECT_OR_NULL_IMPL(JSVAL_TO_IMPL(v)),"
Reporter | ||
Comment 1•12 years ago
|
||
Locking s-s because compartment mismatched bugs are usually bad.
status-firefox17:
--- → affected
Reporter | ||
Comment 2•12 years ago
|
||
(not sure which one is correct) Regression window of the first testcase in comment 0: autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: 97470:68c396f305f4 user: Luke Wagner date: Wed Jun 20 08:57:29 2012 -0700 summary: Bug 755186 - rm JS_NewGlobalObject (r=jorendorff) Regression window of the second testcase in comment 0: The first bad revision is: changeset: 101160:a91040f69ea3 user: Steve Fink date: Mon Jul 23 13:37:31 2012 -0700 summary: Bug 777219 - Prepare SpiderMonkey for a fully rooted API; r=bhackett
Assignee | ||
Comment 3•12 years ago
|
||
Does this reproduce for you on anything other than 32-bit windows? I can't repro on 64-bit debug linux.
By the way, it's really useful to have a stack trace along with bugs like this.
Reporter | ||
Comment 5•12 years ago
|
||
Stack for "Assertion failure: false (compartment mismatched)," Sorry for missing out the stack, also repros in m-c changeset a7fadfbad932
Reporter | ||
Comment 6•12 years ago
|
||
Stack for "Assertion failure: JSVAL_IS_OBJECT_OR_NULL_IMPL(JSVAL_TO_IMPL(v)),"
Reporter | ||
Comment 7•12 years ago
|
||
(In reply to Luke Wagner [:luke] from comment #3) > Does this reproduce for you on anything other than 32-bit windows? I can't > repro on 64-bit debug linux. I don't think I can check this till next week.
Assignee | ||
Comment 8•12 years ago
|
||
These both seem related to the Help() shell function...
Assignee | ||
Comment 9•12 years ago
|
||
Oh, heh: - for comment 5, I suspect the problem is that JS_GetGlobalObject(cx) can be in a different compartment than cx, so we need to AutoEnterCompartment - for comment 7, I think we need to check JSVAL_IS_PRIMITIVE before calling JSVAL_TO_OBJECT
Comment 10•12 years ago
|
||
I'm going to guess at sec-moderate because comment 8 seems to say this specific testcase isn't a problem in release builds, but comment 9 is saying there might be a more generic issue underlying it.
Keywords: sec-moderate
Assignee | ||
Comment 11•12 years ago
|
||
Oh, no, comment 9 is just commenting on two bugs in the shell function Help().
Comment 12•12 years ago
|
||
I'm going to mark it sec-critical then due to the compartment mismatch.
Keywords: sec-moderate → sec-critical
Assignee | ||
Comment 13•12 years ago
|
||
The compartment mismatch is caused by the shell function, so I don't think it's s-s. I'll just write a patch and see if I'm right; I was just eye-balling it in comment 9.
Assignee | ||
Comment 14•12 years ago
|
||
I can't repro the crash so I can't verify the assert, but this patch fixes the two flagrant bugs. Gary: can you verify?
Attachment #650669 -
Flags: feedback?(gary)
Reporter | ||
Comment 15•12 years ago
|
||
Comment on attachment 650669 [details] [diff] [review] maybe fix I verify that the 2 asserts are indeed fixed by this patch, thanks Luke!
Attachment #650669 -
Flags: feedback?(gary) → feedback+
Assignee | ||
Comment 16•12 years ago
|
||
Comment on attachment 650669 [details] [diff] [review] maybe fix (Assume I add the test-cases)
Attachment #650669 -
Flags: review?(wmccloskey)
Assignee | ||
Comment 17•12 years ago
|
||
comment 15 confirms comment 13, so removing s-s.
Group: core-security
Updated•12 years ago
|
Keywords: sec-critical
Updated•12 years ago
|
Whiteboard: [shell only]
Attachment #650669 -
Flags: review?(wmccloskey) → review+
Assignee | ||
Comment 18•12 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/bb4c98f406c0
Severity: critical → minor
Target Milestone: --- → mozilla17
Comment 19•12 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/bb4c98f406c0
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Updated•12 years ago
|
status-firefox17:
affected → ---
Reporter | ||
Comment 20•12 years ago
|
||
Testcases have been added to the testsuite -> VERIFIED.
Status: RESOLVED → VERIFIED
Flags: in-testsuite+
Reporter | ||
Updated•12 years ago
|
Assignee: general → luke
You need to log in
before you can comment on or make changes to this bug.
Description
•