Closed Bug 791845 Opened 7 years ago Closed 7 years ago
Assertions in JS
_Value To String called by moz Matches Selector Stub
The testcase asserts within JS_ValueToString called by mozMatchesSelectorStub. Sometimes it's a compartment mismatch, sometimes it's a value assertion. Assertion failure: (ptrBits & 0x7) == 0, at ../../../dist/include/jsval.h:708 Assertion failure: false (compartment mismatched), at /Users/jruderman/mozilla-central/js/src/jscntxtinlines.h:210 mozMatchesSelectorStub is not auto-generated; it was added in bug 763897.
Over to gabor, per the regressing patch.
Assignee: nobody → gkrizsanits
Can I get a CC to bug 326633 ?
(In reply to Gabor Krizsanits [:krizsa :gabor] from comment #3) > Can I get a CC to bug 326633 ? That's just a metabug for one of Jesse's fuzzers. :)
Long story short, shame on me. I set the exception for <1 args before trying to call toString on the first arg, but forgot to return false.
Attachment #662076 - Flags: review?(bobbyholley+bmo)
Comment on attachment 662076 [details] [diff] [review] mozMatchesSelectorStub should return false on error Please convert Jesse's testcase into a crashtest and check it in with this fix. r=bholley with that.
Attachment #662076 - Flags: review?(bobbyholley+bmo) → review+
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
We'll want this fix on Firefox 17 as well since that's where the regressing bug landed. Please request approval to land on that branch.
Comment on attachment 662076 [details] [diff] [review] mozMatchesSelectorStub should return false on error [Approval Request Comment] Bug caused by (feature/regressing bug #): 763897 User impact if declined: security bug if mozMatchesSelector through xray called with 0 args Testing completed (on m-c, etc.): green on try and on m-i Risk to taking this patch (and alternatives if risky): trivial patch, minimal risk String or UUID changes made by this patch: none
Attachment #662076 - Flags: approval-mozilla-aurora?
Comment on attachment 662076 [details] [diff] [review] mozMatchesSelectorStub should return false on error [Triage Comment] sec-high FF17 regression, approving for Aurora.
Attachment #662076 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
mass remove verifyme requests greater than 4 months old
You need to log in before you can comment on or make changes to this bug.