Bug 791845 - Assertions in JS_ValueToString called by mozMatchesSelectorStub

Status: RESOLVED FIXED (opened 7 years ago, closed 7 years ago)
Product/Component: Core :: XPConnect
Type: defect
Severity: critical
Platform: x86_64 macOS
Whiteboard: [adv-track-main17-]
Blocks: 1 open bug

Tracking status:
firefox16 --- unaffected
firefox17 + fixed
firefox18 + fixed
firefox-esr10 --- unaffected

Reporter: jruderman
Assignee: gkrizsanits

Attachments: 3 files
Attached file testcase
The testcase asserts within JS_ValueToString called by mozMatchesSelectorStub.  Sometimes it's a compartment mismatch, sometimes it's a value assertion.

Assertion failure: (ptrBits & 0x7) == 0, at ../../../dist/include/jsval.h:708

Assertion failure: false (compartment mismatched), at /Users/jruderman/mozilla-central/js/src/jscntxtinlines.h:210

mozMatchesSelectorStub is not auto-generated; it was added in bug 763897.
Attached file stack trace
Over to gabor, per the regressing patch.
Assignee: nobody → gkrizsanits
Can I get a CC to bug 326633 ?
(In reply to Gabor Krizsanits [:krizsa :gabor] from comment #3)
> Can I get a CC to bug 326633 ?
That's just a metabug for one of Jesse's fuzzers. :)
Long story short, shame on me. I set the exception for <1 args before trying to call toString on the first arg, but forgot to return false.
Attachment #662076 - Flags: review?(bobbyholley+bmo)
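The pattern Gabor describes in the comment above, as an added illustration that is not Gecko or SpiderMonkey code: a stand-alone C model of a native stub that reports the too-few-arguments error but falls through and converts args[0] anyway, next to the corrected shape that returns false right after reporting. The engine types and helpers here (Context, Value, report_error, value_to_string), the element_matches selector check and the four-slot argument frame are simplified constructions for this example; the real mozMatchesSelectorStub and JSContext are not reproduced. The VAL_GARBAGE slot stands in for the unfilled argument slot whose contents tripped the "(ptrBits & 0x7) == 0" assertion in the report.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define FRAME_SLOTS 4

/* Stand-in for a JS value slot. VAL_GARBAGE models an argument slot the
 * caller never filled because argc was too small; reading it is the misuse
 * that the engine's debug assertions in the report catch. */
typedef enum { VAL_GARBAGE = 0, VAL_STRING } ValueTag;
typedef struct { ValueTag tag; const char *str; } Value;

/* Stand-in for the engine context (a real JSContext tracks far more). */
typedef struct {
    bool exception_pending;   /* set by report_error */
    bool assertion_hit;       /* a debug-build assertion would have fired */
    char last_error[64];
} Context;

static void report_error(Context *cx, const char *msg) {
    cx->exception_pending = true;
    snprintf(cx->last_error, sizeof cx->last_error, "%s", msg);
}

/* Model of value-to-string conversion: converting a never-initialized slot
 * is flagged the way an assertion would flag it. */
static const char *value_to_string(Context *cx, const Value *v) {
    if (v->tag == VAL_GARBAGE) {
        cx->assertion_hit = true;
        return NULL;
    }
    return v->str;
}

/* Constructed stand-in for selector matching: matches only the selector "div". */
static bool element_matches(const char *selector) {
    return selector != NULL && strcmp(selector, "div") == 0;
}

typedef bool (*Stub)(Context *cx, unsigned argc, Value *args, bool *rval);

/* Buggy shape described in the comment: the error is reported for argc < 1,
 * but control falls through and args[0] is converted anyway. */
static bool matches_selector_buggy(Context *cx, unsigned argc, Value *args, bool *rval) {
    if (argc < 1)
        report_error(cx, "Not enough arguments to mozMatchesSelector");
    /* BUG: the 'return false' belongs here. */
    const char *selector = value_to_string(cx, &args[0]);
    if (selector == NULL)
        return false;
    *rval = element_matches(selector);
    return true;
}

/* Corrected shape: report the error and return false immediately, so the
 * argument conversion below never runs on the error path. */
static bool matches_selector_fixed(Context *cx, unsigned argc, Value *args, bool *rval) {
    if (argc < 1) {
        report_error(cx, "Not enough arguments to mozMatchesSelector");
        return false;
    }
    const char *selector = value_to_string(cx, &args[0]);
    if (selector == NULL)
        return false;
    *rval = element_matches(selector);
    return true;
}

/* Everything observable about one call, for checking. */
typedef struct { bool ok, assertion_hit, exception_pending, matched; } Outcome;

/* Builds an argument frame the way a caller would (only the first argc
 * slots are filled, the rest stay VAL_GARBAGE) and invokes the stub. */
static Outcome probe(Stub stub, unsigned argc, const char *selector) {
    Value frame[FRAME_SLOTS];
    Context cx;
    Outcome out;
    memset(frame, 0, sizeof frame);   /* all slots start as VAL_GARBAGE */
    memset(&cx, 0, sizeof cx);
    if (argc >= 1) {
        frame[0].tag = VAL_STRING;
        frame[0].str = selector;
    }
    out.matched = false;
    out.ok = stub(&cx, argc, frame, &out.matched);
    out.assertion_hit = cx.assertion_hit;
    out.exception_pending = cx.exception_pending;
    return out;
}

int main(void) {
    Outcome b = probe(matches_selector_buggy, 0, NULL);
    Outcome f = probe(matches_selector_fixed, 0, NULL);
    printf("argc=0  buggy: assertion_hit=%d  fixed: assertion_hit=%d exception_pending=%d\n",
           b.assertion_hit, f.assertion_hit, f.exception_pending);
    Outcome ok = probe(matches_selector_fixed, 1, "div");
    printf("argc=1 selector=div: ok=%d matched=%d\n", ok.ok, ok.matched);
    return 0;
}
```

The zero-argument probe is the case the fuzzer testcase exercised: the buggy variant reaches value_to_string on an unfilled slot, while the fixed variant leaves the error pending and returns false without touching the frame. A crashtest built from the original testcase, as the review asked for, checks the same thing against the real stub.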
Comment on attachment 662076 [details] [diff] [review]
mozMatchesSelectorStub should return false on error

Please convert Jesse's testcase into a crashtest and check it in with this fix. r=bholley with that.
Attachment #662076 - Flags: review?(bobbyholley+bmo) → review+
https://hg.mozilla.org/mozilla-central/rev/650b2238e845
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
We'll want this fix on Firefox 17 as well since that's where the regressing bug landed. Please request approval to land on that branch.
Keywords: sec-high
Comment on attachment 662076 [details] [diff] [review]
mozMatchesSelectorStub should return false on error

[Approval Request Comment]
Bug caused by (feature/regressing bug #): 763897
User impact if declined: security bug if mozMatchesSelector through xray is called with 0 args
Testing completed (on m-c, etc.): green on try and on m-i
Risk to taking this patch (and alternatives if risky): trivial patch, minimal risk
String or UUID changes made by this patch: none
Attachment #662076 - Flags: approval-mozilla-aurora?
Comment on attachment 662076 [details] [diff] [review]
mozMatchesSelectorStub should return false on error

[Triage Comment]
sec-high FF17 regression, approving for Aurora.
Attachment #662076 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Whiteboard: [adv-track-main17-]
Group: core-security
mass remove verifyme requests greater than 4 months old
Keywords: verifyme