822691 - "ABORT: wrong compartment" with setUserData on node whose __proto__ is from a different frame

Status: RESOLVED FIXED

(Core :: XPConnect, defect)

Description

[Jesse Ruderman]

Attachment: testcase (asserts fatally when loaded)

###!!! ABORT: wrong compartment: 'js::IsObjectInContextCompartment(scope, mJSContext)', file XPCInlines.h, line 110

(Related to bug 764307 / bug 645560?)

(I hope settable __proto__ isn't being standardized.)

Comment 1

[Jesse Ruderman]

Attachment: stack

Comment 2

[Boris Zbarsky [:bzbarsky]]

699   JS::Value result;
700   aError = nsContentUtils::XPConnect()->VariantToJS(aCx, GetWrapper(), oldData,
701                                                     &result);

So the key is that aCx comes in on the compartment of the proto, since that's where the method was found.  But GetWrapper() is in a different compartment....

We should be entering the compartment of GetWrapper() here, I think.  Sorry I missed that when reviewing.  :(

GetUserData has the same problem, afaict.

The good news is that I think this is trunk-only, since bug 812333 is Firefox 20 only.

Comment 3

[Boris Zbarsky [:bzbarsky]]

Oh, and I would think that doing get/setUserData via Xrays would have the same problem.

Comment 4

[Al Billings [:abillings - ex-MoCo]]

Boris, who can we assign this to?

Comment 5

[Boris Zbarsky [:bzbarsky]]

Attachment: Need to enter the right compartment before working with objects from it.

Comment 6

[Boris Zbarsky [:bzbarsky]]

This patch on its own fails tests because of bug 825025.  So I'll need to land that first.

Comment 7

[Boris Zbarsky [:bzbarsky]]

https://hg.mozilla.org/integration/mozilla-inbound/rev/2618c84dd765

Comment 8

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/mozilla-central/rev/2618c84dd765