Debugger unsafeDereference is unsafe with xrays

RESOLVED DUPLICATE of bug 867771

Status

()

RESOLVED DUPLICATE of bug 867771
6 years ago
4 years ago

People

(Reporter: evilpie, Unassigned)

Tracking

(Blocks: 1 bug, {regression})

Trunk
x86_64
Linux
regression
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(crash signature)

(Reporter)

Description

6 years ago
https://crash-stats.mozilla.com/report/index/bp-53ad29ed-bdd9-48e9-b7f2-d9d502130505

Happens on current nightly.
Steps to reproduce:
1) Go to google.com
2) Open Web Console
3) Type in window.content
4) Click on [object Window] (which should open a dialog with all attributes)
5) CRASH
This crash stack involves DebuggerObject_unsafeDereference, which was added in bug 837723 (Fx23).  That's the most recent code that has changed in the stack, so I'd guess that's at fault.  This is debugger-only, so maybe not really s-s in that case.

Aside from that, there is lots of Xray-y stuff in the stack.  Code from bug 836301 (Fx 22) is the most recently changed that I can see.
Keywords: regression
Summary: crash in js::CompartmentChecker::fail with window.content → Debugger unsafeDereference is unsafe with xrays
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 867771
Group: core-security
You need to log in before you can comment on or make changes to this bug.