Debugger unsafeDereference is unsafe with xrays

RESOLVED DUPLICATE of bug 867771

Product: Core
Component: JavaScript Engine
Opened: 5 years ago
Updated: 2 years ago
Reporter: evilpie
Assignee: Unassigned
Blocks: 1 bug
Keywords: regression
Version: Trunk
Platform: x86_64, Linux
Firefox Tracking Flags: Not tracked
Description

5 years ago
https://crash-stats.mozilla.com/report/index/bp-53ad29ed-bdd9-48e9-b7f2-d9d502130505

Happens on current nightly.
Steps to reproduce:
1) Go to google.com
2) Open Web Console
3) Type in window.content
4) Click on [object Window] (which should open a dialog with all attributes)
5) CRASH

This crash stack involves DebuggerObject_unsafeDereference, which was added in bug 837723 (Fx23). That's the most recent code that has changed in the stack, so I'd guess that's at fault. This is debugger-only, so maybe not really s-s in that case.

Aside from that, there is lots of Xray-y stuff in the stack.  Code from bug 836301 (Fx 22) is the most recently changed that I can see.
Keywords: regression
Summary: crash in js::CompartmentChecker::fail with window.content → Debugger unsafeDereference is unsafe with xrays
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 867771
Group: core-security