Closed Bug 868823 Opened 7 years ago Closed 7 years ago

Debugger unsafeDereference is unsafe with xrays

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set

Tracking

()

RESOLVED DUPLICATE of bug 867771

People

(Reporter: evilpie, Unassigned)

References

Details

(Keywords: regression)

Crash Data

https://crash-stats.mozilla.com/report/index/bp-53ad29ed-bdd9-48e9-b7f2-d9d502130505

Happens on current nightly.
Steps to reproduce:
1) Go to google.com
2) Open Web Console
3) Type in window.content
4) Click on [object Window] (which should open a dialog with all attributes)
5) CRASH
This crash stack involves DebuggerObject_unsafeDereference, which was added in bug 837723 (Fx23).  That's the most recent code that has changed in the stack, so I'd guess that's at fault.  This is debugger-only, so maybe not really s-s in that case.

Aside from that, there is lots of Xray-y stuff in the stack.  Code from bug 836301 (Fx 22) is the most recently changed that I can see.
Keywords: regression
Summary: crash in js::CompartmentChecker::fail with window.content → Debugger unsafeDereference is unsafe with xrays
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 867771
Group: core-security
You need to log in before you can comment on or make changes to this bug.