Compartment mismatch crash involving saveFrameChain

RESOLVED FIXED in mozilla24

Status

Type: defect
Priority: --
Severity: critical
Status: RESOLVED FIXED
Reported: 6 years ago
Modified: 6 years ago

People

(Reporter: gkw, Assigned: jandem)

Tracking

(Blocks 1 bug, {crash, regression, testcase})

Version: Trunk
Target Milestone: mozilla24
Hardware: x86_64
OS: macOS
Bug Flags: in-testsuite +

Details

(Whiteboard: [jsbugmon:update], crash signature)

Attachments

(2 attachments)

Posted file stack
evalcx("\
    let z = 0;\
    z += 'x';\
    for (var v of z) {\
        y = evaluate(\"Object.defineProperty(this,\\\"y\\\",{ \
                            get:  function() {} \
                        } );\", { \
                            catchTermination: true,\
                            saveFrameChain: true\
                        }\
                    );\
        }",
    newGlobal('')
)

crashes js debug shell on m-c changeset 8d85de779506 without any CLI arguments at js::CompartmentChecker::fail (*** Compartment mismatch 0x101850400 vs. 0x101843c00 shown)

This testcase was previously filed as bug 876226 comment 8. Can all the testcases in that bug please be added to the testsuite?

(assuming also related to bug 875473)
Flags: needinfo?(jdemooij)
Duplicate of this bug: 877381
Posted patch Patch
Saving/restoring the frame chain can switch compartments, so we have to restore it before calling JS_WrapValue.
Assignee: general → jdemooij
Status: NEW → ASSIGNED
Attachment #756474 - Flags: review?(luke)
Flags: needinfo?(jdemooij)
Attachment #756474 - Flags: review?(luke) → review+
https://hg.mozilla.org/mozilla-central/rev/1c4403cbda57
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla24
(In reply to Ed Morley [:edmorley UTC+1] from comment #5)
> https://hg.mozilla.org/mozilla-central/rev/71f2968c7359

It seems that I made a mistake when writing the bug number in the commit message. This last push was actually for bug 877338. Sorry for the inconvenience.