877378 - Compartment mismatch crash involving saveFrameChain

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Attachment: stack

evalcx("\
    let z = 0;\
    z += 'x';\
    for (var v of z) {\
        y = evaluate(\"Object.defineProperty(this,\\\"y\\\",{ \
                            get:  function() {} \
                        } );\", { \
                            catchTermination: true,\
                            saveFrameChain: true\
                        }\
                    );\
        }",
    newGlobal('')
)

crashes js debug shell on m-c changeset 8d85de779506 without any CLI arguments at js::CompartmentChecker::fail (*** Compartment mismatch 0x101850400 vs. 0x101843c00 shown)

This testcase was previously filed as bug 876226 comment 8. Can all the testcases in that bug please be added to the testsuite?

(assuming also related to bug 875473)

Comment 2

[Jan de Mooij [:jandem]]

Attachment: Patch

Saving/restoring the frame chain can switch compartments, so we have to restore it before calling JS_WrapValue.

Comment 3

[Jan de Mooij [:jandem]]

https://hg.mozilla.org/integration/mozilla-inbound/rev/1c4403cbda57

Comment 4

[Ryan VanderMeulen [:RyanVM]]

https://hg.mozilla.org/mozilla-central/rev/1c4403cbda57

Comment 5

[Ed Morley [:emorley]]

https://hg.mozilla.org/mozilla-central/rev/71f2968c7359

Comment 6

[Benjamin Bouvier [:bbouvier] (inactive)]

(In reply to Ed Morley [:edmorley UTC+1] from comment #5)
> https://hg.mozilla.org/mozilla-central/rev/71f2968c7359

It seems that I made a mistake when writing the bug number in the commit message. This last push was actually for bug 877338. Sorry for the inconvenience.