Bug 925019: compartment mismatch when js::jit::DoCallFallback calls Invoke
Status: RESOLVED INCOMPLETE (opened 12 years ago, closed 11 years ago)
Categories: Core :: JavaScript Engine: JIT, defect
People: Reporter: mccr8, Unassigned
Keywords: sec-other

I see three of these crashes on crash-stats:
c00b701c-20c0-49fe-959c-e6fee2131005
4a9cbdbb-b54d-4282-8c2d-ddb4b2131005
3adfce7e-10d8-484b-be88-2c2932131008
DoCallFallback doesn't enter a compartment anywhere, so maybe that's the problem?

Comment 1 (Reporter) • 12 years ago

Comment 2 • 12 years ago
AFAICS the interpreter also doesn't enter a compartment for JSOP_CALL and friends before it calls Invoke.
Unfortunately the stack is not very helpful due to inlining :(

Comment 3 (Reporter) • 12 years ago
Ah, I see. I suppose this could be another instance of the JSOP_CALL compartment mismatch I was seeing for a while. I was hoping there might be something useful in there. :)

Comment 4 (Reporter) • 12 years ago
Marking sec-other because this sounds like one of these invoke crashes that are unactionable.
Keywords: sec-other

Updated (Reporter) • 11 years ago
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → INCOMPLETE

Updated • 10 years ago
Group: core-security → core-security-release

Updated • 6 years ago
Group: core-security-release