Closed Bug 951632 Opened 6 years ago Closed 6 years ago

Crash [@ fail] with compartment mismatch involving setObjectMetadataCallback

Categories: Core :: JavaScript Engine, defect, critical
Platform: x86_64 Linux
Priority: Not set
Severity: critical
Status: RESOLVED FIXED
Target Milestone: mozilla29
People: Reporter: decoder, Assigned: jandem
References: Blocks 1 open bug
Keywords: crash, testcase
Whiteboard: [jsbugmon:update]
Attachments: 2 files

The following testcase crashes on mozilla-central revision 862cb6a1cc88 (run with --fuzzing-safe):


// Install the shell's test-only object metadata hook; the shell-side callback
// records the functions on the stack for every object allocated.
setObjectMetadataCallback(function(obj) {});
// A second global, i.e. a separate compartment.
var g = newGlobal();
g.eval("function f(a) { h(); return a + b + c; }");
// h is created in the main compartment but is called from g's compartment,
// so the stack seen by the metadata hook mixes frames from two compartments.
g.h = function () {
    n >= 4;
};
g.f(5);
Whiteboard: [jsbugmon:update,bisect]
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   http://hg.mozilla.org/mozilla-central/rev/bec71542c055
user:        Brian Hackett
date:        Sat Dec 14 16:29:43 2013 -0800
summary:     Bug 950118 - Don't allow the object metadata hook to reenter JS, r=jimb.

This iteration took 337.221 seconds to run.
Attached patch: Patch
ShellObjectMetadataCallback returns an object with a "stack" property that's an array of functions on the stack. This patch makes us skip functions from other compartments. This code is all just for testing.
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Attachment #8357303 - Flags: review?(luke)
Attachment #8357303 - Flags: review?(luke) → review+
https://hg.mozilla.org/mozilla-central/rev/b76b2eb15da3
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla29
Duplicate of this bug: 953255
Duplicate of this bug: 957716