Crash [@ fail] with compartment mismatch involving setObjectMetadataCallback

RESOLVED FIXED in mozilla29

Status


Core
JavaScript Engine
--
critical
RESOLVED FIXED
4 years ago
4 years ago

People

(Reporter: decoder, Assigned: jandem)

Tracking

(Blocks: 1 bug, {crash, testcase})

Trunk
mozilla29
x86_64
Linux
crash, testcase
Points:
---
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [jsbugmon:update], crash signature)

Attachments

(2 attachments)

(Reporter)

Description

4 years ago
The following testcase crashes on mozilla-central revision 862cb6a1cc88 (run with --fuzzing-safe):


setObjectMetadataCallback(function(obj) {});
var g = newGlobal()
g.eval("function f(a) { h(); return a + b + c; }");
g.h = function () {
    n >= 4;
};
g.f(5);
(Reporter)

Comment 1

4 years ago
Created attachment 8349359 [details]
[crash-signature] Machine-readable crash signature
(Reporter)

Updated

4 years ago
Whiteboard: [jsbugmon:update,bisect]
(Reporter)

Updated

4 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
(Reporter)

Comment 2

4 years ago
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   http://hg.mozilla.org/mozilla-central/rev/bec71542c055
user:        Brian Hackett
date:        Sat Dec 14 16:29:43 2013 -0800
summary:     Bug 950118 - Don't allow the object metadata hook to reenter JS, r=jimb.

This iteration took 337.221 seconds to run.
(Assignee)

Comment 3

4 years ago
Created attachment 8357303 [details] [diff] [review]
Patch

ShellObjectMetadataCallback returns an object with a "stack" property that's an array of functions on the stack. This patch makes us skip functions from other compartments. This code is all just for testing.
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Attachment #8357303 - Flags: review?(luke)

Updated

4 years ago
Attachment #8357303 - Flags: review?(luke) → review+
(Assignee)

Comment 4

4 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/b76b2eb15da3
https://hg.mozilla.org/mozilla-central/rev/b76b2eb15da3
Status: ASSIGNED → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla29
(Assignee)

Updated

4 years ago
Duplicate of this bug: 953255
(Reporter)

Updated

4 years ago
Duplicate of this bug: 957716

Comment 8

4 years ago
https://hg.mozilla.org/mozilla-central/diff/b76b2eb15da3/js/src/jit-test/tests/basic/bug951632.js
Flags: in-testsuite+