Crash with instanceof and WindowProxy of sandboxed frame
Categories: Core :: DOM: Core & HTML, defect

Tracking:

| | Tracking | Status |
|---|---|---|
| firefox-esr60 | --- | unaffected |
| firefox65 | --- | unaffected |
| firefox66 | --- | unaffected |
| firefox67 | --- | fixed |

People: Reporter: annevk, Assigned: bzbarsky

Keywords: regression

Attachments (1 file): text/x-phabricator-request (deleted)
Navigate to data:text/html,<iframe sandbox></iframe><script>alert(frames[0] instanceof frames[0])</script>
Expected: no crash.
bz, is this perhaps related to the WindowProxy refactoring?
Updated • 6 years ago (Reporter)

Comment 1 • 6 years ago (Assignee)
Yes. I had discovered this independently just a few minutes ago...
Updated • 6 years ago (Assignee)

Comment 3 • 6 years ago (Assignee)
Just for my records, the relevant stack bit is:
#8 0x00007f1f6e0c124d in js::ReportIsNotFunction(JSContext*, JS::Handle<JS::Value>) (cx=0x7f1f56525000, v=...)
at /home/bzbarsky/mozilla/debug/mozilla/js/src/jsfriendapi.cpp:1277
#9 0x00007f1f6d923677 in JS::InstanceofOperator(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, bool*) (cx=0x7f1f56525000, obj=..., v=..., bp=0x7ffe33a84897) at ../../../mozilla/js/src/vm/Interpreter.cpp:847
#10 0x00007f1f6d92396b in js::HasInstance(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, bool*) (cx=0x7f1f56525000, obj=..., v=..., bp=0x7ffe33a84897) at ../../../mozilla/js/src/vm/Interpreter.cpp:860
#11 0x00007f1f6e0fb1e5 in js::ForwardingProxyHandler::hasInstance(JSContext*, JS::Handle<JSObject*>, JS::MutableHandle<JS::Value>, bool*) const (this=0x7f1f71800988 <nsOuterWindowProxy::singleton>, cx=0x7f1f56525000, proxy=..., v=..., bp=0x7ffe33a84897)
at /home/bzbarsky/mozilla/debug/mozilla/js/src/proxy/Wrapper.cpp:221
#12 0x00007f1f6e0e9795 in js::Proxy::hasInstance(JSContext*, JS::Handle<JSObject*>, JS::MutableHandle<JS::Value>, bool*) (cx=0x7f1f56525000, proxy=..., v=..., bp=0x7ffe33a84897) at /home/bzbarsky/mozilla/debug/mozilla/js/src/proxy/Proxy.cpp:547
#13 0x00007f1f6d92391d in js::HasInstance(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, bool*) (cx=0x7f1f56525000, obj=..., v=..., bp=0x7ffe33a84897) at ../../../mozilla/js/src/vm/Interpreter.cpp:858
#14 0x00007f1f6e0fb1e5 in js::ForwardingProxyHandler::hasInstance(JSContext*, JS::Handle<JSObject*>, JS::MutableHandle<JS::Value>, bool*) const (this=0x7f1f717a92a0 <xpc::CrossOriginObjectWrapper::singleton>, cx=0x7f1f56525000, proxy=..., v=..., bp=0x7ffe33a84897)
at /home/bzbarsky/mozilla/debug/mozilla/js/src/proxy/Wrapper.cpp:221
#15 0x00007f1f6e0e9795 in js::Proxy::hasInstance(JSContext*, JS::Handle<JSObject*>, JS::MutableHandle<JS::Value>, bool*) (cx=0x7f1f56525000, proxy=..., v=..., bp=0x7ffe33a84897) at /home/bzbarsky/mozilla/debug/mozilla/js/src/proxy/Proxy.cpp:547
#16 0x00007f1f6d92391d in js::HasInstance(JSContext*, JS::Handle<JSObject*>, JS::Handle<JS::Value>, bool*) (cx=0x7f1f56525000, obj=..., v=..., bp=0x7ffe33a84897) at ../../../mozilla/js/src/vm/Interpreter.cpp:858
and then we fail a compartment check, as expected given that stack.
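To make that stack easier to read, here is an added example that is not part of this bug and not Gecko code: a plain-JavaScript model of the spec-level path the engine is supposed to land on. A sandboxed iframe (without allow-same-origin) gets an opaque origin, so its parent sees it through a cross-origin view, which is why the stack passes through xpc::CrossOriginObjectWrapper on top of nsOuterWindowProxy. The Proxy below stands in for that cross-origin WindowProxy; the names makeCrossOriginWindowProxy, classifyInstanceof, runChecks and the SecurityError class are assumptions of the example, and the readable-property list is abridged. The point it shows: reading @@hasInstance across origins yields undefined (the HTML spec's cross-origin property fallback), the proxy is not callable, so `instanceof` ends in a TypeError (the js::ReportIsNotFunction frame), and the correct outcome is that error, not a crash.

```javascript
// Added model (not Gecko code) of why `frames[0] instanceof frames[0]` on a
// cross-origin WindowProxy must end in a TypeError rather than a crash.
// The Proxy is an assumed stand-in for the cross-origin WindowProxy view of a
// sandboxed frame; it is not nsOuterWindowProxy or CrossOriginObjectWrapper.

// Abridged list of properties readable across origins (HTML CrossOriginProperties).
const CROSS_ORIGIN_READABLE = new Set([
  "window", "self", "location", "close", "closed", "focus", "blur",
  "frames", "length", "top", "opener", "parent", "postMessage",
]);

// Stand-in for DOMException "SecurityError" so the block runs outside a browser.
class SecurityError extends Error {
  constructor(message) {
    super(message);
    this.name = "SecurityError";
  }
}

// Builds a Proxy that behaves like a WindowProxy seen from another origin.
function makeCrossOriginWindowProxy(innerWindow) {
  return new Proxy(innerWindow, {
    get(target, prop, receiver) {
      // CrossOriginPropertyFallback: these well-known symbols read as undefined
      // instead of throwing, which is why instanceof gets past its GetMethod step.
      if (prop === Symbol.toStringTag || prop === Symbol.hasInstance ||
          prop === Symbol.isConcatSpreadable) {
        return undefined;
      }
      if (typeof prop === "string" && CROSS_ORIGIN_READABLE.has(prop)) {
        return Reflect.get(target, prop, receiver);
      }
      throw new SecurityError(`Blocked a cross-origin read of "${String(prop)}"`);
    },
    // Cross-origin [[GetPrototypeOf]] returns null, so prototype walks stop at once.
    getPrototypeOf() {
      return null;
    },
    // Cross-origin [[SetPrototypeOf]] only succeeds for null.
    setPrototypeOf(_target, proto) {
      return proto === null;
    },
  });
}

// Runs `lhs instanceof rhs` and reports either the boolean or the error name,
// so the outcome can be inspected without aborting the run.
function classifyInstanceof(lhs, rhs) {
  try {
    return { result: lhs instanceof rhs };
  } catch (err) {
    return { error: err.name };
  }
}

// Constructed sample: a plain object stands in for the sandboxed frame's Window.
const sandboxedWindow = { document: {}, location: { href: "about:blank" } };
const xoWindow = makeCrossOriginWindowProxy(sandboxedWindow);

// Constructed stand-in for the Window interface object (a callable right-hand side).
class Window {}

function runChecks() {
  let plainRead;
  try {
    plainRead = xoWindow.document;
  } catch (err) {
    plainRead = err.name;
  }
  return {
    // The bug's repro shape: both operands are the cross-origin WindowProxy.
    // @@hasInstance reads as undefined, the proxy is not callable -> TypeError.
    selfInstanceof: classifyInstanceof(xoWindow, xoWindow),
    // A callable right-hand side walks the (null) cross-origin prototype chain -> false.
    againstWindow: classifyInstanceof(xoWindow, Window),
    // An ordinary cross-origin read is still blocked with SecurityError.
    plainRead,
    // A cross-origin-readable property goes through.
    allowedRead: xoWindow.location.href,
  };
}

console.log(runChecks());
```

The contrast between `selfInstanceof` and `plainRead` is the part worth remembering: the cross-origin view does not throw SecurityError for @@hasInstance, so the engine reaches the not-callable check and has to report a TypeError across the origin boundary, which is exactly where this bug's compartment check fails.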
Comment 4 • 6 years ago (Assignee)

Comment 6 • 6 years ago (bugherder)

Updated • 6 years ago

Updated • 6 years ago