Bug 791845 (Closed)
Opened 12 years ago
Closed 12 years ago
Assertions in JS_ValueToString called by mozMatchesSelectorStub
Categories: Core :: XPConnect, defect
Status: RESOLVED FIXED
Version | Tracking | Status |
---|---|---|
firefox16 | --- | unaffected |
firefox17 | + | fixed |
firefox18 | + | fixed |
firefox-esr10 | --- | unaffected |
People: Reporter: jruderman, Assigned: gkrizsanits
Details: 4 keywords, Whiteboard: [adv-track-main17-]
Attachments (3 files):
(deleted), text/html
(deleted), text/plain
(deleted), patch (bholley: review+, akeybl: approval-mozilla-aurora+)
The testcase asserts within JS_ValueToString called by mozMatchesSelectorStub. Sometimes it's a compartment mismatch, sometimes it's a value assertion.
Assertion failure: (ptrBits & 0x7) == 0, at ../../../dist/include/jsval.h:708
Assertion failure: false (compartment mismatched), at /Users/jruderman/mozilla-central/js/src/jscntxtinlines.h:210
mozMatchesSelectorStub is not auto-generated; it was added in bug 763897.
Comment 1 (Reporter) • 12 years ago
Comment 3 (Assignee) • 12 years ago
Can I get a CC to bug 326633 ?
Comment 4 • 12 years ago
(In reply to Gabor Krizsanits [:krizsa :gabor] from comment #3)
> Can I get a CC to bug 326633 ?
That's just a metabug for one of Jesse's fuzzers. :)
Comment 5 (Assignee) • 12 years ago
Long story short, shame on me. I set the exception for <1 args before trying to call toString on the first arg, but forgot to return false.
Attachment #662076 - Flags: review?(bobbyholley+bmo)
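The mistake described in comment 5, as an added illustration that is not part of the bug report or of the attached patch: a toy C++ model of a native stub that sets an exception for a missing argument but keeps going. All names (`Ctx`, `stub_buggy`, `stub_fixed`, `value_to_string`) and the frame layout are assumptions of the model, and the sample frame values are constructed.

```cpp
// Toy model of a native stub's argument check. Hypothetical names throughout;
// this is not Mozilla's code.
#include <cstdint>
#include <cstdio>

using Value = std::uintptr_t;   // models a tagged pointer to a string

struct Ctx {
    bool pending_exception = false;
    int malformed_reads = 0;    // times a bad value reached the converter
};

// Stand-in for the string conversion. The report quotes the assertion
// (ptrBits & 0x7) == 0; the model counts the violation instead of aborting.
static bool value_to_string(Ctx &cx, Value v) {
    if ((v & 0x7) != 0) { cx.malformed_reads++; return false; }
    return true;
}

// Assumed frame layout for the model: vp[0] = callee, vp[1] = this, vp[2..] = args.
static bool stub_buggy(Ctx &cx, unsigned argc, Value *vp) {
    if (argc < 1)
        cx.pending_exception = true;      // error set, but execution continues
    return value_to_string(cx, vp[2]);    // reads a slot that holds no argument
}

static bool stub_fixed(Ctx &cx, unsigned argc, Value *vp) {
    if (argc < 1) {
        cx.pending_exception = true;
        return false;                     // stop before touching vp[2]
    }
    return value_to_string(cx, vp[2]);
}

// Calls a stub with zero args; slot 2 holds a constructed stale, misaligned value.
static int malformed_reads_zero_args(bool (*stub)(Ctx &, unsigned, Value *)) {
    Ctx cx;
    Value frame[3] = {0x1000, 0x2000, 0x3005};
    stub(cx, 0, frame);
    return cx.pending_exception ? cx.malformed_reads : -1;
}

int main() {
    std::printf("buggy: %d malformed read(s)\n", malformed_reads_zero_args(stub_buggy));
    std::printf("fixed: %d malformed read(s)\n", malformed_reads_zero_args(stub_fixed));
    return 0;
}
```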
Comment 6 • 12 years ago
Comment on attachment 662076 [details] [diff] [review]
mozMatchesSelectorStub should return false on error
Please convert Jesse's testcase into a crashtest and check it in with this fix. r=bholley with that.
Attachment #662076 - Flags: review?(bobbyholley+bmo) → review+
Comment 7 (Assignee) • 12 years ago
Comment 8 (Assignee) • 12 years ago
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Updated • 12 years ago
status-firefox-esr10: --- → unaffected
Comment 9 • 12 years ago
We'll want this fix on Firefox 17 as well since that's where the regressing bug landed. Please request approval to land on that branch.
status-firefox16: --- → unaffected
status-firefox17: --- → affected
status-firefox18: --- → fixed
tracking-firefox17: --- → +
tracking-firefox18: --- → +
Keywords: regression
Comment 10 (Assignee) • 12 years ago
Comment on attachment 662076 [details] [diff] [review]
mozMatchesSelectorStub should return false on error
[Approval Request Comment]
Bug caused by (feature/regressing bug #): 763897
User impact if declined: security bug if mozMatchesSelector through xray called with 0 args
Testing completed (on m-c, etc.): green on try and on m-i
Risk to taking this patch (and alternatives if risky): trivial patch, minimal risk
String or UUID changes made by this patch: none
Attachment #662076 - Flags: approval-mozilla-aurora?
Comment 11 • 12 years ago
Comment on attachment 662076 [details] [diff] [review]
mozMatchesSelectorStub should return false on error
[Triage Comment]
sec-high FF17 regression, approving for Aurora.
Attachment #662076 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Comment 12 (Assignee) • 12 years ago
Updated • 12 years ago
Updated • 12 years ago
Whiteboard: [adv-track-main17-]
Updated • 12 years ago
Group: core-security