The testcase asserts within JS_ValueToString called by mozMatchesSelectorStub. Sometimes it's a compartment mismatch, sometimes it's a value assertion. Assertion failure: (ptrBits & 0x7) == 0, at ../../../dist/include/jsval.h:708 Assertion failure: false (compartment mismatched), at /Users/jruderman/mozilla-central/js/src/jscntxtinlines.h:210 mozMatchesSelectorStub is not auto-generated; it was added in bug 763897.

Over to gabor, per the regressing patch.

Can I get a CC to bug 326633 ?

(In reply to Gabor Krizsanits [:krizsa :gabor] from comment #3) > Can I get a CC to bug 326633 ? That's just a metabug for one of Jesse's fuzzers. :)

Long story short, shame on me. I set the exception for <1 args before trying to call toString on the first arg, but forgot to return false.

Comment on attachment 662076 [details] [diff] [review] mozMatchesSelectorStub should return false on error Please convert Jesse's testcase into a crashtest and check it in with this fix. r=bholley with that.

https://tbpl.mozilla.org/?tree=Try&rev=44d930e08ba4 http://hg.mozilla.org/integration/mozilla-inbound/rev/650b2238e845

We'll want this fix on Firefox 17 as well since that's where the regressing bug landed. Please request approval to land on that branch.

Comment on attachment 662076 [details] [diff] [review] mozMatchesSelectorStub should return false on error [Approval Request Comment] Bug caused by (feature/regressing bug #): 763897 User impact if declined: security bug if mozMatchesSelector through xray called with 0 args Testing completed (on m-c, etc.): green on try and on m-i Risk to taking this patch (and alternatives if risky): trivial patch, minimal risk String or UUID changes made by this patch: none

Comment on attachment 662076 [details] [diff] [review] mozMatchesSelectorStub should return false on error [Triage Comment] sec-high FF17 regression, approving for Aurora.

mass remove verifyme requests greater than 4 months old