Closed
Bug 822691
Opened 12 years ago
Closed 12 years ago
"ABORT: wrong compartment" with setUserData on node whose __proto__ is from a different frame
Categories
(Core :: XPConnect, defect)
Tracking
()
RESOLVED
FIXED
mozilla20
| Tracking | Status | |
|---|---|---|
| firefox19 | --- | unaffected |
| firefox20 | + | fixed |
| firefox-esr17 | --- | unaffected |
| b2g18 | --- | unaffected |
People
(Reporter: jruderman, Assigned: bzbarsky)
References
Details
(4 keywords, Whiteboard: [adv-main20-])
Attachments
(3 files)
###!!! ABORT: wrong compartment: 'js::IsObjectInContextCompartment(scope, mJSContext)', file XPCInlines.h, line 110
(Related to bug 764307 / bug 645560?)
(I hope settable __proto__ isn't being standardized.)
|
Reporter | |
Comment 1•12 years ago
|
||
|
Assignee | |
Comment 2•12 years ago
|
||
699 JS::Value result;
700 aError = nsContentUtils::XPConnect()->VariantToJS(aCx, GetWrapper(), oldData,
701 &result);
So the key is that aCx comes in on the compartment of the proto, since that's where the method was found. But GetWrapper() is in a different compartment....
We should be entering the compartment of GetWrapper() here, I think. Sorry I missed that when reviewing. :(
GetUserData has the same problem, afaict.
The good news is that I think this is trunk-only, since bug 812333 is Firefox 20 only.
Blocks: 812333
tracking-firefox20:
--- → ?
|
|
Assignee | |
Comment 3•12 years ago
|
||
Oh, and I would think that doing get/setUserData via Xrays would have the same problem.
|
||
Updated•12 years ago
|
status-firefox19:
--- → unaffected
status-firefox20:
--- → affected
|
|
||
Updated•12 years ago
|
Keywords: regression,
sec-critical
|
||
Comment 4•12 years ago
|
||
Boris, who can we assign this to?
|
|
Assignee | |
Comment 5•12 years ago
|
||
Attachment #695981 -
Flags: review?(bugs)
|
|
Assignee | |
Updated•12 years ago
|
Assignee: nobody → bzbarsky
Whiteboard: [need review]
|
||
Updated•12 years ago
|
Attachment #695981 -
Flags: review?(bugs) → review+
|
|
Assignee | |
Comment 6•12 years ago
|
||
This patch on its own fails tests because of bug 825025. So I'll need to land that first.
|
|
Assignee | |
Comment 7•12 years ago
|
||
Flags: in-testsuite+
Whiteboard: [need review]
Target Milestone: --- → mozilla20
|
||
Comment 8•12 years ago
|
||
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
|
||
Updated•12 years ago
|
|
||
Updated•12 years ago
|
status-b2g18:
--- → unaffected
status-firefox-esr17:
--- → unaffected
|
|
||
Updated•12 years ago
|
Whiteboard: [adv-main20-]
|
||
Updated•11 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•