Closed Bug 868823 Opened 12 years ago Closed 12 years ago

Debugger unsafeDereference is unsafe with xrays

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED DUPLICATE of bug 867771

People

(Reporter: evilpie, Unassigned)

References

Details

(Keywords: regression)

Crash Data

https://crash-stats.mozilla.com/report/index/bp-53ad29ed-bdd9-48e9-b7f2-d9d502130505 Happens on current nightly. Steps to reproduce: 1) Go to google.com 2) Open Web Console 3) Type in window.content 4) Click on [object Window] (which should open a dialog with all attributes) 5) CRASH
This crash stack involves DebuggerObject_unsafeDereference, which was added in bug 837723 (Fx23). That's the most recent code that has changed in the stack, so I'd guess that's at fault. This is debugger-only, so maybe not really s-s in that case. Aside from that, there is lots of Xray-y stuff in the stack. Code from bug 836301 (Fx 22) is the most recently changed that I can see.
Keywords: regression
Summary: crash in js::CompartmentChecker::fail with window.content → Debugger unsafeDereference is unsafe with xrays
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE
Group: core-security
You need to log in before you can comment on or make changes to this bug.