Closed
Bug 1018085
Opened 10 years ago
Closed 10 years ago
"ASSERTION: Inner window supports nsWrapperCache, fix WrapObject!"
Categories
(Core :: DOM: Core & HTML, defect)
Tracking
()
VERIFIED
FIXED
mozilla33
Tracking | Status | |
---|---|---|
firefox31 | --- | unaffected |
firefox32 | --- | verified |
firefox33 | --- | verified |
firefox-esr24 | --- | unaffected |
b2g-v1.3 | --- | unaffected |
b2g-v1.3T | --- | unaffected |
b2g-v1.4 | --- | unaffected |
b2g-v2.0 | --- | fixed |
b2g-v2.1 | --- | fixed |
People
(Reporter: jruderman, Assigned: peterv)
References
Details
(4 keywords)
Attachments
(3 files, 1 obsolete file)
(deleted),
text/html
|
Details | |
(deleted),
text/plain
|
Details | |
(deleted),
patch
|
bzbarsky
:
review+
lmandel
:
approval-mozilla-aurora+
|
Details | Diff | Splinter Review |
1. Create a profile with the prefs: user_pref("dom.min_background_timeout_value", 4); user_pref("dom.disable_open_during_load", false); and the extension: https://www.squarefree.com/extensions/domFuzzLite3.xpi 2. Run with the testcase filename on the command line (You might have to repeat step 2 a few times.) ###!!! ASSERTION: Inner window supports nsWrapperCache, fix WrapObject!: 'IsOuterWindow()', file dom/base/nsGlobalWindow.h, line 354 (This assertion was added in bug 693301.) ###!!! ASSERTION: EnsureInnerWindow called on inner window: 'IsOuterWindow()', file dom/base/nsPIDOMWindow.h, line 331
Reporter | ||
Comment 1•10 years ago
|
||
Assignee | ||
Comment 2•10 years ago
|
||
We're firing the DOMContentLoaded event for "missing-1" (actually for the error page for that) but we've already collected the inner window for it.
Assignee | ||
Comment 3•10 years ago
|
||
The exact same thing happens with XPConnect reflectors for Window, but SetParentToWindow returns an error if the nsGlobalWindow doesn't have a wrapper anymore.
Assignee | ||
Comment 4•10 years ago
|
||
Assignee: nobody → peterv
Status: NEW → ASSIGNED
Comment 5•10 years ago
|
||
Please adjust the rating as appropriate. I assume this is a regression from Window WebIDL.
Blocks: 789261
status-firefox31:
--- → unaffected
status-firefox32:
--- → affected
Keywords: sec-high
Assignee | ||
Comment 6•10 years ago
|
||
Attachment #8432401 -
Attachment is obsolete: true
Attachment #8435783 -
Flags: review?(bzbarsky)
![]() |
||
Comment 7•10 years ago
|
||
Comment on attachment 8435783 [details] [diff] [review] v1 r=me
Attachment #8435783 -
Flags: review?(bzbarsky) → review+
Assignee | ||
Comment 8•10 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/4b7010671a27
Comment 9•10 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/4b7010671a27
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
status-b2g-v1.3:
--- → unaffected
status-b2g-v1.3T:
--- → unaffected
status-b2g-v1.4:
--- → unaffected
status-b2g-v2.0:
--- → affected
status-b2g-v2.1:
--- → fixed
status-firefox33:
--- → fixed
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla33
Assignee | ||
Comment 10•10 years ago
|
||
Comment on attachment 8435783 [details] [diff] [review] v1 Ugh, this missed the branching. [Approval Request Comment] Bug caused by (feature/regressing bug #): bug 789261 User impact if declined: probably crashes/security issues Testing completed (on m-c, etc.): landed on m-c Risk to taking this patch (and alternatives if risky): low-risk, just makes us deal with a situation that we thought couldn't happen String or IDL/UUID changes made by this patch: none
Attachment #8435783 -
Flags: approval-mozilla-aurora?
Comment 11•10 years ago
|
||
Comment on attachment 8435783 [details] [diff] [review] v1 Aurora approval granted.
Attachment #8435783 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Assignee | ||
Comment 12•10 years ago
|
||
https://hg.mozilla.org/releases/mozilla-aurora/rev/9a12cabec2fe
Updated•10 years ago
|
Updated•10 years ago
|
status-firefox-esr24:
--- → unaffected
Comment 13•10 years ago
|
||
Confirmed assert/crash on Fx32, 2014-05-30. Verified fixed on Fx32, 2014-07-14. Verified fixed on Fx33, 2014-07-07.
Updated•10 years ago
|
Group: core-security
Keywords: regression
Updated•5 years ago
|
Component: DOM → DOM: Core & HTML
You need to log in
before you can comment on or make changes to this bug.
Description
•