Closed Bug 1018085 Opened 10 years ago Closed 10 years ago

"ASSERTION: Inner window supports nsWrapperCache, fix WrapObject!"

Categories

(Core :: DOM: Core & HTML, defect)

x86_64
macOS
defect
Not set
critical

Tracking

VERIFIED FIXED
mozilla33
Tracking Status
firefox31 --- unaffected
firefox32 --- verified
firefox33 --- verified
firefox-esr24 --- unaffected
b2g-v1.3 --- unaffected
b2g-v1.3T --- unaffected
b2g-v1.4 --- unaffected
b2g-v2.0 --- fixed
b2g-v2.1 --- fixed

People

(Reporter: jruderman, Assigned: peterv)

Details

(4 keywords)

Attachments

(3 files, 1 obsolete file)

Attached file j.html (deleted) —
1. Create a profile
       with the prefs:
           user_pref("dom.min_background_timeout_value", 4);
           user_pref("dom.disable_open_during_load", false);
       and the extension:
           https://www.squarefree.com/extensions/domFuzzLite3.xpi

2. Run with the testcase filename on the command line
       (You might have to repeat step 2 a few times.)

###!!! ASSERTION: Inner window supports nsWrapperCache, fix WrapObject!: 'IsOuterWindow()', file dom/base/nsGlobalWindow.h, line 354
   (This assertion was added in bug 693301.)

###!!! ASSERTION: EnsureInnerWindow called on inner window: 'IsOuterWindow()', file dom/base/nsPIDOMWindow.h, line 331
Attached file stack for the first assertion (deleted) —
We're firing the DOMContentLoaded event for "missing-1" (actually for the error page for that) but we've already collected the inner window for it.
The exact same thing happens with XPConnect reflectors for Window, but SetParentToWindow returns an error if the nsGlobalWindow doesn't have a wrapper anymore.
Attached patch v1 (obsolete) (deleted) — Splinter Review
Assignee: nobody → peterv
Status: NEW → ASSIGNED
Please adjust the rating as appropriate. I assume this is a regression from Window WebIDL.
Attached patch v1 (deleted) — Splinter Review
Attachment #8432401 - Attachment is obsolete: true
Attachment #8435783 - Flags: review?(bzbarsky)
Comment on attachment 8435783 [details] [diff] [review]
v1

r=me
Attachment #8435783 - Flags: review?(bzbarsky) → review+
Blocks: 1019553
https://hg.mozilla.org/mozilla-central/rev/4b7010671a27
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla33
Comment on attachment 8435783 [details] [diff] [review]
v1

Ugh, this missed the branching.

[Approval Request Comment]
Bug caused by (feature/regressing bug #): bug 789261
User impact if declined: probably crashes/security issues
Testing completed (on m-c, etc.): landed on m-c
Risk to taking this patch (and alternatives if risky): low-risk, just makes us deal with a situation that we thought couldn't happen
String or IDL/UUID changes made by this patch: none
Attachment #8435783 - Flags: approval-mozilla-aurora?
Comment on attachment 8435783 [details] [diff] [review]
v1

Aurora approval granted.
Attachment #8435783 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Confirmed assert/crash on Fx32, 2014-05-30.
Verified fixed on Fx32, 2014-07-14.
Verified fixed on Fx33, 2014-07-07.
Status: RESOLVED → VERIFIED
Group: core-security
Keywords: regression
Component: DOM → DOM: Core & HTML