Closed
Bug 323978
Opened 19 years ago
Closed 17 years ago
"ASSERTION: XPConnect is being called on a scope without a 'Components' property!"
Categories
(Core :: XPConnect, defect, P1)
Core
XPConnect
Tracking
()
RESOLVED
DUPLICATE
of bug 400349
mozilla1.9alpha1
People
(Reporter: jruderman, Assigned: mrbkap)
Details
(Keywords: assertion, testcase, Whiteboard: [sg:dupe 400349])
Attachments
(3 files, 2 obsolete files)
(deleted),
text/plain
|
Details | |
19 years ago
(deleted),
patch
|
Details | Diff | Splinter Review | |
(deleted),
text/html
|
Details |
###!!! ASSERTION: XPConnect is being called on a scope without a 'Components' property!
This is pretty much always bad. It usually means that native code is
making a callback to an interface implemented in JavaScript, but the
document where the JS object was created has already been cleared and the
global properties of that document's window are *gone*. Generally this
indicates a problem that should be addressed in the design and use of the
callback code.
: 'Error', file mozilla/js/src/xpconnect/src/xpcwrappednativescope.cpp, line 589
Reporter | ||
Comment 1•19 years ago
|
||
I think this is a security hole because in one of the crash stacks, |this| was 0xdddddddd.
Whiteboard: [sg:critical]
Comment 2•19 years ago
|
||
Reporter | ||
Comment 3•19 years ago
|
||
is this related to bug 321299?
Reporter | ||
Updated•19 years ago
|
Flags: blocking1.9a1?
Flags: blocking1.8.1?
Flags: blocking1.8.0.3?
Reporter | ||
Updated•19 years ago
|
Summary: ASSERTION: XPConnect is being called on a scope without a 'Components' property! → "ASSERTION: XPConnect is being called on a scope without a 'Components' property!" and crash when touching things in removed iframes
Reporter | ||
Comment 5•19 years ago
|
||
mrbkap, will you be able to fix this in the near future? I remember you saying that fixing this would make some leak bugs (such as bug 241518) worse; is that still an issue on the trunk now that bug 241518 is fixed?
Comment 7•19 years ago
|
||
Blocking 1.8.0.3 in hopes of a fix
Flags: blocking1.8.1?
Flags: blocking1.8.1+
Flags: blocking1.8.0.3?
Flags: blocking1.8.0.3+
Assignee | ||
Comment 8•19 years ago
|
||
I have a potential plan to fix the crash.
Priority: -- → P1
Target Milestone: --- → mozilla1.9alpha
Assignee | ||
Comment 9•19 years ago
|
||
Update: this turned out to be much more complicated to debug than I originally though. I'm still trying to find the cause of the crash.
Comment 10•19 years ago
|
||
The crash seen in this bug is fixed by the patch attached to bug 321299 (includes mrbkap's above patch). Let's leave this bug open to track the assertion issue.
Assignee | ||
Comment 11•19 years ago
|
||
This bug shouldn't block the branches anymore, bug 321299 took care of the crash and this is now about the assertion.
Reporter | ||
Updated•19 years ago
|
Reporter | ||
Comment 12•19 years ago
|
||
Is this still [sg:critical]?
Comment 13•19 years ago
|
||
Removing "and crash when touching things in removed iframes" end of the summary per comment 14 -- does the summary still describe the right assertion?
Is this still a security problem, or does it remain private because of the testcase demonstrates 321299 in unfixed builds?
Flags: blocking1.8.0.5?
Flags: blocking1.8.0.4-
Flags: blocking1.8.0.4+
Keywords: crash
Summary: "ASSERTION: XPConnect is being called on a scope without a 'Components' property!" and crash when touching things in removed iframes → "ASSERTION: XPConnect is being called on a scope without a 'Components' property!"
Whiteboard: [sg:critical]
Reporter | ||
Comment 14•19 years ago
|
||
See also bug 335896, "GC destroys live frame / assertion 'Unexpected current doc in root content' / crash [@ nsContentIterator::NextNode]". That bug involves netsted iframes. I don't know how related it is to this bug.
Comment 15•19 years ago
|
||
minusing for 1.8.0 branch per comment 15
Flags: blocking1.8.1?
Flags: blocking1.8.1+
Flags: blocking1.8.0.5?
Flags: blocking1.8.0.5-
Updated•19 years ago
|
Flags: blocking1.8.1? → blocking1.8.1-
Reporter | ||
Comment 16•18 years ago
|
||
Made variables local and changed "0" to "false" in addEventListener call to make it clearer what the testcase is doing.
Attachment #208939 -
Attachment is obsolete: true
Reporter | ||
Comment 17•18 years ago
|
||
As suggested by timeless, remove the load event listener when it fires, so it's clear that it's only triggered once.
Attachment #231567 -
Attachment is obsolete: true
Updated•18 years ago
|
Whiteboard: [sg:nse] stirdom testcases
Reporter | ||
Comment 18•18 years ago
|
||
The assertion still fires on trunk with the most recent testcase.
Reporter | ||
Updated•17 years ago
|
Flags: blocking1.9?
Reporter | ||
Comment 19•17 years ago
|
||
I'm going to file a new bug, copy the relevant attachments and comments there, and mark this one as a dup.
(The alternative would be to use Bugzilla's new "private comments" feature, but hiding comment 0 and the comment with the patch would make the bug confusing.)
Reporter | ||
Updated•17 years ago
|
Updated•16 years ago
|
Whiteboard: [sg:dupe 400349] mentions stirdom → [sg:dupe 400349]
Updated•16 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•