Closed Bug 851392 Opened 11 years ago Closed 11 years ago

"ASSERTION: Should be inner window" with mutation event recursion

Categories

(Core :: DOM: Core & HTML, defect)

Product:
Core
Component:
DOM: Core & HTML
Platform:
x86_64
macOS
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED DUPLICATE of bug 852436
Tracking Flags:
Tracking Status
firefox20 --- unaffected
firefox21 --- unaffected
firefox22 --- affected
firefox-esr17 --- unaffected
b2g18 --- unaffected

People

(Reporter: jruderman, Assigned: emk)

References

Details

(4 keywords, Whiteboard: "'IsExceptionPending' checks are a sign of trouble" --mrbkap)

Attachments

(2 files)

testcase
(deleted), text/html
Details
stacks
(deleted), text/plain
Details
Attached file testcase (deleted) — 
###!!! ASSERTION: Should be inner window.: 'win->IsInnerWindow()', file dom/base/nsDOMClassInfo.cpp, line 3599

Assertion failure: win->IsInnerWindow(), at dom/base/nsDOMClassInfo.cpp:1478
Attached file stacks (deleted) — 

    
    

    
  
Bisection points at http://hg.mozilla.org/mozilla-central/rev/5d58b6d250d5 but I bet that just perturbed the point at which the JS_CHECK_RECURSION fails.

    
    

    
  
Peter: is this assertion an indication of a security problem (usually inner/outer window confusion is) and if so how bad?
Flags: needinfo?(peterv)

    
    

    
  
I'm not sure what happens next, we probably try to wrap the inner in an XPCWrappedNative. But given that we failed to wrap already that might fail too?

Could this be a regression from bug 848339? It seem to me that if nsGlobalWindow::WrapObject fails (at http://mxr.mozilla.org/mozilla-central/source/js/xpconnect/src/XPCConvert.cpp#841) but doesn't set an exception then we won't return early like we used to, but instead try to construct a slim wrapper.
Flags: needinfo?(peterv)

    
    

    
  
This is almost certainly a regression from bug 848339. Reading through the code, I don't understand why it's OK for WrapObject to return null... It seems like the parameter wasn't as vestigial as previously thought. In general "IsExceptionPending" checks are a sign of trouble.
Assignee: nobody → VYV03354
Blocks: 848339
Keywords: regression
Whiteboard: "'IsExceptionPending' checks are a sign of trouble" --mrbkap

    
    

    
  
The patch in bug 852436 fixes this testcase as well.
Depends on: 852436
Keywords: sec-high

    
    

    
  
(In reply to Blake Kaplan (:mrbkap) from comment #6)
> The patch in bug 852436 fixes this testcase as well.

Is this fixed then? 

Matt, could you verify this is fixed?
Flags: needinfo?(mwobensmith)

    
    

    
  
I see no such assertion in today's nightly m-c. 

Should we close it, or mark it as a dupe of bug 852436?
Flags: needinfo?(mwobensmith)

    
    

    
  
Thanks, Matt!
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
Group: core-security
Component: DOM → DOM: Core & HTML

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: