Assertion failure: !aGCThing, at js/xpconnect/src/XPCJSRuntime.cpp:319

This looks like something mccr8 would know about.

Yeah, I looked at the stacks a bit. It looks like the problem is that nsDOMMessageEvent::InitMessageEvent calls NS_DROP_JS_OBJECTS without clearing the wrapper cache first. I think this is a regression from bug 822399, which made nsDOMEvent wrapper cached.

Feel free to reassign to me, Olli.

nah, my bug.

Ok, I have the patch and comment for it: "Good that I added the assertion. So, this should work. If we already have preserved wrapper or object hold, calling NS_HOLD_JS_OBJECTS doesn't really do anything (because the event is already in JSHolders). If we don't have preserved wrapper nor object hold, the event ends up to JSholders. Then we may unlink mData, or if the last reference to the event is released without cycle collector, event's dtor drops the reference." But bugzilla is broken atm. Doesn't accept attachments.

Comment on attachment 726124 [details] [diff] [review] patch I can't recall whether this thunk-only bug requires an approval. [Security approval request comment] How easily could an exploit be constructed based on the patch? Crash is quite easy to find. Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem? Comment will be about proper tracing Which older supported branches are affected by this flaw? None. This is a regression from bug 822399 How likely is this patch to cause regressions; how much testing does it need? Not likely to cause regressions.

Comment on attachment 726124 [details] [diff] [review] patch Trunk-only does not need sec-approval.

https://hg.mozilla.org/mozilla-central/rev/ee2e53392df1 Can we land the test?