Created attachment 8431438 [details] j.html 1. Create a profile with the prefs: user_pref("dom.min_background_timeout_value", 4); user_pref("dom.disable_open_during_load", false); and the extension: https://www.squarefree.com/extensions/domFuzzLite3.xpi 2. Run with the testcase filename on the command line (You might have to repeat step 2 a few times.) ###!!! ASSERTION: Inner window supports nsWrapperCache, fix WrapObject!: 'IsOuterWindow()', file dom/base/nsGlobalWindow.h, line 354 (This assertion was added in bug 693301.) ###!!! ASSERTION: EnsureInnerWindow called on inner window: 'IsOuterWindow()', file dom/base/nsPIDOMWindow.h, line 331
We're firing the DOMContentLoaded event for "missing-1" (actually for the error page for that) but we've already collected the inner window for it.
The exact same thing happens with XPConnect reflectors for Window, but SetParentToWindow returns an error if the nsGlobalWindow doesn't have a wrapper anymore.
Created attachment 8432401 [details] [diff] [review] v1
Assignee: nobody → peterv
Status: NEW → ASSIGNED
Please adjust the rating as appropriate. I assume this is a regression from Window WebIDL.
status-firefox31: --- → unaffected
status-firefox32: --- → affected
Created attachment 8435783 [details] [diff] [review] v1
Comment on attachment 8435783 [details] [diff] [review] v1 r=me
Attachment #8435783 - Flags: review?(bzbarsky) → review+
Status: ASSIGNED → RESOLVED
Last Resolved: 5 years ago
status-b2g-v1.3: --- → unaffected
status-b2g-v1.3T: --- → unaffected
status-b2g-v1.4: --- → unaffected
status-b2g-v2.0: --- → affected
status-b2g-v2.1: --- → fixed
status-firefox33: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla33
Comment on attachment 8435783 [details] [diff] [review] v1 Ugh, this missed the branching. [Approval Request Comment] Bug caused by (feature/regressing bug #): bug 789261 User impact if declined: probably crashes/security issues Testing completed (on m-c, etc.): landed on m-c Risk to taking this patch (and alternatives if risky): low-risk, just makes us deal with a situation that we thought couldn't happen String or IDL/UUID changes made by this patch: none
Attachment #8435783 - Flags: approval-mozilla-aurora?
Comment on attachment 8435783 [details] [diff] [review] v1 Aurora approval granted.
Attachment #8435783 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
status-firefox32: affected → fixed
Confirmed assert/crash on Fx32, 2014-05-30. Verified fixed on Fx32, 2014-07-14. Verified fixed on Fx33, 2014-07-07.
Status: RESOLVED → VERIFIED
status-firefox32: fixed → verified
status-firefox33: fixed → verified
You need to log in before you can comment on or make changes to this bug.