If you think a bug might affect users in the 57 release, please set the correct tracking and status flags for Release Management.

ASSERTION: Unexpected JSContext popped!, ASSERTION: ThreadJSContextStack underflow due to missing early return

RESOLVED FIXED in mozilla1.9alpha1

Status

()

Core
Layout: Form Controls
P1
normal
RESOLVED FIXED
12 years ago
12 years ago

People

(Reporter: bc, Assigned: bz)

Tracking

({fixed1.8.0.1, fixed1.8.1})

Trunk
mozilla1.9alpha1
x86
All
fixed1.8.0.1, fixed1.8.1
Points:
---
Bug Flags:
blocking1.8.1 +
blocking1.8.0.1 +

Firefox Tracking Flags

(Not tracked)

Details

(URL)

Attachments

(1 attachment)

(Reporter)

Description

12 years ago
From bug 285755 comment 8:

the ensuing assertions are due to a bug in the patch for bug 287446.  An early return that should be there got lost.  :(

We should probably file a separate bug on that and fix it on the 1.8
branches... :(
(Reporter)

Updated

12 years ago
Flags: blocking1.8.1?
Flags: blocking1.8.0.1?
Blocks: 287446
No longer depends on: 287446
What negative effects come from this? The testcase URL is WFM for bsmedberg. Need a baked patch to consider for 1.8.0.1
Flags: blocking1.8.0.1? → blocking1.8.0.1-
Created attachment 207771 [details] [diff] [review]
Patch

This is dead-simple.  Should have been in the original checkin.  If we ever hit this code without this patch, we'll probably end up with a security hole (since the right jscontext won't be on the stack).

There's zero risk here; I really think we should take this for 1.8.0.1.
Attachment #207771 - Flags: superreview?(jst)
Attachment #207771 - Flags: review?(jst)
Attachment #207771 - Flags: approval1.8.1?
Attachment #207771 - Flags: approval1.8.0.1?
Renominating for 1.8.0.1.  I really think we should take this on branch...  possibly even if it means an extra day in the cycle to give this more bake time if drivers want more bake time.  See comment 2 for details.
Flags: blocking1.8.0.1- → blocking1.8.0.1?
Comment on attachment 207771 [details] [diff] [review]
Patch

sr=me, jst would agree.

/be
Attachment #207771 - Flags: superreview?(jst) → superreview+
Attachment #207771 - Flags: review?(jst) → review+
<brendan> bz: you didn't answer dveditz in the bug about how people hit this
> brendan: it's an error condition
> brendan: they generally don't
<brendan> someone did
<brendan> bad luck?
> brendan: that was because of another bug that broke QI
> brendan: but frankly, I don't think we want people to be exploitable because some dumb extension breaks editor
Fixed on trunk.
Status: NEW → RESOLVED
Last Resolved: 12 years ago
Priority: -- → P1
Resolution: --- → FIXED
Target Milestone: --- → mozilla1.9alpha
Flags: blocking1.8.1?
Flags: blocking1.8.1+
Flags: blocking1.8.0.1?
Flags: blocking1.8.0.1+
Comment on attachment 207771 [details] [diff] [review]
Patch

a=dveditz for drivers
Attachment #207771 - Flags: approval1.8.1?
Attachment #207771 - Flags: approval1.8.1+
Attachment #207771 - Flags: approval1.8.0.1?
Attachment #207771 - Flags: approval1.8.0.1+
*** Committing to MOZILLA_1_8_BRANCH... 
/cvsroot/mozilla/layout/forms/nsTextControlFrame.cpp,v  <--  nsTextControlFrame.cpp
new revision: 3.197.10.4; previous revision: 3.197.10.3

*** Committing layout/forms/nsTextControlFrame.cpp on MOZILLA_1_8_0_BRANCH... 
/cvsroot/mozilla/layout/forms/nsTextControlFrame.cpp,v  <--  nsTextControlFrame.cpp
new revision: 3.197.10.3.2.1; previous revision: 3.197.10.3
Keywords: fixed1.8.0.1, fixed1.8.1
You need to log in before you can comment on or make changes to this bug.