Closed Bug 323978 Opened 19 years ago Closed 17 years ago

"ASSERTION: XPConnect is being called on a scope without a 'Components' property!"

Categories

(Core :: XPConnect, defect, P1)

Tracking

()

RESOLVED DUPLICATE of bug 400349
mozilla1.9alpha1

People

(Reporter: jruderman, Assigned: mrbkap)

Details

(Keywords: assertion, testcase, Whiteboard: [sg:dupe 400349])

Attachments

(3 files, 2 obsolete files)

###!!! ASSERTION: XPConnect is being called on a scope without a 'Components' property!

This is pretty much always bad. It usually means that native code is
making a callback to an interface implemented in JavaScript, but the
document where the JS object was created has already been cleared and the
global properties of that document's window are *gone*. Generally this
indicates a problem that should be addressed in the design and use of the
callback code.

: 'Error', file mozilla/js/src/xpconnect/src/xpcwrappednativescope.cpp, line 589
I think this is a security hole because in one of the crash stacks, |this| was 0xdddddddd.
Whiteboard: [sg:critical]
I think the assertion mentioned in comment 3 could be bug 317497, which depends on bug 317240.
Is this related to bug 321299?
Flags: blocking1.9a1?
Flags: blocking1.8.1?
Flags: blocking1.8.0.3?
Summary: ASSERTION: XPConnect is being called on a scope without a 'Components' property! → "ASSERTION: XPConnect is being called on a scope without a 'Components' property!" and crash when touching things in removed iframes
Blocks: 321299
mrbkap, will you be able to fix this in the near future?  I remember you saying that fixing this would make some leak bugs (such as bug 241518) worse; is that still an issue on the trunk now that bug 241518 is fixed?
-> mrbkap
Assignee: dbradley → mrbkap
Blocking 1.8.0.3 in hopes of a fix
Flags: blocking1.8.1?
Flags: blocking1.8.1+
Flags: blocking1.8.0.3?
Flags: blocking1.8.0.3+
I have a potential plan to fix the crash.
Priority: -- → P1
Target Milestone: --- → mozilla1.9alpha
Update: this turned out to be much more complicated to debug than I originally thought. I'm still trying to find the cause of the crash.
The crash seen in this bug is fixed by the patch attached to bug 321299 (includes mrbkap's above patch). Let's leave this bug open to track the assertion issue.
This bug shouldn't block the branches anymore, bug 321299 took care of the crash and this is now about the assertion.
No longer blocks: 321299
Depends on: 321299
Is this still [sg:critical]?
Removing "and crash when touching things in removed iframes" end of the summary per comment 14 -- does the summary still describe the right assertion?

Is this still a security problem, or does it remain private because the testcase demonstrates 321299 in unfixed builds?
Flags: blocking1.8.0.5?
Flags: blocking1.8.0.4-
Flags: blocking1.8.0.4+
Keywords: crash
Summary: "ASSERTION: XPConnect is being called on a scope without a 'Components' property!" and crash when touching things in removed iframes → "ASSERTION: XPConnect is being called on a scope without a 'Components' property!"
Whiteboard: [sg:critical]
See also bug 335896, "GC destroys live frame / assertion 'Unexpected current doc in root content' / crash [@ nsContentIterator::NextNode]".  That bug involves nested iframes.  I don't know how related it is to this bug.
minusing for 1.8.0 branch per comment 15
Flags: blocking1.8.1?
Flags: blocking1.8.1+
Flags: blocking1.8.0.5?
Flags: blocking1.8.0.5-
Flags: blocking1.8.1? → blocking1.8.1-
Blocks: 344881
Attached file slightly better reduced testcase (obsolete) —
Made variables local and changed "0" to "false" in addEventListener call to make it clearer what the testcase is doing.
Attachment #208939 - Attachment is obsolete: true
As suggested by timeless, remove the load event listener when it fires, so it's clear that it's only triggered once.
Attachment #231567 - Attachment is obsolete: true
Whiteboard: [sg:nse] stirdom testcases
Blocks: 324025
Blocks: 356787
The assertion still fires on trunk with the most recent testcase.
Flags: blocking1.9?
I'm going to file a new bug, copy the relevant attachments and comments there, and mark this one as a dup.

(The alternative would be to use Bugzilla's new "private comments" feature, but hiding comment 0 and the comment with the patch would make the bug confusing.)
No longer blocks: stirdom, 324025, 344881, 356787
Status: NEW → RESOLVED
Closed: 17 years ago
No longer depends on: 321299
Flags: blocking1.9a1?
Flags: blocking1.9?
Resolution: --- → DUPLICATE
Whiteboard: [sg:nse] stirdom testcases → [sg:dupe 400349] mentions stirdom
Whiteboard: [sg:dupe 400349] mentions stirdom → [sg:dupe 400349]
Group: core-security