Created attachment 388095 [details] testcase (crashes debug Firefox when loaded) Assertion failure: !cx->throwing, at /Users/jruderman/central/js/src/jsinterp.cpp:6702 Brendan once fixed another bug involving this assertion, in bug 455973. That bug also involved a throwing getter, but it involved leaving trace rather than XPConnect. It seems sketchy that a page-defined QI is called as part of nsContentUtils::CanCallerAccess! In a non-debug build, I get: Error: uncaught exception: [Exception... "Security error" code: "1000" nsresult: "0x805303e8 (NS_ERROR_DOM_SECURITY_ERR)" location: "file:///Users/jruderman/fuzzing/lithium/a.html Line: 2"]
WFM. Probably fixed by bug 503926, in which case chrome JS might still be able to trigger the assertion failure. Do we care?