If you think a bug might affect users in the 57 release, please set the correct tracking and status flags for Release Management.

"Assertion failure: !cx->throwing" with QI getter that throws

RESOLVED WORKSFORME

Status

()

Core
XPConnect
--
critical
RESOLVED WORKSFORME
8 years ago
7 years ago

People

(Reporter: Jesse Ruderman, Unassigned)

Tracking

(Blocks: 2 bugs, {assertion, testcase})

Trunk
x86
Mac OS X
assertion, testcase
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(2 attachments)

(Reporter)

Description

8 years ago
Created attachment 388095 [details]
testcase (crashes debug Firefox when loaded)

Assertion failure: !cx->throwing, at /Users/jruderman/central/js/src/jsinterp.cpp:6702

Brendan once fixed another bug involving this assertion, in bug 455973.  That bug also involved a throwing getter, but it involved leaving trace rather than XPConnect.

It seems sketchy that a page-defined QI is called as part of nsContentUtils::CanCallerAccess!  In a non-debug build, I get:

Error: uncaught exception: [Exception... "Security error"  code: "1000" nsresult: "0x805303e8 (NS_ERROR_DOM_SECURITY_ERR)"  location: "file:///Users/jruderman/fuzzing/lithium/a.html Line: 2"]
(Reporter)

Comment 1

8 years ago
Created attachment 388096 [details]
stack trace for the assertion
(Reporter)

Updated

8 years ago
Blocks: 503700
(Reporter)

Comment 2

7 years ago
WFM.

Probably fixed by bug 503926, in which case chrome JS might still be able to trigger the assertion failure. Do we care?
(Reporter)

Updated

7 years ago
Status: NEW → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.