Closed
Bug 605672
Opened 14 years ago
Closed 14 years ago
"ASSERTION: Incorrect scope passed"
Categories
(Core :: XPConnect, defect)
Tracking
()
People
(Reporter: jruderman, Assigned: peterv)
References
Details
(4 keywords, Whiteboard: [sg:critical?])
Attachments
(8 files)
505 bytes,
image/svg+xml
|
Details | |
3.55 KB,
text/plain
|
Details | |
703 bytes,
text/html
|
Details | |
11.78 KB,
text/plain
|
Details | |
8.36 KB,
patch
|
jst
:
review+
|
Details | Diff | Splinter Review |
11.36 KB,
patch
|
jst
:
review+
|
Details | Diff | Splinter Review |
23.39 KB,
patch
|
christian
:
approval1.9.1.17+
|
Details | Diff | Splinter Review |
22.71 KB,
patch
|
christian
:
approval1.9.2.14+
|
Details | Diff | Splinter Review |
###!!! ASSERTION: Incorrect scope passed: 'wrapper->GetScope() == aOldScope', file js/src/xpconnect/src/xpcwrappednative.cpp, line 1506
Reporter | ||
Comment 1•14 years ago
|
||
Reporter | ||
Updated•14 years ago
|
blocking2.0: --- → ?
Comment 2•14 years ago
|
||
http://mxr.mozilla.org/mozilla-central/source/content/base/src/nsDOMDocumentType.cpp#271 271 nsCOMPtr<nsIDocument> oldOwnerDoc = 272 do_QueryInterface(nsContentUtils::GetDocumentFromContext()); It seems that we use an unrelated document as oldOwnerDoc. I'll attach a crash testcase.
Comment 3•14 years ago
|
||
Trunk, 1.9.2 and 1.9.1 are affected.
Reporter | ||
Updated•14 years ago
|
Whiteboard: [sg:critical?]
Reporter | ||
Comment 4•14 years ago
|
||
Comment 5•14 years ago
|
||
Peter, you've dealt with bugs like this before :)
Assignee: nobody → peterv
blocking2.0: ? → final+
Reporter | ||
Comment 6•14 years ago
|
||
I'm seeing cases where this assertion is followed by additional assertions, which is distracting and scary.
Assignee | ||
Comment 7•14 years ago
|
||
Comment 8•14 years ago
|
||
Peter, is this patch ready for review?
Assignee | ||
Updated•14 years ago
|
Attachment #490219 -
Flags: review?(jst)
Comment 9•14 years ago
|
||
Comment on attachment 490219 [details] [diff] [review] v1 r=jst
Attachment #490219 -
Flags: review?(jst) → review+
Comment 10•14 years ago
|
||
Landed: http://hg.mozilla.org/mozilla-central/rev/78df45be19d1
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Comment 11•14 years ago
|
||
This ended up actually causing test failures, except the test failures were hidden because of cross compartment adoptNode throwing. Once the fix for bug 601803 landed the assertions that this patch introduced showed up. Now I'm not 100% sure that backing this out instead of backing out the fix for bug 601803 was the right thing to do, but given that bug 601803 is a beta blocker, and this is not, I decided to back this out instead. And bug 615763 was filed after this landed as well, which seems to suggest that something really wasn't right with this change.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Comment 12•14 years ago
|
||
http://hg.mozilla.org/mozilla-central/rev/e243ef4f1e0e (backout) http://hg.mozilla.org/mozilla-central/rev/0ff6d5984287 (merge)
Comment 13•14 years ago
|
||
The failures caused by the combination of this and the adoptNode fix was these: REFTEST TEST-UNEXPECTED-FAIL | file:///home/cltbld/talos-slave/mozilla-central_fedora-debug_test-crashtest/build/reftest/tests/editor/libeditor/html/crashtests/382778-1.html | assertion count 1 is more than expected 0 assertions REFTEST TEST-UNEXPECTED-FAIL | file:///home/cltbld/talos-slave/mozilla-central_fedora-debug_test-crashtest/build/reftest/tests/editor/libeditor/base/crashtests/382527-1.html | assertion count 1 is more than expected 0 assertions REFTEST TEST-UNEXPECTED-FAIL | file:///home/cltbld/talos-slave/mozilla-central_fedora-debug_test-crashtest/build/reftest/tests/js/src/xpconnect/crashtests/346512-1.xhtml | assertion count 1 is more than expected 0 assertions
Assignee | ||
Comment 14•14 years ago
|
||
This should fix the orange. The problem only happened when adopting nodes with children. We were using the toplevel node's wrapper as the scope, but because adopting traverses the tree downwards that wrapper was the first to be reparented and moved to the new scope. Using it as the scope for all the descendants was wrong. I ended up removing the aOldScope argument altogether, we should just use the existing wrapper of every node when reparenting it.
Attachment #494984 -
Flags: review?(jst)
Comment 15•14 years ago
|
||
Comment on attachment 494984 [details] [diff] [review] v1 followup Thanks peterv! r=jst
Attachment #494984 -
Flags: review?(jst) → review+
Comment 16•14 years ago
|
||
Re-landed v1 and also landed the followup fix. http://hg.mozilla.org/mozilla-central/rev/3b2d178f7299 http://hg.mozilla.org/mozilla-central/rev/e52f4987ec94
Status: REOPENED → RESOLVED
Closed: 14 years ago → 14 years ago
Resolution: --- → FIXED
I backed this out to investigate whether it caused bug 617048: http://hg.mozilla.org/mozilla-central/pushloghtml?changeset=c7b784648b02
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
So based on the backout, either this or bug 588873 caused bug 617048. (I think my money is on bug 588873.) I think it's ok to reland this after beta8 ships, but make sure it doesn't reland the same day as bug 588873.
Assignee | ||
Comment 19•14 years ago
|
||
I relanded this, I'll be monitoring crash-stats. http://hg.mozilla.org/mozilla-central/rev/83cb5ea3fe30 http://hg.mozilla.org/mozilla-central/rev/ad8da8012e3a
Status: REOPENED → RESOLVED
Closed: 14 years ago → 14 years ago
Resolution: --- → FIXED
I think this needs to be backported, it's most likely what is causing cross_fuzz bugs on 3.6 and 3.5.
Given that bug 622456 is a dupe I think this should block the next stable releases.
blocking1.9.1: --- → ?
blocking1.9.2: --- → ?
Assignee | ||
Comment 23•14 years ago
|
||
The patches need small changes, I'm working on merging.
Comment 24•14 years ago
|
||
We would like to get these patches into the branches today, as the fuzzer is public (and we are now past code freeze). Is that possible? This should take priority over FF4 work FWIW.
Assignee | ||
Comment 25•14 years ago
|
||
I'm trying to get them done. I have patches that build but am currently running mochitests since the patches are a bit different and I want to make sure I didn't break anything while merging.
Attachment #505151 -
Flags: approval1.9.1.17? → approval1.9.1.17+
Attachment #505231 -
Flags: approval1.9.2.14? → approval1.9.2.14+
Comment 28•14 years ago
|
||
Landed on branches: http://hg.mozilla.org/releases/mozilla-1.9.1/rev/8465508094bc http://hg.mozilla.org/releases/mozilla-1.9.2/rev/d7c24aa07c30
status1.9.1:
--- → .17-fixed
status1.9.2:
--- → .14-fixed
Comment 29•13 years ago
|
||
Verified crash in 1.9.1.16 with crashtest and fix in 1.9.1.17 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.17) Gecko/20110121 Firefox/3.5.17 ( .NET CLR 3.5.30729). Verified crash in 1.9.2.13 with crashtest and fix in 1.9.2.14 with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.14) Gecko/20110121 Firefox/3.6.14 ( .NET CLR 3.5.30729).
Keywords: verified1.9.1,
verified1.9.2
Updated•13 years ago
|
Group: core-security
Reporter | ||
Comment 30•13 years ago
|
||
http://hg.mozilla.org/mozilla-central/rev/90c1ab45b6c5
Flags: in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•