Closed Bug 622480 Opened 11 years ago Closed 11 years ago

"ASSERTION: Wrong scope, this is really bad!"

Categories

Component: Core :: DOM: Navigation
Type: defect
Platform: x86 / macOS
Priority: Not set
Severity: normal

Tracking

Status: RESOLVED FIXED
Tracking Status: blocking2.0 --- betaN+

People

(Reporter: jruderman, Assigned: smaug)

Details

(Keywords: assertion, testcase, Whiteboard: [sg:critical?][softblocker])

Attachments

(3 files)

Attached file testcase
###!!! ASSERTION: SHEntry already contains viewer: '!aViewer || !mContentViewer', file docshell/shistory/src/nsSHEntry.cpp, line 240

###!!! ASSERTION: Wrong scope, this is really bad!: 'JS_GetGlobalForObject(cx, obj) == newScope', file content/base/src/nsDocument.cpp, line 3796

The first assertion also happens in bug 622319, but the second assertion doesn't.
Attached file stack traces
That first assert looks bad.
Whiteboard: [sg:critical?]
I'll look at this.
Assignee: nobody → Olli.Pettay
(though I don't know why this is sg:crit)
(In reply to comment #4)
> (though I don't know why this is sg:crit)

This can cause an XPCWrappedNative to be in an XPCWrappedNativeScope that it doesn't expect, causing possible freed-memory writes after the wrapped native gets collected (see also bug 555109).
blocking2.0: --- → betaN+
Happens also on 1.9.2
Whiteboard: [sg:critical?] → [sg:critical?], softblocker
Whiteboard: [sg:critical?], softblocker → [sg:critical?][softblocker]
So this has something to do with javascript: URLs and artificial about:blank documents which are created only for javascript: URLs... still debugging...
Attached patch patch
(Don't know who else could review this)

So, this is the simplest fix I could think of. This was for some reason very tricky to debug. The problem is that first a content viewer is created for javascript:. Then, when reloading, because of the about:blank creation, we end up calling contentviewer->Close(mOSHE), although we're just reloading mOSHE. A new content viewer is then created, which will then have the same nsSHEntry, and the content viewer will be re-cached when a third content viewer is loaded into the docshell.
Attachment #504755 - Flags: review?(bzbarsky)
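A simplified model of the sequence described in the comment above, written as an added example for this page; it is not Gecko's code and is not the attached patch. The SHEntry and ContentViewer types, CloseInto(), and the ReplayBeforeFix()/ReplayAfterFix() functions are hypothetical stand-ins for nsSHEntry, the content viewer and Close(mOSHE). The one rule modelled is the invariant the first assertion checks, '!aViewer || !mContentViewer': a history entry may hold at most one cached viewer. The "after fix" path assumes the patch's intent (the patch is not shown on the page): a reload of mOSHE must not park the current viewer into mOSHE itself.

```cpp
#include <cstdio>
#include <memory>
#include <string>
#include <utility>

// Hypothetical stand-in for a content viewer; only the name matters here.
struct ContentViewer {
    std::string name;
};

// Hypothetical stand-in for nsSHEntry: an entry may cache at most one viewer.
// SetContentViewer enforces the invariant that nsSHEntry.cpp asserts:
// '!aViewer || !mContentViewer'.  Clearing (passing null) is always allowed.
struct SHEntry {
    std::unique_ptr<ContentViewer> mContentViewer;

    // Returns false and leaves the entry untouched where a Gecko debug build
    // would hit "SHEntry already contains viewer".
    bool SetContentViewer(std::unique_ptr<ContentViewer> aViewer) {
        if (aViewer && mContentViewer) {
            return false;
        }
        mContentViewer = std::move(aViewer);
        return true;
    }
};

// Model of Close(entry): the outgoing viewer is parked in the entry being
// left so it can be restored later.  Returns false if the entry already
// holds a viewer, i.e. a second viewer would be cached into the same entry.
bool CloseInto(SHEntry& entry, std::unique_ptr<ContentViewer> viewer) {
    return entry.SetContentViewer(std::move(viewer));
}

// Sequence from the comment, before the fix: the reload of mOSHE wrongly
// closes the javascript: viewer into mOSHE itself, the about:blank
// replacement viewer is tied to the same entry, and a third load closes that
// second viewer into the same entry.  Returns the step at which the invariant
// breaks, or 0 if it holds throughout.
int ReplayBeforeFix() {
    SHEntry mOSHE;
    auto first = std::make_unique<ContentViewer>();
    first->name = "javascript:";
    // Step 1: reload of mOSHE calls Close(mOSHE) on the current viewer.
    if (!CloseInto(mOSHE, std::move(first))) return 1;
    auto second = std::make_unique<ContentViewer>();
    second->name = "about:blank";
    // Step 2: a third viewer loads, so the second is closed into mOSHE too.
    if (!CloseInto(mOSHE, std::move(second))) return 2;
    return 0;
}

// Assumed intent of the fix: a reload of mOSHE does not close the current
// viewer into mOSHE; that viewer is simply replaced, so only the later
// navigation caches a viewer in the entry and the invariant holds.
int ReplayAfterFix() {
    SHEntry mOSHE;
    auto first = std::make_unique<ContentViewer>();
    first->name = "javascript:";
    first.reset();  // reload: discard instead of caching into the reloaded entry
    auto second = std::make_unique<ContentViewer>();
    second->name = "about:blank";
    if (!CloseInto(mOSHE, std::move(second))) return 2;
    return 0;
}

int main() {
    std::printf("before fix: invariant breaks at step %d\n", ReplayBeforeFix());
    std::printf("after fix:  invariant breaks at step %d\n", ReplayAfterFix());
    return 0;
}
```

The model stops at the point the first assertion fires. In the real engine the consequence of caching two viewers into one entry is what comment 5 describes: the document restored from the stale viewer can end up in an XPCWrappedNativeScope it was not created for (the second assertion, 'JS_GetGlobalForObject(cx, obj) == newScope'), and a wrapped native living in the wrong scope can be written to after it has been collected.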
Comment on attachment 504755 (patch)

Looks good.
Attachment #504755 - Flags: review?(bzbarsky) → review+
http://hg.mozilla.org/mozilla-central/rev/62157abe57bf
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Group: core-security