Closed Bug 622480 Opened 11 years ago Closed 11 years ago
"ASSERTION: Wrong scope, this is really bad!"
###!!! ASSERTION: SHEntry already contains viewer: '!aViewer || !mContentViewer', file docshell/shistory/src/nsSHEntry.cpp, line 240 ###!!! ASSERTION: Wrong scope, this is really bad!: 'JS_GetGlobalForObject(cx, obj) == newScope', file content/base/src/nsDocument.cpp, line 3796 The first assertion also happens in bug 622319, but the second assertion doesn't.
That first assert looks bad.
I'll look at this.
Assignee: nobody → Olli.Pettay
(though I don't know why this is sg:crit)
(In reply to comment #4) > (though I don't know why this is sg:crit) This can cause an XPCWrappedNative to be in an XPCWrappedNativeScope that it doesn't expect, causing possible free'd memory writes after the wrapped native gets collected (see also bug 555109).
Happens also on 1.9.2
Whiteboard: [sg:critical?] → [sg:critical?], softblocker
Whiteboard: [sg:critical?], softblocker → [sg:critical?][softblocker]
Attachment #504755 - Flags: review?(bzbarsky)
Comment on attachment 504755 [details] [diff] [review] patch Looks good.
Attachment #504755 - Flags: review?(bzbarsky) → review+
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.