Closed Bug 623850 Opened 14 years ago Closed 13 years ago

"ASSERTION: Why are we being called with a pending exception?" in nsJSContext::CompileEventHandler after pushState

Categories

(Core :: DOM: Core & HTML, defect)

x86
macOS
defect
Not set
normal

RESOLVED DUPLICATE of bug 637116

People

(Reporter: jruderman, Assigned: mrbkap)

Details

(Keywords: assertion, testcase)

Attachments

(4 files)

Attached file testcase 1
###!!! ASSERTION: Why are we being called with a pending exception?: '!::JS_IsExceptionPending(mContext)', file dom/base/nsJSEnvironment.cpp, line 2014
Group: core-security
Attachment #501938 - Attachment is private: false
Attached file stack for testcase 1
Attached file testcase 2
Triggers the same assertion as testcase 1, plus this fatal assertion:

Assertion failure: compartment mismatched, at js/src/jscntxtinlines.h:542

(JS_SetPendingException)
Attached file stacks for testcase 2
Make mismatches always blocking 2.0
status2.0: --- → ?
Are you sure this is TM tip/m-c? I think I fixed this bug (the mismatch part).
The "compartment mismatch" part seems to be gone (mozilla-central badef0f336d2).
I can't judge the severity of the rest of the bug. jst?
status2.0: ? → ---
Assignee: nobody → jst
Whiteboard: [sg:needinfo]
Whiteboard: [sg:needinfo]
This is not a security bug. Per mrbkap's debugging, the problem here is that we call pushState() on an iframe, running on the calling window's context, then pushState() does its JSON serialization on the iframe's context and ends up leaving a pending exception hanging on that context. Then, next time we end up doing things on the iframe's context, we see the pending exception and assert.

While this is wrong, it's effectively harmless. Opening this bug up. mrbkap will look at this once Firefox 4 is out the door.
Assignee: jst → mrbkap
Group: core-security
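
The failure mode described in the comment above, as an added C++ model that is not Gecko or SpiderMonkey code and not part of the original bug. `Context`, `serialize`, `canCompileHandler`, `BorrowedContext` and both `pushState*` functions are hypothetical names, and the guard shows one possible discipline, not the fix that landed.

```cpp
// Constructed model of the invariant; not Gecko or SpiderMonkey code.
#include <string>

// Like a JSContext, a context carries at most one pending exception.
struct Context {
    bool hasPending = false;
    std::string pending;
};

// Stand-in for JSON serialization: on failure it leaves an exception
// pending on the context it ran on and returns false.
bool serialize(Context& cx, bool serializable) {
    if (!serializable) {
        cx.hasPending = true;
        cx.pending = "serialization failed (constructed)";
    }
    return serializable;
}

// Stand-in for the precondition the assertion checks on entry.
bool canCompileHandler(const Context& cx) { return !cx.hasPending; }

// Hypothetical guard: when work borrowed from another context ends,
// move any exception it left behind onto the caller's context.
class BorrowedContext {
public:
    BorrowedContext(Context& caller, Context& target) : caller_(caller), target_(target) {}
    ~BorrowedContext() {
        if (!target_.hasPending) return;
        caller_.hasPending = true;
        caller_.pending = target_.pending;
        target_.hasPending = false;
        target_.pending.clear();
    }
    Context& cx() { return target_; }
private:
    Context& caller_;
    Context& target_;
};

// Pattern from the comment: work runs on the iframe's context, no cleanup.
bool pushStateLeaky(Context&, Context& iframe, bool ok) { return serialize(iframe, ok); }

bool pushStateGuarded(Context& caller, Context& iframe, bool ok) {
    BorrowedContext borrowed(caller, iframe);
    return serialize(borrowed.cx(), ok);
}

int main() { Context a, b; return pushStateGuarded(a, b, false) || !a.hasPending; }
```

In the leaky variant the iframe's context fails the entry check on its next use, which is the point where the assertion fires; in the guarded variant the caller sees the error and the iframe's context stays clean.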
This has been fixed, presumably by Bug 637116.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE
Component: DOM → DOM: Core & HTML