Created attachment 501938 [details] testcase 1 ###!!! ASSERTION: Why are we being called with a pending exception?: '!::JS_IsExceptionPending(mContext)', file dom/base/nsJSEnvironment.cpp, line 2014
Created attachment 501940 [details] testcase 2 Triggers the same assertion as testcase 1, plus this fatal assertion: Assertion failure: compartment mismatched, at js/src/jscntxtinlines.h:542 (JS_SetPendingException)
Make mismatches always blocking 2.0
Are you sure this is TM tip/m-c? I think I fixed this bug (the mismatch part).
The "compartment mismatch" part seems to be gone (mozilla-central badef0f336d2).
I can't judge the severity of the rest of the bug. jst?
This is not a security bug. Per mrbkap's debugging the problem here is that we call pushState() on an iframe, running on the calling window's context, then pushState() does its JSON serialization on the iframe's context and ends up leaving a pending exception hanging on that context. Then, next time we end up doing things on the iframe's context we see the pending exception and assert. While this is wrong, it's effectively harmless. Opening this bug up. mrbkap will look at this once Firefox 4 is out the door.
This has been fixed, presumably by Bug 637116.