"ASSERTION: ownerDocument changed again after adopting!" with mutation event

RESOLVED FIXED in Firefox 5

Status

()

defect
RESOLVED FIXED
9 years ago
2 months ago

People

(Reporter: jruderman, Assigned: peterv)

Tracking

(Blocks 2 bugs, {assertion, testcase})

Trunk
mozilla5
x86
macOS
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(firefox5 fixed, blocking1.9.2 .18+, status1.9.2 .18-fixed, status1.9.1 .20-fixed)

Details

(Whiteboard: [sg:high?] [qa-examined-192])

Attachments

(4 attachments, 1 obsolete attachment)

Reporter

Description

9 years ago
Posted file testcase
###!!! ASSERTION: ownerDocument changed again after adopting!: 'HasSameOwnerDoc(newContent) && doc == GetOwnerDoc()', file content/base/src/nsGenericElement.cpp, line 4066
Reporter

Comment 1

9 years ago
Posted file stack trace
Assignee

Comment 3

8 years ago
Closing this. Having a node in one document with a different ownerDocument might lead to cross-origin information leaks?
Blocks: 418755
Group: core-security
Whiteboard: [sg:high?]
Assignee

Comment 4

8 years ago
Posted patch v1 (obsolete) — Splinter Review
Needs some more testing.
Assignee: nobody → peterv
Status: NEW → ASSIGNED
Assignee

Comment 5

8 years ago
Posted patch v1.1Splinter Review
Attachment #513082 - Attachment is obsolete: true
Attachment #517440 - Flags: review?(bzbarsky)
Comment on attachment 517440 [details] [diff] [review]
v1.1

r=me
Attachment #517440 - Flags: review?(bzbarsky) → review+
Assignee

Comment 7

8 years ago
http://hg.mozilla.org/mozilla-central/rev/12ea0bd80e2e
Status: ASSIGNED → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → FIXED
Assignee

Updated

8 years ago
Attachment #517440 - Flags: approval1.9.2.18?
Attachment #517440 - Flags: approval1.9.1.20?
blocking1.9.2: --- → .18+
Target Milestone: --- → mozilla5
Comment on attachment 517440 [details] [diff] [review]
v1.1

Is this patch really going to work on the branches as-is?

Comment 9

8 years ago
Need an answer to comment 8 before we can approve.
Whiteboard: [sg:high?] → [sg:high?][need answer to comment 8 from peterv]
Assignee

Comment 10

8 years ago
Posted patch v1.1 (branch)Splinter Review
Here's the patch merged to the 1.9.2 branch.
Attachment #533336 - Flags: approval1.9.2.18?
Attachment #533336 - Flags: approval1.9.1.20?
Assignee

Updated

8 years ago
Attachment #517440 - Flags: approval1.9.2.18?
Attachment #517440 - Flags: approval1.9.1.20?
Comment on attachment 533336 [details] [diff] [review]
v1.1 (branch)

Approved for 1.9.2.18 and 1.9.1.20, a=dveditz for release-drivers
Attachment #533336 - Flags: approval1.9.2.18?
Attachment #533336 - Flags: approval1.9.2.18+
Attachment #533336 - Flags: approval1.9.1.20?
Attachment #533336 - Flags: approval1.9.1.20+
Assignee

Comment 12

8 years ago
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/b86d93d36a78
Whiteboard: [sg:high?][need answer to comment 8 from peterv] → [sg:high?]
Whiteboard: [sg:high?] → [sg:high?] [qa-examined-192]
Group: core-security
Component: DOM → DOM: Core & HTML
Product: Core → Core
You need to log in before you can comment on or make changes to this bug.