Closed Bug 648206 Opened 9 years ago Closed 9 years ago

"ASSERTION: bad this object in get" or crash [@ xpc::holder_get] with InstallTrigger

Categories

(Core :: XPConnect, defect)

x86
macOS

RESOLVED FIXED
mozilla6
Tracking Status
firefox5 --- affected
firefox6 --- fixed
status1.9.2 --- unaffected
status1.9.1 --- unaffected

People

(Reporter: jruderman, Assigned: mrbkap)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, crash, testcase, Whiteboard: [sg:critical?] fixed-in-tracemonkey)

Attachments

(3 files)

Symptoms are exactly the same as old bug 608963:

Debug:

###!!! ASSERTION: bad this object in set: 'wrapper->isProxy()', file js/src/xpconnect/wrappers/XrayWrapper.cpp, line 207

Assertion failure: isProxy(), at jsproxy.h:193

Opt:

Crash bp-8c6523b2-2b06-4848-9cbb-089062110406 [@ xpc::holder_set ]

Filing as security-sensitive because InstallTrigger/wrappers is a sensitive area.
Attached patch Proposed fix v1
So, this is one fix for this bug. The other fix that I considered (albeit not for very long) was just to throw in this case. In other words, you wouldn't be allowed to use an Xray wrapper as the prototype of another object. I wasn't sure if there might be a use-case for that though, so I backed off.
Assignee: nobody → mrbkap
Status: NEW → ASSIGNED
Attachment #525190 - Flags: review?(gal)
Comment on attachment 525190
Proposed fix v1

Common out the code?
Attachment #525190 - Flags: review?(gal) → review+
This appears to have been merged to mozilla-central and is currently on Aurora(6) but not Beta(5). That's probably a fine state to be in since it's internally discovered and old supported releases don't have Xray wrappers.

Taking a swag at a sg:critical rating.
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Whiteboard: fixed-in-tracemonkey → [sg:critical?] fixed-in-tracemonkey
Target Milestone: --- → mozilla6
Crash Signature: [@ xpc::holder_get]
Group: core-security