Closed Bug 648206 Opened 15 years ago Closed 14 years ago

"ASSERTION: bad this object in get" or crash [@ xpc::holder_get] with InstallTrigger

Categories

(Core :: XPConnect, defect)

Product:
Core
Component:
XPConnect
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla6
Tracking Flags:
Tracking Status
firefox5 - affected
firefox6 --- fixed
status1.9.2 --- unaffected
status1.9.1 --- unaffected

People

(Reporter: jruderman, Assigned: mrbkap)

Details

(Keywords: assertion, crash, testcase, Whiteboard: [sg:critical?] fixed-in-tracemonkey)

Crash Data

Attachments

(3 files)

testcase (crashes Firefox when loaded)
138 bytes, text/plain
Details
stack traces (mac debug)
11.25 KB, text/plain
Details
Proposed fix v1
2.77 KB, patch
gal
: review+
Details | Diff | Splinter Review
Symptoms are exactly the same as old bug 608963: Debug: ###!!! ASSERTION: bad this object in set: 'wrapper->isProxy()', file js/src/xpconnect/wrappers/XrayWrapper.cpp, line 207 Assertion failure: isProxy(), at jsproxy.h:193 Opt: Crash bp-8c6523b2-2b06-4848-9cbb-089062110406 [@ xpc::holder_set ] Filing as security-sensitive because InstallTrigger/wrappers is a sensitive area.
Attached patch Proposed fix v1Splinter Review
So, this is one fix for this bug. The other fix that I considered (albeit not for very long) was just to throw in this case. In other words, you wouldn't be allowed to use an Xray wrapper as the prototype of another object. I wasn't sure if there might be a use-case for that though, so I backed off.
Assignee: nobody → mrbkap
Status: NEW → ASSIGNED
Attachment #525190 - Flags: review?(gal)
Comment on attachment 525190 [details] [diff] [review] Proposed fix v1 Common out the code?
Attachment #525190 - Flags: review?(gal) → review+
This appears to have been merged to mozilla-central and is currently on Aurora(6) but not Beta(5). That's probably a fine state to be in since it's internally discovered and old supported releases don't have Xray wrappers. Taking a swag at a sg:critical rating.
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
status1.9.1: --- → unaffected
status1.9.2: --- → unaffected
status-firefox5: --- → affected
status-firefox6: --- → fixed
tracking-firefox5: --- → -
Resolution: --- → FIXED
Whiteboard: fixed-in-tracemonkey → [sg:critical?] fixed-in-tracemonkey
Target Milestone: --- → mozilla6
Crash Signature: [@ xpc::holder_get]
Group: core-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: