Closed
Bug 660517
Opened 13 years ago
Closed 13 years ago
"ASSERTION: unable to transplant wrappers, probably OOM"
Categories
(Core :: JavaScript Engine, defect)
Core
JavaScript Engine
Tracking
()
RESOLVED
FIXED
mozilla6
People
(Reporter: jruderman, Assigned: Waldo)
References
Details
(Keywords: assertion, regression, testcase, Whiteboard: [sg:critical?] [landed m-c 6/27] [JST likes] fixed-in-tracemonkey [qa-])
Attachments
(3 files)
|
461 bytes,
text/html
|
Details | |
|
1.11 KB,
text/plain
|
Details | |
|
3.82 KB,
patch
|
mrbkap
:
review+
asa
:
approval-mozilla-aurora+
asa
:
approval-mozilla-beta+
|
Details | Diff | Splinter Review |
###!!! ASSERTION: unable to transplant wrappers, probably OOM: 'Error', file dom/base/nsGlobalWindow.cpp, line 2096 (It's not OOM.) And there are also several errors from chrome code in tabbrowser.xml and nsLoginManager.js, which is worrisome: JavaScript error: , line 0: uncaught exception: [Exception... "Could not convert Native argument arg 0 [nsIWebProgress.DOMWindow]" nsresult: "0x8057000a (NS_ERROR_XPC_BAD_CONVERT_NATIVE)" location: "JS frame :: chrome://browser/content/tabbrowser.xml :: <TOP_LEVEL> :: line 605" data: no] [Exception... "Could not convert Native argument arg 0 [nsIWebProgress.DOMWindow]" nsresult: "0x8057000a (NS_ERROR_XPC_BAD_CONVERT_NATIVE)" location: "JS frame :: resource:///components/nsLoginManager.js :: <TOP_LEVEL> :: line 285" data: no] JavaScript error: , line 0: uncaught exception: [Exception... "Could not convert Native argument arg 0 [nsIWebProgress.DOMWindow]" nsresult: "0x8057000a (NS_ERROR_XPC_BAD_CONVERT_NATIVE)" location: "JS frame :: chrome://browser/content/tabbrowser.xml :: <TOP_LEVEL> :: line 547" data: no]
|
Reporter | |
Comment 1•13 years ago
|
||
|
||
Comment 2•13 years ago
|
||
(In reply to comment #0) > (It's not OOM.) No, it's the next best thing: E4X! The exception and assertion stem from the fact that we refuse to wrap E4X objects in proxies. When we navigate back, we need to transplant the old outer window into a proxy, including its prototype. But that fails in this case. Is there any way that we can detect someone setting a wrapped native's prototype to an E4X object and throw then? Leaving this as security sensitive, though I'm not sure exactly what the consequences of a brain transplant failing are. My not-so-extensive experience says "zombies".
|
||
Comment 3•13 years ago
|
||
If we've got the wrong brain there's no telling what we could do, sg:high cross-origin stuff or maybe even sg:critical if there's chrome cross-compartment leakage.
Whiteboard: [sg:critical?]
|
||
Comment 4•13 years ago
|
||
Is there ever a reason to have an E4X object on a prototype chain?
|
|
||
Updated•13 years ago
|
status-firefox5:
--- → wontfix
status-firefox6:
--- → affected
status-firefox7:
--- → affected
tracking-firefox5:
--- → -
tracking-firefox6:
--- → +
tracking-firefox7:
--- → +
|
|
||
Comment 5•13 years ago
|
||
No.
|
Assignee | |
Comment 6•13 years ago
|
||
|
|
||
Updated•13 years ago
|
Attachment #539915 -
Flags: review?(mrbkap) → review+
|
|
||
Comment 8•13 years ago
|
||
Can we get this landed?
|
|
Assignee | |
Comment 9•13 years ago
|
||
http://hg.mozilla.org/tracemonkey/rev/a4d39f157859 Landed in TM 3.5h before comment 8. :-)
Component: XPConnect → JavaScript Engine
OS: Mac OS X → All
QA Contact: xpconnect → general
Hardware: x86_64 → All
Whiteboard: [sg:critical?] → [sg:critical?] fixed-in-tracemonkey
Target Milestone: --- → mozilla7
|
||
Comment 10•13 years ago
|
||
cdleary-bot mozilla-central merge info: http://hg.mozilla.org/mozilla-central/rev/a4d39f157859
|
|
||
Updated•13 years ago
|
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
|
|
||
Comment 11•13 years ago
|
||
This patch is good for 6, right? If so, please request beta approval for the patch!
|
|
||
Updated•13 years ago
|
Whiteboard: [sg:critical?] fixed-in-tracemonkey → [sg:critical?][needs Firefox6 approval request/landing] fixed-in-tracemonkey
|
|
Assignee | |
Comment 12•13 years ago
|
||
Comment on attachment 539915 [details] [diff] [review] Does what it says on the box, haven't tested original yet but expect goodness Yeah, this should be good for aurora/beta/&c.
Attachment #539915 -
Flags: approval-mozilla-beta?
Attachment #539915 -
Flags: approval-mozilla-aurora?
|
||
Comment 13•13 years ago
|
||
We'll get to this approval requests on Monday's 2pm PT triage.
Whiteboard: [sg:critical?][needs Firefox6 approval request/landing] fixed-in-tracemonkey → [sg:critical?] [landed m-c 6/27] [JST likes] fixed-in-tracemonkey
|
|
||
Updated•13 years ago
|
Attachment #539915 -
Flags: approval-mozilla-beta?
Attachment #539915 -
Flags: approval-mozilla-beta+
Attachment #539915 -
Flags: approval-mozilla-aurora?
Attachment #539915 -
Flags: approval-mozilla-aurora+
|
|
Assignee | |
Comment 14•13 years ago
|
||
http://hg.mozilla.org/releases/mozilla-beta/rev/fda101def1ec I guess the m-a a? wasn't necessary, because this landed before the last train departure, so it was already in mozilla-aurora and only had to land in mozilla-beta. No biggie, I guess. :-)
Target Milestone: mozilla7 → mozilla6
|
|
||
Comment 15•13 years ago
|
||
Appears to be a regression, does not happen on the 1.9.2 branch (worst case: the assertion doesn't exist but the problem does).
status1.9.2:
--- → unaffected
Keywords: regression
|
||
Comment 16•13 years ago
|
||
qa+ for verification in Firefox 7 using the attached testcase
Whiteboard: [sg:critical?] [landed m-c 6/27] [JST likes] fixed-in-tracemonkey → [sg:critical?] [landed m-c 6/27] [JST likes] fixed-in-tracemonkey [qa+]
|
|
||
Comment 17•13 years ago
|
||
Changing to qa- as this is an assertion.
Whiteboard: [sg:critical?] [landed m-c 6/27] [JST likes] fixed-in-tracemonkey [qa+] → [sg:critical?] [landed m-c 6/27] [JST likes] fixed-in-tracemonkey [qa-]
|
|
||
Updated•13 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•