Closed
Bug 670319
Opened 13 years ago
Closed 13 years ago
"ASSERTION: function object has parent of unknown class"
Categories: Core :: XPConnect, defect
Tracking: RESOLVED FIXED, mozilla9
People: Reporter: jruderman, Assigned: mrbkap
Details: Keywords: assertion, testcase, Whiteboard: [sg:critical?][qa-]
Attachments (3 files):
168 bytes, text/html
4.77 KB, text/plain
1.02 KB, patch (jst: review+, johnath: approval-mozilla-aurora+, johnath: approval-mozilla-beta+)
###!!! ASSERTION: function object has parent of unknown class!: 'Error', file js/src/xpconnect/src/xpcwrappednative.cpp, line 1759

###!!! ABORT: should have a slim wrapper: '!mFlattenedJSObject || IS_SLIM_WRAPPER(mFlattenedJSObject)', file js/src/xpconnect/src/xpccallcontext.cpp, line 199

Doesn't crash in opt. But the messages are scary, so security-sensitive for now.
Reporter
Comment 1•13 years ago
Comment 2•13 years ago
In particular, funobj->getParent() is a vanilla Object in this case. |obj| is a Proxy. We're coming through XPC_WN_CallMethod here, not quickstubs.
Updated•13 years ago
Whiteboard: [need answer from mrbkap]
Updated•13 years ago
Whiteboard: [need answer from mrbkap] → [sg:critical?][need answer from mrbkap]
Updated•13 years ago
status-firefox5: --- → wontfix
status-firefox6: --- → wontfix
status-firefox7: --- → affected
status-firefox8: --- → affected
tracking-firefox5: --- → -
tracking-firefox6: --- → -
tracking-firefox7: --- → +
tracking-firefox8: --- → +
Comment 4•13 years ago
jst says mrbkap agreed with the sg:critical? rating.
Whiteboard: [sg:critical?][need answer from mrbkap] → [sg:critical?]
Comment 5•13 years ago
Blake, this bug has been sitting for a while. What's the next step here?
status-firefox9: --- → affected
tracking-firefox9: --- → +
Assignee
Comment 6•13 years ago
The parent of the function object has to be either the security wrapper or the object itself. It can't be higher up on the prototype chain.
Attachment #556740 - Flags: review?(jst)
Updated•13 years ago
Attachment #556740 - Flags: review?(jst) → review+
Comment 7•13 years ago
mrbkap, can you get this landed? We'd like to consider this for branches too, and we're running really low on time for 7.
Assignee
Comment 8•13 years ago
Sorry, this actually landed the other day: http://hg.mozilla.org/mozilla-central/rev/ec2131a5351d
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Assignee
Updated•13 years ago
Target Milestone: --- → mozilla9
Comment 9•13 years ago
Comment on attachment 556740: Proposed fix

Assuming this just needs branch approvals? Or is there a compatibility reason you didn't request it?
Attachment #556740 - Flags: approval-mozilla-beta?
Attachment #556740 - Flags: approval-mozilla-aurora?
Comment 10•13 years ago
Comment on attachment 556740: Proposed fix

We discussed this in triage and agreed to approve it for both, but we're worried, purely because of the code it touches. Can we get some deep thinking about how to QA possible failure scenarios, and what (if anything) Cheng might watch for in feedback?
Attachment #556740 - Flags: approval-mozilla-beta?
Attachment #556740 - Flags: approval-mozilla-beta+
Attachment #556740 - Flags: approval-mozilla-aurora?
Attachment #556740 - Flags: approval-mozilla-aurora+
Comment 11•13 years ago
Poke?
Assignee
Comment 12•13 years ago
https://hg.mozilla.org/releases/mozilla-aurora/rev/009c64b64cf3
https://hg.mozilla.org/releases/mozilla-beta/rev/bca60a88782d
Updated•13 years ago
status1.9.2: --- → unaffected
Comment 13•13 years ago
qa- as no QA fix verification needed
Whiteboard: [sg:critical?] → [sg:critical?][qa-]
Updated•12 years ago
Group: core-security