Closed
Bug 693250
Opened 13 years ago
Closed 13 years ago
"ASSERTION: Wrong scope, this is really bad!" with document.write on vanished about:blank
Categories
(Core :: DOM: Navigation, defect)
Tracking
()
People
(Reporter: jruderman, Assigned: hsivonen)
References
Details
(Keywords: assertion, testcase, Whiteboard: [sg:critical][qa+] fixed by 693399)
Attachments
(2 files)
###!!! ASSERTION: Wrong scope, this is really bad!: 'JS_GetGlobalForObject(cx, obj) == newScope', file content/base/src/nsDocument.cpp, line 3811 In the testcase, |d| is a temporary "about:blank" document, even once |w.document| is the "data:text/html,2" document.
Reporter | ||
Comment 1•13 years ago
|
||
Reporter | ||
Comment 2•13 years ago
|
||
Can be followed by: ###!!! ASSERTION: Uh, mDocument doesn't match the current inner window document!: '!GetCurrentInnerWindow() || GetCurrentInnerWindow()->GetExtantDocument() == mDocument', file dom/base/nsGlobalWindow.cpp, line 1840
Comment 3•13 years ago
|
||
This is fundamentally the same setup as bug 693399.
Depends on: CVE-2012-0442
Updated•13 years ago
|
Assignee: nobody → hsivonen
Assignee | ||
Comment 4•13 years ago
|
||
Bug 693399 landed. When it is made public, it would make sense to land the test case from this bug as a crashtest.
Flags: in-testsuite?
Updated•13 years ago
|
Whiteboard: [sg:critical] fixed by 693399
Updated•13 years ago
|
status-firefox11:
--- → affected
tracking-firefox10:
--- → +
tracking-firefox11:
--- → +
tracking-firefox8:
--- → -
tracking-firefox9:
--- → +
Comment 5•13 years ago
|
||
Should now be fixed on mozilla-central. Still leaving the bug open until the test lands (might as well, we have bug 693399 for the test)
Target Milestone: --- → mozilla11
Updated•13 years ago
|
Reporter | ||
Comment 6•13 years ago
|
||
> Still leaving the bug open until the test lands
Please don't do that. It breaks stats and after-fix.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Comment 7•13 years ago
|
||
This bug appears to affect 3.6.x
blocking1.9.2: --- → ?
status1.9.2:
--- → wanted
Updated•13 years ago
|
blocking1.9.2: ? → .26+
Whiteboard: [sg:critical] fixed by 693399 → [sg:critical][qa+] fixed by 693399
Updated•12 years ago
|
Comment 8•12 years ago
|
||
Verified on recent Fx10 and Fx11 debug builds. Prior to the fix running the test case would show an assertion in the shell, but on the recent builds only a warning appears.
Updated•12 years ago
|
status-firefox-esr10:
--- → fixed
tracking-firefox-esr10:
--- → 10+
Updated•12 years ago
|
Group: core-security
Comment 10•12 years ago
|
||
Verified fixed in debug Firefox 10.0.5esrpre 2012-05-31.
You need to log in
before you can comment on or make changes to this bug.
Description
•