"ASSERTION: Wrong scope, this is really bad!" with document.write on vanished about:blank

VERIFIED FIXED in Firefox 10

Status

()

Core
Document Navigation
VERIFIED FIXED
6 years ago
5 years ago

People

(Reporter: Jesse Ruderman, Assigned: hsivonen)

Tracking

(Blocks: 1 bug, {assertion, testcase})

Trunk
mozilla11
x86_64
Mac OS X
assertion, testcase
Points:
---
Dependency tree / graph
Bug Flags:
in-testsuite ?

Firefox Tracking Flags

(firefox8- wontfix, firefox9+ wontfix, firefox10+ verified, firefox11+ verified, firefox-esr1010+ verified, blocking1.9.2 .26+, status1.9.2 .26-fixed)

Details

(Whiteboard: [sg:critical][qa+] fixed by 693399)

Attachments

(2 attachments)

(Reporter)

Description

6 years ago
Created attachment 565880 [details]
testcase

###!!! ASSERTION: Wrong scope, this is really bad!: 'JS_GetGlobalForObject(cx, obj) == newScope', file content/base/src/nsDocument.cpp, line 3811

In the testcase, |d| is a temporary "about:blank" document, even once |w.document| is the "data:text/html,2" document.
(Reporter)

Comment 1

6 years ago
Created attachment 565881 [details]
stack trace
status-firefox10: --- → affected
status-firefox8: --- → affected
status-firefox9: --- → affected
(Reporter)

Comment 2

6 years ago
Can be followed by:

###!!! ASSERTION: Uh, mDocument doesn't match the current inner window document!: '!GetCurrentInnerWindow() || GetCurrentInnerWindow()->GetExtantDocument() == mDocument', file dom/base/nsGlobalWindow.cpp, line 1840
This is fundamentally the same setup as bug 693399.
Depends on: 693399
Assignee: nobody → hsivonen
(Assignee)

Comment 4

6 years ago
Bug 693399 landed. When it is made public, it would make sense to land the test case from this bug as a crashtest.
Flags: in-testsuite?
Whiteboard: [sg:critical] fixed by 693399

Updated

6 years ago
status-firefox11: --- → affected
status-firefox8: affected → wontfix
tracking-firefox10: --- → +
tracking-firefox11: --- → +
tracking-firefox8: --- → -
tracking-firefox9: --- → +
Should now be fixed on mozilla-central. Still leaving the bug open until the test lands (might as well, we have bug 693399 for the test)
status-firefox11: affected → fixed
Target Milestone: --- → mozilla11

Updated

6 years ago
status-firefox10: affected → fixed
status-firefox9: affected → wontfix
(Reporter)

Comment 6

6 years ago
> Still leaving the bug open until the test lands

Please don't do that. It breaks stats and after-fix.
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
This bug appears to affect 3.6.x
blocking1.9.2: --- → ?
status1.9.2: --- → wanted
blocking1.9.2: ? → .26+
Whiteboard: [sg:critical] fixed by 693399 → [sg:critical][qa+] fixed by 693399
status1.9.2: wanted → .26-fixed
Verified on recent Fx10 and Fx11 debug builds. Prior to the fix running the test case would show an assertion in the shell, but on the recent builds only a warning appears.
status-firefox10: fixed → verified
status-firefox11: fixed → verified
Verified fixed in debug trunk.
Status: RESOLVED → VERIFIED

Updated

5 years ago
status-firefox-esr10: --- → fixed
tracking-firefox-esr10: --- → 10+
Group: core-security
Verified fixed in debug Firefox 10.0.5esrpre 2012-05-31.
status-firefox-esr10: fixed → verified
You need to log in before you can comment on or make changes to this bug.