Closed Bug 693250 Opened 13 years ago Closed 13 years ago

"ASSERTION: Wrong scope, this is really bad!" with document.write on vanished about:blank

Categories

(Core :: DOM: Navigation, defect)

x86_64
macOS
defect
Not set
normal

Tracking

VERIFIED FIXED
mozilla11
Tracking Status
firefox8 - wontfix
firefox9 + wontfix
firefox10 + verified
firefox11 + verified
firefox-esr10 10+ verified
blocking1.9.2 --- .26+
status1.9.2 --- .26-fixed

People

(Reporter: jruderman, Assigned: hsivonen)

References

Details

(Keywords: assertion, testcase, Whiteboard: [sg:critical][qa+] fixed by 693399)

Attachments

(2 files)

Attached file testcase
###!!! ASSERTION: Wrong scope, this is really bad!: 'JS_GetGlobalForObject(cx, obj) == newScope', file content/base/src/nsDocument.cpp, line 3811

In the testcase, |d| is a temporary "about:blank" document, even once |w.document| is the "data:text/html,2" document.
Attached file stack trace
Can be followed by:

###!!! ASSERTION: Uh, mDocument doesn't match the current inner window document!: '!GetCurrentInnerWindow() || GetCurrentInnerWindow()->GetExtantDocument() == mDocument', file dom/base/nsGlobalWindow.cpp, line 1840
This is fundamentally the same setup as bug 693399.
Depends on: CVE-2012-0442
Assignee: nobody → hsivonen
Bug 693399 landed. When it is made public, it would make sense to land the test case from this bug as a crashtest.
Flags: in-testsuite?
Whiteboard: [sg:critical] fixed by 693399
Should now be fixed on mozilla-central. Still leaving the bug open until the test lands (might as well, we have bug 693399 for the test).
Target Milestone: --- → mozilla11
> Still leaving the bug open until the test lands

Please don't do that. It breaks stats and after-fix.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
This bug appears to affect 3.6.x
blocking1.9.2: --- → ?
blocking1.9.2: ? → .26+
Whiteboard: [sg:critical] fixed by 693399 → [sg:critical][qa+] fixed by 693399
Verified on recent Fx10 and Fx11 debug builds. Prior to the fix, running the test case would show an assertion in the shell, but on the recent builds only a warning appears.
Verified fixed in debug trunk.
Status: RESOLVED → VERIFIED
Group: core-security
Verified fixed in debug Firefox 10.0.5esrpre 2012-05-31.