Bug 713797 (Closed)
Opened 12 years ago, closed 12 years ago
"ASSERTION: unable to transplant wrappers, probably OOM" with nearNativeStackLimit, document.write
Categories: Core :: DOM: Navigation, defect
Status: RESOLVED WORKSFORME
People: Reporter: jruderman, Assigned: bholley
Details: Keywords: assertion, sec-moderate, testcase; Whiteboard: [sg:moderate]
Attachments: 2 files
With
user_pref("javascript.options.methodjit_always", true);
user_pref("javascript.options.typeinference", false);

The testcase triggers on load:
###!!! ASSERTION: unable to transplant wrappers, probably OOM: 'Error', file dom/base/nsGlobalWindow.cpp, line 2102

And on quit:
Assertion failure: JSVAL_IS_DOUBLE_IMPL(data), at jsapi.h:616

I can reproduce with https://ftp.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-central-macosx64-debug/1325012838/ but not with a local build. I guess it's just that fragile.

The testcase is similar to the one in bug 700202 (fixed by sfink), while the first assertion failure is similar to the one in bug 660517 (fixed by waldo).
Reporter
Comment 1•12 years ago
Comment 2•12 years ago
I think this will be fixed when we no longer push fake stack frames to enter compartments, but I haven't looked at it in a debugger to verify that.
Reporter
Comment 3•12 years ago
Can you add a dependency for that?
Comment 4•12 years ago
Maybe [sg:moderate] because users won't be turning off type inference, or is that simply a way to more reliably reproduce with this testcase?
Whiteboard: [sg:moderate]
Reporter
Comment 5•12 years ago
I'm pretty sure the TI=false requirement is just fragility of the testcase. nearNativeStackLimit testcases tend to be fragile like that :(
Whiteboard: [sg:moderate]
Comment 6•12 years ago
Just so it's better than blank we're going to stick with [sg:moderate] and blame it on the fragility, then.
Assignee: nobody → bobbyholley+bmo
Whiteboard: [sg:moderate]
Updated•12 years ago
Keywords: sec-moderate
Assignee
Comment 7•12 years ago
I believe we just MOZ_CRASH now if the transplant fails, which means that this is at worst a DoS. Jesse, is this still reproducible?
Assignee
Updated•12 years ago
Flags: needinfo?(jruderman)
Reporter
Comment 8•12 years ago
WFM now. No assertions or crashes.

JavaScript error: , line 0: too much recursion
WARNING: NS_ENSURE_SUCCESS(rv, rv) failed with result 0x8000FFFF: file ../../../dom/base/nsDOMClassInfo.cpp, line 6476
WARNING: NS_ENSURE_SUCCESS(rv, rv) failed with result 0x8000FFFF: file ../../../dom/base/nsDOMClassInfo.cpp, line 7255
WARNING: NS_ENSURE_SUCCESS(rv, rv) failed with result 0x80004005: file ../../../../../content/html/document/src/nsHTMLDocument.cpp, line 1524
[Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsIDOMHTMLDocument.write]" nsresult: "0x80004005 (NS_ERROR_FAILURE)" location: "JS frame :: file:///Users/jruderman/Desktop/a-a.html :: <TOP_LEVEL> :: line 10" data: no]
259
Status: NEW → RESOLVED
Closed: 12 years ago
Flags: needinfo?(jruderman)
Resolution: --- → WORKSFORME
Updated•9 years ago
Group: core-security → core-security-release
Updated•7 years ago
Group: core-security-release