Closed Bug 713797 Opened 12 years ago Closed 12 years ago

"ASSERTION: unable to transplant wrappers, probably OOM" with nearNativeStackLimit, document.write

Categories

(Core :: DOM: Navigation, defect)

x86_64
macOS
defect
Not set
critical

RESOLVED WORKSFORME

People

(Reporter: jruderman, Assigned: bholley)

(Keywords: assertion, sec-moderate, testcase, Whiteboard: [sg:moderate])

Attachments

(2 files)

With
  user_pref("javascript.options.methodjit_always", true);
  user_pref("javascript.options.typeinference", false);

The testcase triggers on load:
  ###!!! ASSERTION: unable to transplant wrappers, probably OOM: 'Error', file dom/base/nsGlobalWindow.cpp, line 2102

And on quit:
  Assertion failure: JSVAL_IS_DOUBLE_IMPL(data), at jsapi.h:616

I can reproduce with https://ftp.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-central-macosx64-debug/1325012838/ but not with a local build. I guess it's just that fragile.

The testcase is similar to the one in bug 700202 (fixed by sfink), while the first assertion failure is similar to the one in bug 660517 (fixed by waldo).
Attached file stack trace
I think this will be fixed when we no longer push fake stack frames to enter compartments, but I haven't looked at it in a debugger to verify that.
Can you add a dependency for that?
Maybe [sg:moderate] because users won't be turning off type inference, or is that simply a way to more reliably reproduce with this testcase?
Whiteboard: [sg:moderate]
I'm pretty sure the TI=false requirement is just fragility of the testcase. nearNativeStackLimit testcases tend to be fragile like that :(
Whiteboard: [sg:moderate]
Just so it's better than blank we're going to stick with [sg:moderate] and blame it on the fragility, then.
Assignee: nobody → bobbyholley+bmo
Whiteboard: [sg:moderate]
I believe we just MOZ_CRASH now if the transplant fails, which means that this is at worst a DoS.

Jesse, is this still reproducible?
Flags: needinfo?(jruderman)
WFM now.  No assertions or crashes.

JavaScript error: , line 0: too much recursion
WARNING: NS_ENSURE_SUCCESS(rv, rv) failed with result 0x8000FFFF: file ../../../dom/base/nsDOMClassInfo.cpp, line 6476
WARNING: NS_ENSURE_SUCCESS(rv, rv) failed with result 0x8000FFFF: file ../../../dom/base/nsDOMClassInfo.cpp, line 7255
WARNING: NS_ENSURE_SUCCESS(rv, rv) failed with result 0x80004005: file ../../../../../content/html/document/src/nsHTMLDocument.cpp, line 1524
[Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsIDOMHTMLDocument.write]"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: file:///Users/jruderman/Desktop/a-a.html :: <TOP_LEVEL> :: line 10"  data: no]
259
Status: NEW → RESOLVED
Closed: 12 years ago
Flags: needinfo?(jruderman)
Resolution: --- → WORKSFORME
Group: core-security → core-security-release
Group: core-security-release