Closed Bug 735090 Opened 13 years ago Closed 11 years ago

"ASSERTION: This is not supposed to fail!: 'Error'" with nearNativeStackLimit

Categories

(Core :: DOM: Core & HTML, defect)

x86_64
macOS
defect
Not set
normal

Tracking

RESOLVED FIXED
Tracking Status
firefox-esr31 --- wontfix
b2g-v2.2 --- unaffected

People

(Reporter: jruderman, Unassigned)

References

Details

(Keywords: assertion, sec-moderate, testcase)

Attachments

(3 files)

Attached file testcase
###!!! ASSERTION: Uh, mDocument doesn't match the current inner window document!: '!GetCurrentInnerWindow() || GetCurrentInnerWindow()->GetExtantDocument() == mDocument', file dom/base/nsGlobalWindow.cpp, line 1888

And during shutdown:

###!!! ASSERTION: scope has non-empty map: '0 == mMainThreadWrappedNativeProtoMap->Count()', file js/xpconnect/src/XPCWrappedNativeScope.cpp, line 287

Also, there's a leak of XPCNativeScriptableInfo, XPCWrappedNativeProto, and nsDOMClassInfo.
Attached file stack trace
I tested with a 64-bit Mac debug build from Tinderbox:
https://ftp.mozilla.org/pub/mozilla.org/firefox/tinderbox-builds/mozilla-central-macosx64-debug/1331584352/

To reproduce on another build, you might need to tweak the numeric argument to nearNativeStackLimit, fix bug 735081, or fix bug 735082.
Is the first assertion the same thing as bug 717488? or an unrelated way of triggering that warning? The shutdown assert doesn't seem like a security issue, more of a leak.
Attached file testcase 2
The first test case (and the second, with the nearNativeStackLimit changed to 4) now produce this:

###!!! ASSERTION: This is not supposed to fail!: 'Error', file /Users/amccreight/mz/cent3/js/xpconnect/src/nsXPConnect.cpp, line 996
WARNING: NS_ENSURE_SUCCESS(rv, rv) failed with result 0x80004005: file /Users/amccreight/mz/cent3/dom/base/nsGlobalWindow.cpp, line 1686
###!!! ASSERTION: Failed to get script global and holder: 'NS_SUCCEEDED(rv) && newInnerWindow->mJSObject && mInnerWindowHolder', file /Users/amccreight/mz/cent3/dom/base/nsGlobalWindow.cpp, line 1884
WARNING: NS_ENSURE_SUCCESS(rv, rv) failed with result 0x80004005: file /Users/amccreight/mz/cent3/dom/base/nsGlobalWindow.cpp, line 1890
]]]] ++DOMWINDOW == 20 (0x11bc39c80) [serial = 20] [outer = 0x126c45000]
WARNING: window not set for document!: file /Users/amccreight/mz/cent3/layout/base/nsDocumentViewer.cpp, line 1258
Segmentation fault

It looks like what happens is that CreateNativeGlobalForInner fails due to hitting JS_CHECK_RECURSION in JSCompartment::wrap, then somehow we end up in SetNewDocument in the reUseInnerWindow case with currentInner equal to NULL, which this code does not really handle (there is a null check in one place oddly enough) and we get a null deref. That seems much less scary than the original assertion, and seems more like a DOM bug. I suppose by tweaking things more it is possible to recreate the original assertion, but I tried a handful of values and wasn't able to.
Summary: "ASSERTION: scope has non-empty map" with nearNativeStackLimit → "ASSERTION: This is not supposed to fail!: 'Error'" with nearNativeStackLimit
Component: XPConnect → DOM
Keywords: sec-moderate
Depends on: 732665
Blocks: 758577
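The failure path described in the comment above (CreateNativeGlobalForInner failing under JS_CHECK_RECURSION, then SetNewDocument reaching the reUseInnerWindow case with a null currentInner) modelled as a small, constructed C++ analogue. This is added example code, not Gecko source: the struct layouts, kNativeStackLimit, LoadDocument and the two SetNewDocument variants are assumptions that stand in for the real functions, and only the result-code value 0x80004005 comes from the warnings on this page. It shows the unguarded shape of the bug beside a guarded version that turns a missing global into a propagated error instead of a null dereference.

```cpp
#include <cstdint>
#include <iostream>
#include <memory>
#include <string>

// Constructed analogue of the path described in the comment above; not Gecko code.
// The names echo the comment (CreateNativeGlobalForInner, SetNewDocument,
// currentInner) but every body here is an assumption.

using nsresult = uint32_t;
constexpr nsresult NS_OK = 0;
constexpr nsresult NS_ERROR_FAILURE = 0x80004005;  // the value in the NS_ENSURE_SUCCESS warnings
constexpr bool NS_SUCCEEDED(nsresult rv) { return (rv & 0x80000000u) == 0; }

struct JSGlobal { std::string name; };

struct InnerWindow {
  std::unique_ptr<JSGlobal> mJSObject;  // stays null if global creation failed
  std::string documentName;
};

struct OuterWindow {
  std::unique_ptr<InnerWindow> currentInner;  // inner window currently attached, if any
};

// Assumed stand-in for the engine's native-stack budget (JS_CHECK_RECURSION).
constexpr int kNativeStackLimit = 8;

// Hypothetical CreateNativeGlobalForInner: refuses to build a global once the
// native stack is too deep, leaving the inner window without mJSObject.
nsresult CreateNativeGlobalForInner(int nativeStackDepth, InnerWindow* inner) {
  if (nativeStackDepth >= kNativeStackLimit) {
    inner->mJSObject.reset();
    return NS_ERROR_FAILURE;
  }
  inner->mJSObject = std::make_unique<JSGlobal>();
  inner->mJSObject->name = "inner-global";
  return NS_OK;
}

// Shape of the bug: the reuse path dereferences currentInner without a check, so a
// null currentInner (global creation failed upstream) is a null-pointer crash.
nsresult SetNewDocumentUnguarded(OuterWindow* outer, const std::string& doc) {
  InnerWindow* currentInner = outer->currentInner.get();
  currentInner->documentName = doc;  // crashes when currentInner == nullptr
  return NS_OK;
}

// Guarded version: a missing inner window or a missing global is reported as
// NS_ERROR_FAILURE instead of being dereferenced.
nsresult SetNewDocumentGuarded(OuterWindow* outer, const std::string& doc) {
  InnerWindow* currentInner = outer->currentInner.get();
  if (!currentInner || !currentInner->mJSObject) {
    return NS_ERROR_FAILURE;
  }
  currentInner->documentName = doc;
  return NS_OK;
}

// Assumed driver: reuse the attached inner window if there is one, otherwise create
// a new one and attach it only if its global was created (NS_ENSURE_SUCCESS(rv, rv)).
nsresult LoadDocument(OuterWindow* outer, int nativeStackDepth, const std::string& doc) {
  bool reUseInnerWindow = outer->currentInner != nullptr;
  if (!reUseInnerWindow) {
    auto inner = std::make_unique<InnerWindow>();
    nsresult rv = CreateNativeGlobalForInner(nativeStackDepth, inner.get());
    if (!NS_SUCCEEDED(rv)) {
      return rv;  // nothing half-built is attached; currentInner stays null
    }
    outer->currentInner = std::move(inner);
  }
  return SetNewDocumentGuarded(outer, doc);
}

int main() {
  OuterWindow shallow, deep;
  std::cout << std::hex << LoadDocument(&shallow, 2, "a.html") << "\n";                // 0
  std::cout << std::hex << LoadDocument(&deep, kNativeStackLimit, "b.html") << "\n";  // 80004005
  return 0;
}
```

The point the guarded version makes is that the error from the recursion guard has to be treated as fatal for the navigation: once CreateNativeGlobalForInner has failed, there is no inner window worth reusing, and every later step that assumes one must bail rather than proceed.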
Jesse, the dependent bug has now been fixed. Can you still reproduce this?
Flags: needinfo?(jruderman)
(I couldn't get any relevant assertions when I was testing this earlier today.)
Ok, I'm going to call this fixed then.
Status: NEW → RESOLVED
Closed: 11 years ago
Flags: needinfo?(jruderman)
Resolution: --- → FIXED
Group: core-security → core-security-release
Group: core-security-release
Component: DOM → DOM: Core & HTML