Created attachment 714594
testcase (takes about a minute)
###!!! ASSERTION: Bad type!: 'actor->Type() == Proxy', file dom/plugins/ipc/PluginScriptableObjectChild.cpp, line 63
I have the "Java Plugin" shim that comes with Mac OS X 10.8, but not Java. So the plugin is just trying to draw a "Missing Java" thing, repeatedly.
(In reply to Jesse Ruderman from comment #0)
> ###!!! ASSERTION: Bad type!: 'actor->Type() == Proxy', file
> dom/plugins/ipc/PluginScriptableObjectChild.cpp, line 63
This might have the same or a similar trigger as what we're seeing in bug 824069 - the PluginScriptableObjectChild being used was already deallocated, triggering a collection of weird behaviours around the ScriptableObjectChild.
Georg, can you suggest a security rating for this?
(In reply to Al Billings [:abillings] from comment #4)
> Georg, can you suggest a security rating for this?
Going over the severity rating description in the wiki I'd think sec-low to sec-moderate: Apparently a Java bug leading to a bad state in the plugin-container which should be rather hard to use in a controlled exploit. But I am familiar with the security approaches here, so please take that with a grain of salt.
WFM. (I let the testcase run for a few minutes, using a Tinderbox build built from 126563fd3ba1.) In bug 841916 comment 13, Georg suggested that bug 831768 might have fixed this.