Closed
Bug 898939
Opened 11 years ago
Closed 11 years ago
"Assertion failure: !js::IsCrossCompartmentWrapper(obj)" adopting marquee
Categories
(Core :: XBL, defect)
Tracking
()
RESOLVED
FIXED
mozilla25
People
(Reporter: jruderman, Unassigned)
Details
(Keywords: assertion, testcase)
Attachments
(4 files)
344 bytes,
text/html
|
Details | |
9.77 KB,
text/plain
|
Details | |
1.83 KB,
patch
|
bzbarsky
:
review+
|
Details | Diff | Splinter Review |
2.84 KB,
patch
|
bzbarsky
:
review+
|
Details | Diff | Splinter Review |
Assertion failure: !js::IsCrossCompartmentWrapper(obj), at js/xpconnect/wrappers/XrayWrapper.cpp:1281
Reporter | ||
Comment 1•11 years ago
|
||
Updated•11 years ago
|
Flags: needinfo?(bobbyholley+bmo)
Comment 2•11 years ago
|
||
I noticed this while making the crashtest here. This was done before we flipped the default to make reftests always run with dom.use_xbl_scopes_for_remote_xul=false (see reftest-cmdline.js). So to get the full test coverage we're looking for here, we need to force the opposite pref.
Attachment #782670 -
Flags: review?(bzbarsky)
Comment 3•11 years ago
|
||
This is just an overzealous assertion, rather than a security issue. But Jesse's testcase here has interesting implications - it runs XBL code that uses setTimeout, and then adopts the bound node into another compartment, which rejiggers its prototype chain to correspond to a new XBL scope. I think we should handle this all well, but I want to give Boris a chance to brainstorm potential issues before opening this bug up.
Attachment #782676 -
Flags: review?(bzbarsky)
Comment 4•11 years ago
|
||
Comment on attachment 782670 [details] [diff] [review] Bonus Fix - Flip custom scope automtion prefs for 449149-1{a,b}.html. v1 >automtion automation. r=me
Attachment #782670 -
Flags: review?(bzbarsky) → review+
Comment 5•11 years ago
|
||
Comment on attachment 782676 [details] [diff] [review] Loosen assertion. v1 r=me
Attachment #782676 -
Flags: review?(bzbarsky) → review+
Comment 6•11 years ago
|
||
I think we agree at this point that this isn't a security issue.
Group: core-security
Comment 7•11 years ago
|
||
remote: https://hg.mozilla.org/integration/mozilla-inbound/rev/6cfe97defc64 remote: https://hg.mozilla.org/integration/mozilla-inbound/rev/be1be387ce59 remote: https://hg.mozilla.org/integration/mozilla-inbound/rev/d41299f47cb0
Flags: needinfo?(bobbyholley+bmo)
Comment 8•11 years ago
|
||
So, the reftest harness borks because it doesn't recognize the pref (which is in all.js). jgriffin says we could fix this by adding the pref to http://mxr.mozilla.org/mozilla-central/source/layout/tools/reftest/bootstrap.js, but it's probably easier to just disable the test on android. https://hg.mozilla.org/integration/mozilla-inbound/rev/33c659c7b3b0
Comment 9•11 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/6cfe97defc64 https://hg.mozilla.org/mozilla-central/rev/be1be387ce59 https://hg.mozilla.org/mozilla-central/rev/d41299f47cb0 https://hg.mozilla.org/mozilla-central/rev/33c659c7b3b0
Status: NEW → RESOLVED
Closed: 11 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla25
You need to log in
before you can comment on or make changes to this bug.
Description
•