"Assertion failure: !js::IsCrossCompartmentWrapper(obj)" adopting marquee

RESOLVED FIXED in mozilla25

Status

()

--
critical
RESOLVED FIXED
6 years ago
6 years ago

People

(Reporter: jruderman, Unassigned)

Tracking

(Blocks: 1 bug, {assertion, testcase})

Trunk
mozilla25
x86_64
Mac OS X
assertion, testcase
Points:
---
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(4 attachments)

(Reporter)

Description

6 years ago
Created attachment 782360 [details]
testcase

Assertion failure: !js::IsCrossCompartmentWrapper(obj), at js/xpconnect/wrappers/XrayWrapper.cpp:1281
(Reporter)

Comment 1

6 years ago
Created attachment 782361 [details]
stack
Flags: needinfo?(bobbyholley+bmo)
Created attachment 782670 [details] [diff] [review]
Bonus Fix - Flip custom scope automtion prefs for 449149-1{a,b}.html. v1

I noticed this while making the crashtest here.

This was done before we flipped the default to make reftests always run with
dom.use_xbl_scopes_for_remote_xul=false (see reftest-cmdline.js). So to get
the full test coverage we're looking for here, we need to force the opposite
pref.
Attachment #782670 - Flags: review?(bzbarsky)
Created attachment 782676 [details] [diff] [review]
Loosen assertion. v1

This is just an overzealous assertion, rather than a security issue. But Jesse's
testcase here has interesting implications - it runs XBL code that uses
setTimeout, and then adopts the bound node into another compartment, which
rejiggers its prototype chain to correspond to a new XBL scope. I think we
should handle this all well, but I want to give Boris a chance to brainstorm
potential issues before opening this bug up.
Attachment #782676 - Flags: review?(bzbarsky)
Comment on attachment 782670 [details] [diff] [review]
Bonus Fix - Flip custom scope automtion prefs for 449149-1{a,b}.html. v1

>automtion

automation.

r=me
Attachment #782670 - Flags: review?(bzbarsky) → review+
Comment on attachment 782676 [details] [diff] [review]
Loosen assertion. v1

r=me
Attachment #782676 - Flags: review?(bzbarsky) → review+
I think we agree at this point that this isn't a security issue.
Group: core-security
So, the reftest harness borks because it doesn't recognize the pref (which is in all.js). jgriffin says we could fix this by adding the pref to http://mxr.mozilla.org/mozilla-central/source/layout/tools/reftest/bootstrap.js, but it's probably easier to just disable the test on android.

https://hg.mozilla.org/integration/mozilla-inbound/rev/33c659c7b3b0
You need to log in before you can comment on or make changes to this bug.