Closed Bug 779849 Opened 12 years ago Closed 12 years ago

Flash Plugin related Assertion failure: false (compartment mismatched)

Categories

(Core Graveyard :: Plug-ins, defect)

Type: defect
Priority: Not set
Severity: critical

Tracking

(firefox15+ verified, firefox16+ verified, firefox17+ verified, firefox-esr10 unaffected)

VERIFIED FIXED
mozilla17
Tracking Status
firefox15 + verified
firefox16 + verified
firefox17 + verified
firefox-esr10 --- unaffected

People

(Reporter: bc, Assigned: billm)


Details

(Keywords: assertion, crash, sec-critical, Whiteboard: [advisory-tracking+] regression from bug 771202)

Attachments

(1 file)

1. http://www.blogs.com/topten/top-10-country-music-blogs/
   This occurs on many many urls not just this one. This is my current top crasher in crash automation.

2. Assertion failure: false (compartment mismatched), at ../../../js/src/jscntxtinlines.h:227

Initially on Nightly this was a
###!!! ABORT: attempt to initialize OOP crash reporter before in-process crashreporter!: 'gExceptionHandler != NULL', file ../../../toolkit/crashreporter/nsExceptionHandler.cpp, line 2020

but after bug 773830 was fixed it settled down into the Assertion. It is just the assertion on Beta and Aurora.


ABORT: attempt to initialize OOP crash reporter before in-process crashreporter!: 'gExceptionHandler != NULL', file ../../../toolkit/crashreporter/nsExceptionHandler.cpp, line 2020
then Assertion failure: false (compartment mismatched), at ../../../js/src/jscntxtinlines.h:227

Also crashed Nightly, Aurora (may need to reload)

bp-a9cd5c2f-db62-4383-85c4-a08672120802
Firefox 17.0a1 Crash Report [@ js::types::TypeObject::addPropertyType ] 
bp-723b5531-d568-4856-9977-3ee742120802
Firefox 15.0a2 Crash Report [@ js::gc::PushMarkStack ] 

Found regression between 20120712015541-20120712174703
Pushlog: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=70d92a6ccdfa&tochange=6489be1890c0
http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2012/07/2012-07-12-mozilla-central-debug/firefox-16.0a1.en-US.debug-linux-i686.tar.bz2
http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2012/07/2012-07-13-mozilla-central-debug/firefox-16.0a1.en-US.debug-linux-i686.tar.bz2

Found regression between 20120715024321-20120716024822
Pushlog: http://hg.mozilla.org/releases/mozilla-aurora/pushloghtml?fromchange=50963e16d1dc&tochange=d7602223c982
http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2012/07/2012-07-15-mozilla-aurora-debug/firefox-15.0a2.en-US.debug-linux-i686.tar.bz2
http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2012/07/2012-07-16-mozilla-aurora-debug/firefox-15.0a2.en-US.debug-linux-i686.tar.bz2
(didn't see the ABORT here)

Found regression between 20120718210721-20120719120951
Pushlog: http://hg.mozilla.org/releases/mozilla-beta/pushloghtml?fromchange=b2487714085b&tochange=ebfad1bf8749
http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2012/07/2012-07-19-mozilla-beta-debug/firefox-15.0.en-US.debug-linux-i686.tar.bz2
http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2012/07/2012-07-20-mozilla-beta-debug/firefox-15.0.en-US.debug-linux-i686.tar.bz2
(didn't see ABORT here)
Component: IPC → Plug-ins
Forgot to mention most if not all of the assertions I've seen have been just after loading Flash. This is not specific to 11.3 as it occurs on Linux with 11.2 as well.
Summary: Plugin related Assertion failure: false (compartment mismatched) → Flash Plugin related Assertion failure: false (compartment mismatched)
Attached patch: patch? (Splinter Review)
I don't know this code at all--even who to ask for review. But the fix looks relatively straightforward. There are two paths in GetNewOrUsed that return an existing object. One of them calls JS_WrapObject and the other one doesn't. On the page that crashes, we take the non-JS_WrapObject path and end up getting something from the wrong compartment.
Assignee: nobody → wmccloskey
Status: NEW → ASSIGNED
Attachment #648486 - Flags: review?(bobbyholley+bmo)
Attachment #648486 - Flags: review?(benjamin)
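The comment above describes the shape of the bug: a lookup with two "return the existing object" paths, only one of which wraps the object into the caller's compartment. The following is an added, self-contained C++ model of that invariant and is not Firefox or SpiderMonkey code; `Runtime`, `Context`, `Object`, `ObjectCache`, `wrapObject`, `sameCompartment`, `getNewOrUsedBuggy`, `getNewOrUsedFixed` and `scenario` are constructed for this example, and only the names `GetNewOrUsed` and `JS_WrapObject` come from the bug. It shows why the cached path must wrap as well: once a second compartment reaches the same cached object, handing it back raw fails the same-compartment check that the assertion in `jscntxtinlines.h` enforces.

```cpp
// Added model (not Firefox code) of the invariant behind the
// "compartment mismatched" assertion: an object handed back to a caller
// must live in the caller's compartment, or be a cross-compartment
// wrapper into it. All type and function names here are constructed;
// only JS_WrapObject and GetNewOrUsed are names taken from the bug.
#include <cstdint>
#include <cstdio>
#include <map>
#include <memory>
#include <vector>

using CompartmentId = uint32_t;

// A "JS object": the compartment it belongs to and, for wrappers, the
// object it points at.
struct Object {
    CompartmentId compartment;
    const Object* target;   // non-null only for cross-compartment wrappers
};

// Stand-in for JSContext: the compartment the caller is running in.
struct Context {
    CompartmentId compartment;
};

// Owns all objects so returned pointers stay valid.
struct Runtime {
    std::vector<std::unique_ptr<Object>> objects;
    Object* newObject(CompartmentId c) {
        objects.push_back(std::unique_ptr<Object>(new Object{c, nullptr}));
        return objects.back().get();
    }
};

// Stand-in for JS_WrapObject: an object already in cx's compartment is
// returned as is; otherwise a wrapper living in cx's compartment is made.
Object* wrapObject(Runtime& rt, const Context& cx, Object* obj) {
    if (obj->compartment == cx.compartment) return obj;
    Object* w = rt.newObject(cx.compartment);
    w->target = obj;
    return w;
}

// The check the assertion performs, as a predicate: does the object
// live in the caller's compartment?
bool sameCompartment(const Context& cx, const Object* obj) {
    return obj->compartment == cx.compartment;
}

// Cache keyed on a plugin-side object id (stand-in for an NPObject*).
using ObjectCache = std::map<int, Object*>;

// Buggy shape of GetNewOrUsed as the comment describes it: the "new"
// path wraps, the "used" path returns the cached object unwrapped.
Object* getNewOrUsedBuggy(Runtime& rt, ObjectCache& cache, const Context& cx, int key) {
    auto it = cache.find(key);
    if (it != cache.end())
        return it->second;               // defect: may belong to another compartment
    Object* obj = rt.newObject(cx.compartment);
    cache[key] = obj;
    return wrapObject(rt, cx, obj);
}

// Fixed shape: both paths wrap into cx's compartment before returning.
Object* getNewOrUsedFixed(Runtime& rt, ObjectCache& cache, const Context& cx, int key) {
    auto it = cache.find(key);
    if (it != cache.end())
        return wrapObject(rt, cx, it->second);
    Object* obj = rt.newObject(cx.compartment);
    cache[key] = obj;
    return wrapObject(rt, cx, obj);
}

// Scenario: compartment 1 first creates the entry, then compartment 2
// asks for the same key and takes the "used" path. Returns whether the
// object handed to compartment 2 satisfies the same-compartment check.
bool scenario(bool useFixed) {
    Runtime rt;
    ObjectCache cache;
    Context cx1{1}, cx2{2};
    auto get = useFixed ? getNewOrUsedFixed : getNewOrUsedBuggy;
    get(rt, cache, cx1, 42);               // populates the cache from compartment 1
    Object* o = get(rt, cache, cx2, 42);   // cached path from compartment 2
    return sameCompartment(cx2, o);
}

int main() {
    std::printf("buggy path passes check: %s\n", scenario(false) ? "yes" : "no");
    std::printf("fixed path passes check: %s\n", scenario(true) ? "yes" : "no");
    return 0;
}
```

The model makes the defensive rule explicit: a cache shared across compartments is only safe if every return path passes its result through the wrapping step, so the check is best placed once at the function's single exit rather than on each early return.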
Also, this should probably be closed.
Group: core-security
Comment on attachment 648486 [details] [diff] [review]
patch?

Yes! You rock, bill.
Attachment #648486 - Flags: review?(bobbyholley+bmo) → review+
This fixes the crash in bug 774052. We should get this on beta ASAP.
Blocks: 774052
Comment on attachment 648486 [details] [diff] [review]
patch?

[Approval Request Comment]
Bug caused by (feature/regressing bug #): CPG, I assume
User impact if declined: Crashes, exploits.
Testing completed (on m-c, etc.): On m-c.
Risk to taking this patch (and alternatives if risky): Seems low, but I don't know this code well.
String or UUID changes made by this patch: None.
Attachment #648486 - Flags: review?(benjamin)
Attachment #648486 - Flags: approval-mozilla-beta?
Attachment #648486 - Flags: approval-mozilla-aurora?
https://hg.mozilla.org/mozilla-central/rev/4f774268e674
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla17
Attachment #648486 - Flags: approval-mozilla-beta?
Attachment #648486 - Flags: approval-mozilla-beta+
Attachment #648486 - Flags: approval-mozilla-aurora?
Attachment #648486 - Flags: approval-mozilla-aurora+
Please land this before EOD tomorrow so it can go into Beta 4 and we can have some bake time before final release.
Does this not affect ESR?
Whiteboard: [advisory-tracking+]
(In reply to Al Billings [:abillings] from comment #11)
> Does this not affect ESR?

I don't think so, but Bobby would know better. Bobby?
Bob implies it is a regression from July.
I don't test esr so can't say from experience whether this affects it or not. It would depend on if any of the responsible patches have landed there. If this is related to the Flash crash reporting then it is possible that esr is affected as well.
(In reply to Bill McCloskey (:billm) from comment #12)
> I don't think so, but Bobby would know better. Bobby?

This is a regression from bug 771202. I can't mark it because of circularity.
Whiteboard: [advisory-tracking+] → [advisory-tracking+] regression from bug 771202
If this is a regression from bug 771202, then it shouldn't affect ESR.
Keywords: verifyme
I'm not able to reproduce this with the 2012-07-30 Firefox 17.0a1 debug build on Ubuntu 12.04 64-bit with Flash 11.2. Can someone provide some assistance here with the verification, either by doing some testing or by providing me with some guidance so I can reproduce it myself? Priority is getting it verified against Firefox 15.

Thanks
Keywords: verifyme
Whiteboard: [advisory-tracking+] regression from bug 771202 → [advisory-tracking+][qa?] regression from bug 771202
ashughes, do you have 32bit linux available?
(In reply to Bob Clary [:bc:] from comment #18)
> ashughes, do you have 32bit linux available?

I have an Ubuntu 11.10 32-bit VM -- will that work?
Worth a try.
Thanks Bob. I was able to reproduce this with Firefox 17.0a1 2012-07-30, Ubuntu 11.10 32-bit, and Flash 11.2. I'll now test to verify the fix.
Verified fixed with:
 * 2012-08-24 Firefox 17.0a1
 * 2012-08-24 Firefox 16.0a2
 * 2012-08-24 Firefox 15.0
Status: RESOLVED → VERIFIED
QA Contact: anthony.s.hughes
Whiteboard: [advisory-tracking+][qa?] regression from bug 771202 → [advisory-tracking+] regression from bug 771202
Group: core-security
Product: Core → Core Graveyard