Assertion failure: compartment mismatched

Status: RESOLVED FIXED
Product: Core
Component: JavaScript Engine
Opened: 7 years ago
Updated: 7 years ago
Reporter: bc
Assignee: mrbkap
Blocks: 1 bug
Keywords: assertion
Version: Trunk
Hardware: x86
OS: All
blocking2.0: beta7+
Whiteboard: [compartments][can land]
Attachments: 4 attachments, 1 obsolete attachment

(Reporter)

Description

7 years ago
mac os x 10.5 intel mozilla-central 29c228a4d7eb tip with

1. http://www.cnn.com/?refresh=1
2. 
*** Compartment mismatch 0x180e9a00 vs. 0x937800
Assertion failure: compartment mismatched, at /work/mozilla/builds/2.0.0/mozilla/js/src/jscntxtinlines.h:513


    # set uninitialized memory to 0xAA
    MallocPreScribble=1
    # set freed memory to 0x55
    MallocScribble=1
    # add guard pages before/after large allocs
    MallocGuardEdges=1
    # abort() if heap corruption detected
    MallocCheckHeapAbort=1
    # abort() if illegal free() called
    MallocBadFreeAbort=1

this may not be reliably reproducible.
blocking2.0: --- → ?
(Reporter)

Comment 1

7 years ago
search goodness: JS_Assert js::CompartmentChecker::fail js::CompartmentChecker::check js::CompartmentChecker::check js::CompartmentChecker::check
(Reporter)

Comment 2

7 years ago
Created attachment 483677 [details]
stack

I've run into this assertion often when running a debug build on Mac OS X 10.5. It seems to be related to loading http://www2.nelsoncountytimes.com/ in a tab, but may also be related to the other windows and tabs I have open.
(Reporter)

Comment 3

7 years ago
assertion is reproducible using spider to load <http://videos.tf1.fr/un-mari-de-trop/un-mari-de-trop-les-premieres-images-avec-lorie-et-alain-delon-6083730.html>

/work/mozilla/builds/2.0.0/mozilla/firefox-debug/dist/FirefoxDebug.app/Contents/MacOS/firefox  -P test -spider -url  http://videos.tf1.fr/un-mari-de-trop/un-mari-de-trop-les-premieres-images-avec-lorie-et-alain-delon-6083730.html -hook http://bc-centos5-64-01:5984/sisyphus/_design/bughunter/userhooks/test-crash-on-load.js -start -quit

*** Compartment mismatch 0x941e00 vs. 0xf2d800
Assertion failure: compartment mismatched, at /work/mozilla/builds/2.0.0/mozilla/js/src/jscntxtinlines.h:513
Bus error

It appears using spider with the userhook is required to reproduce. I'll attach the extension and the userhook script. You'll need to host the userhook script somewhere and adjust the hook url to point to it.
(Reporter)

Comment 4

7 years ago
Created attachment 483761 [details]
spider.xpi
(Reporter)

Comment 5

7 years ago
Created attachment 483762 [details]
test-crash-on-load.js

Updated

7 years ago
blocking2.0: ? → beta7+
(Assignee)

Updated

7 years ago
Assignee: general → mrbkap
(Reporter)

Comment 6

7 years ago
Note that I can reproduce this assertion on literally hundreds of locally stored "test" pages running Spider with this userhook with trunk builds on xp and centos5. These pages do not crash or assert in 1.9.1 or 1.9.2 at all and did not do so in 2.0 until compartments landed.
OS: Mac OS X → All
(Assignee)

Comment 7

7 years ago
Created attachment 485175 [details] [diff] [review]
Proposed fix

This is actually for a different stack than the one in this bug. The stack for this bug (which I'll attach in a second) was trying to set up a plugin object. I think we already fixed the stack in the bug.

One thing to watch out for is that there are a ton of places that we can hit this assertion from. So, fixing one here might just "move" the assertion somewhere else; so Bob, if you hit more of these, please file new bugs on them with the stacks and we'll take one stack per bug.
Attachment #485175 - Flags: review?(jst)
(Assignee)

Comment 8

7 years ago
Created attachment 485176 [details]
stack fixed here
Attachment #483677 - Attachment is obsolete: true
(Assignee)

Updated

7 years ago
Whiteboard: [compartments]
jst will review and land asap.

Updated

7 years ago
Attachment #485175 - Flags: review?(jst) → review+

Updated

7 years ago
Blocks: 604783

Comment 10

7 years ago
This still needs to land.
Whiteboard: [compartments] → [compartments][can land]
(Assignee)

Comment 11

7 years ago
http://hg.mozilla.org/mozilla-central/rev/4691f4d9c25e
Status: NEW → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → FIXED