Closed Bug 608987 Opened 15 years ago Closed 15 years ago

Assertion failure: compartment mismatched setting up plugin proto chain

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
blocking2.0 --- betaN+

People

(Reporter: bc, Assigned: gal)

References

(
URL
)

Details

(Keywords: assertion, regression, Whiteboard: hardblocker)

Attachments

(1 file)

Untested but likely fix.
750 bytes, patch
gal
: review+
Details | Diff | Splinter Review
1. http://internet-speed.ru/ or http://blog.techsatish.net/2010/10/illavarasi-11-10-10.html 2. *** Compartment mismatch 078E0398 vs. 067C5080 Assertion failure: compartment mismatched, at c:\work\mozilla\builds\2.0.0\mozilla\js\src\jscntxtinlines.h:541 Operating system: Windows NT 5.1.2600 Service Pack 3 CPU: x86 GenuineIntel family 6 model 44 stepping 2 1 CPU Crash reason: EXCEPTION_ACCESS_VIOLATION_WRITE Crash address: 0x0 Thread 0 (crashed) 0 mozjs.dll!JS_Assert [jsutil.cpp : 73 + 0x0] eip = 0x007f19fa esp = 0x0012d294 ebp = 0x0012d294 ebx = 0x00000000 esi = 0x00ffff88 edi = 0x00000000 eax = 0x00000000 ecx = 0x9fc1f70f edx = 0x00613d38 efl = 0x00010202 Found by: given as instruction pointer in context 1 mozjs.dll!js::CompartmentChecker::fail(JSCompartment *,JSCompartment *) [jscntxtinlines.h : 541 + 0x13] eip = 0x0067e54d esp = 0x0012d29c ebp = 0x0012d2a8 Found by: call frame info 2 mozjs.dll!js::CompartmentChecker::check(JSCompartment *) [jscntxtinlines.h : 549 + 0xf] eip = 0x0067e4fb esp = 0x0012d2b0 ebp = 0x0012d2bc Found by: call frame info 3 mozjs.dll!js::CompartmentChecker::check(JSObject *) [jscntxtinlines.h : 557 + 0x10] eip = 0x0067e49e esp = 0x0012d2c4 ebp = 0x0012d2cc Found by: call frame info 4 mozjs.dll!js::assertSameCompartment<JSObject *>(JSContext *,JSObject *) [jscntxtinlines.h : 624 + 0xb] eip = 0x0067e711 esp = 0x0012d2d4 ebp = 0x0012d2e0 Found by: call frame info 5 mozjs.dll!JS_GetPrototype [jsapi.cpp : 2886 + 0xc] eip = 0x00666651 esp = 0x0012d2e8 ebp = 0x0012d300 Found by: call frame info 6 xul.dll!IsObjInProtoChain [nsDOMClassInfo.cpp : 9432 + 0xd] eip = 0x10cec2cd esp = 0x0012d308 ebp = 0x0012d330 Found by: call frame info 7 xul.dll!nsHTMLPluginObjElementSH::SetupProtoChain(nsIXPConnectWrappedNative *,JSContext *,JSObject *) [nsDOMClassInfo.cpp : 9520 + 0x10] eip = 0x10cec0a1 esp = 0x0012d338 ebp = 0x0012d3c0 Found by: call frame info
blocking2.0: --- → betaN+
Reproduced. Thanks bob.
Assignee: general → gal
Oh, good. I've been trying to reproduce and get a testcase for this one but haven't been able to do so. I'll try to capture it now in case the ad cycle that crashes is back.
I haven't been able to reproduce this but I don't see any other code that enters the proper compartment when we're setting up the proto chain for a plugin object. This should ensure that we always do that, and should fix this bug.
Attachment #503013 - Flags: review?(gal)
Attachment #503013 - Flags: review?(gal) → review+
Whiteboard: hardblocker
Landed. http://hg.mozilla.org/mozilla-central/rev/a0e53f1d294a
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
This needed the following change as well: http://hg.mozilla.org/mozilla-central/rev/990a97e175e3
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: