Assertion failure: callerPrincipals->subsume(callerPrincipals, calleePrincipals), at js/src/jsobj.cpp:1346

RESOLVED FIXED in mozilla6

Status: RESOLVED FIXED
Product: Core
Component: JavaScript Engine
Severity: critical
Opened 6 years ago, last modified 2 years ago

People: (Reporter: mats, Assigned: luke)

Version: Trunk
Target Milestone: mozilla6

Details: (Whiteboard: fixed-in-tracemonkey)

Attachments: (3 attachments)

(Reporter)

Description

6 years ago
Created attachment 531506 [details]
stack with some data

Assertion failure: callerPrincipals->subsume(callerPrincipals, calleePrincipals), at js/src/jsobj.cpp:1346


Up-to-date Linux x86-64 debug build; aborts shortly after start.
It's 100% reproducible (also after rebuild with empty $OBJDIR).
See attached stack for some data on the principals involved in the assert.

# hg ident
618cad1b1743 tip

Comment 1

Do you have a test case?

Comment 2

6 years ago
I see this on 32|64bit Linux and 32bit Mac as well. Windows builds pending.
(Reporter)

Comment 3

6 years ago
Using a clean profile, load http://english.aljazeera.net/watch_now/

Comment 4

I get it too. How about a regression range?
Keywords: regressionwindow-wanted
(Assignee)

Comment 5

6 years ago
This is an extension of the issue in bug 651298.  It is probably just a matter of relaxing the assert or using the slower object principal finder instead of relying on the compartment's principals.  The underlying issue is that we cheat to make document.domain work and break what would otherwise be reasonable invariants.  Like practically everything these days, bug 650353 would allow this assert to hold, hence whatever we do in the interim is temporary.

Comment 6

6 years ago
Definitely Windows as well. Another URL:

http://www.msnbc.msn.com/id/42953750/ns/us_news-life/t/doc-woman-stranded-weeks-was-close-dying/?GT1=43001

plus 104 others so far.
OS: Linux → All
Hardware: x86_64 → All
(Assignee)

Comment 7

6 years ago
Created attachment 531781 [details] [diff] [review]
use object principals finder instead of compartment->principals

mrbkap and I looked at one of these under gdb and it is the document.domain trickery.  Same fix as before.
Assignee: general → luke
Status: NEW → ASSIGNED
Attachment #531781 - Flags: review?(mrbkap)

Updated

6 years ago
Attachment #531781 - Flags: review?(mrbkap) → review+
(Assignee)

Comment 8

6 years ago
http://hg.mozilla.org/tracemonkey/rev/5f2b3783cdd6
Whiteboard: fixed-in-tracemonkey

Comment 9

6 years ago
How often do we get mc<->tracemonkey merges? Once a week? Any chance of getting this onto mc sooner?
(Assignee)

Comment 10

6 years ago
Can do; I'll land it on mc as soon as it goes green on tm.
(Assignee)

Comment 11

6 years ago
... and it's a good thing I did.  xpcshell is doing some weird things with its fake principals manager.  Will look at this tomorrow.

Backed out:
http://hg.mozilla.org/tracemonkey/rev/5b479a987cda
Whiteboard: fixed-in-tracemonkey
(Assignee)

Comment 12

6 years ago
Relanded and stuck:
http://hg.mozilla.org/tracemonkey/rev/16b4d6aa5b2b
Whiteboard: fixed-in-tracemonkey
(Assignee)

Comment 13

6 years ago
http://hg.mozilla.org/mozilla-central/rev/16b4d6aa5b2b
Status: ASSIGNED → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED

Comment 14

6 years ago
I'm in the middle of retesting the urls where I saw this assertion. It appears that it still occurs at http://www.sfr.fr/mobile/telephone-portable/apple-iphone-4-16go-noir?vue=000029 on WinXP on a nightly build from 5/19. File a new bug?
(Assignee)

Comment 15

6 years ago
#3  in js::PrincipalsForCompiledCode at jsobj.cpp:1346
(gdb) p calleePrincipals->codebase
$1 = "http://www.sfr.fr/mobile/telephone-portable/apple-iphone-4-16go-noir?vue=000029"
(gdb) p callerPrincipals->codebase
$2 = "http://www.sfr.fr/mobile/edito/tcommerce/inqChat.html?IFRAME"

Blake: can we just drop this assertion?  Seems to be more of this document.domain-hack-leakage that I thought you explained was technically ok.

Comment 16

Yeah, I guess so... Do we have compartment-per-global yet?
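
Added example, not part of the bug thread and not Mozilla's code: a simplified model of how document.domain can make a subsume-style check fail for two principals whose codebase URLs are on the same host, as in the gdb output in comment 15. It assumes the HTML standard's "same origin-domain" rule as a stand-in for subsume(); the `Principal` struct, `makePrincipal` helper and example.com hosts are constructed for illustration, and which page in the thread (if any) set document.domain is not stated on this page.

```cpp
#include <iostream>
#include <string>

// Simplified principal: the origin a script was loaded from, plus the value the
// page assigned to document.domain ("" means it was never set).
struct Principal {
    std::string scheme, host;
    int port;
    std::string domain;
};

// Constructed helper: an http principal on port 80.
Principal makePrincipal(const std::string &host, const std::string &domain) {
    return Principal{"http", host, 80, domain};
}

// HTML "same origin-domain" rule, used here as a stand-in for subsume():
// once either side has set document.domain, both must have set it to the same
// value, and host and port are then ignored. Otherwise compare full origins.
bool subsumes(const Principal &caller, const Principal &callee) {
    if (!caller.domain.empty() || !callee.domain.empty())
        return caller.scheme == callee.scheme && caller.domain == callee.domain;
    return caller.scheme == callee.scheme && caller.host == callee.host &&
           caller.port == callee.port;
}

int main() {
    // Same host, neither page touched document.domain: the invariant holds.
    std::cout << subsumes(makePrincipal("www.example.com", ""),
                          makePrincipal("www.example.com", "")) << "\n";
    // Same host, but only the caller set document.domain: the check fails even
    // though both codebase URLs show the same host.
    std::cout << subsumes(makePrincipal("www.example.com", "example.com"),
                          makePrincipal("www.example.com", "")) << "\n";
    // Different hosts that both opted in to the same domain: the check passes,
    // so script and objects with different codebases can reach each other.
    std::cout << subsumes(makePrincipal("www.example.com", "example.com"),
                          makePrincipal("chat.example.com", "example.com")) << "\n";
    return 0;
}
```

Because the result depends on mutable per-document state, a principal cached at a coarser level (such as per compartment) can disagree with the principal of the object actually being called.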
(Assignee)

Comment 17

6 years ago
(In reply to comment #16)
> Yeah, I guess so... Do we have compartment-per-global yet?

I'll go poke bent.
(Assignee)

Comment 18

6 years ago
Created attachment 536643 [details] [diff] [review]
kill the assert
Attachment #536643 - Flags: review?(mrbkap)

Updated

6 years ago
Attachment #536643 - Flags: review?(mrbkap) → review+
(Assignee)

Comment 19

6 years ago
http://hg.mozilla.org/tracemonkey/rev/c8e12e8c281b

Updated

6 years ago
Depends on: 672026
Target Milestone: --- → mozilla6
Keywords: regressionwindow-wanted