688364 - compartment mismatch when sharing with F1

Status: RESOLVED DUPLICATE of bug 679494

(Core :: DOM: Core & HTML, defect)

Description

[Christopher Blizzard (:blizzard)]

1. Open this URL: http://people.mozilla.com/~mclaypotch/jscagematch/rainbow.gif
2. Share to twitter with F1.
3. Get a crash/assertion.

In a debugger, this was the stack trace:

 	ntdll.dll!_NtRaiseException@12()  + 0x12 bytes	
 	ntdll.dll!_NtRaiseException@12()  + 0x12 bytes	
 	mozjs.dll!js::gc::Cell::isMarked(unsigned int color)  Line 518	C++
>	mozjs.dll!js::CompartmentChecker::fail(JSCompartment * c1, JSCompartment * c2)  Line 121 + 0x11 bytes	C++
 	mozjs.dll!js::CompartmentChecker::check(JSCompartment * c)  Line 137 + 0x10 bytes	C++
 	mozjs.dll!js::CompartmentChecker::check(JSString * str)  Line 151	C++
 	mozjs.dll!js::CompartmentChecker::check(const js::Value & v)  Line 158	C++
 	mozjs.dll!js::assertSameCompartment<JSObject *,js::Value>(JSContext * cx, JSObject * t1, js::Value t2)  Line 229	C++
 	mozjs.dll!js::CallJSPropertyOp(JSContext * cx, int (JSContext *, JSObject *, jsid, js::Value *)* op, JSObject * receiver, jsid id, js::Value * vp)  Line 328 + 0x17 bytes	C++
 	mozjs.dll!js::Shape::get(JSContext * cx, JSObject * receiver, JSObject * obj, JSObject * pobj, js::Value * vp)  Line 283 + 0x51 bytes	C++
 	mozjs.dll!js_NativeGetInline(JSContext * cx, JSObject * receiver, JSObject * obj, JSObject * pobj, const js::Shape * shape, unsigned int getHow, js::Value * vp)  Line 5218 + 0x1c bytes	C++
 	mozjs.dll!js_GetPropertyHelperWithShapeInline(JSContext * cx, JSObject * obj, JSObject * receiver, jsid id, unsigned int getHow, js::Value * vp, const js::Shape * * shapeOut, JSObject * * holderOut)  Line 5400 + 0x21 bytes	C++
 	mozjs.dll!js_GetPropertyHelperInline(JSContext * cx, JSObject * obj, JSObject * receiver, jsid id, unsigned int getHow, js::Value * vp)  Line 5421 + 0x25 bytes	C++
 	mozjs.dll!js_GetPropertyHelper(JSContext * cx, JSObject * obj, jsid id, unsigned int getHow, js::Value * vp)  Line 5427 + 0x1d bytes	C++
 	mozjs.dll!js::Interpret(JSContext * cx, js::StackFrame * entryFrame, unsigned int inlineCallCount, js::InterpMode interpMode)  Line 4095 + 0x74 bytes	C++
 	mozjs.dll!js::RunScript(JSContext * cx, JSScript * script, js::StackFrame * fp)  Line 613 + 0x11 bytes	C++
 	mozjs.dll!js::Invoke(JSContext * cx, const js::CallArgs & argsRef, js::ConstructOption option)  Line 694 + 0x11 bytes	C++
 	mozjs.dll!js::ExternalInvoke(JSContext * cx, const js::Value & thisv, const js::Value & fval, unsigned int argc, js::Value * argv, js::Value * rval)  Line 816 + 0xf bytes	C++
 	mozjs.dll!js::JSProxyHandler::call(JSContext * cx, JSObject * proxy, unsigned int argc, js::Value * vp)  Line 273 + 0x31 bytes	C++
 	mozjs.dll!JSWrapper::call(JSContext * cx, JSObject * wrapper, unsigned int argc, js::Value * vp)  Line 250 + 0x43 bytes	C++
 	mozjs.dll!JSCrossCompartmentWrapper::call(JSContext * cx, JSObject * wrapper, unsigned int argc, js::Value * vp)  Line 652 + 0x18 bytes	C++
 	mozjs.dll!js::JSProxy::call(JSContext * cx, JSObject * proxy, unsigned int argc, js::Value * vp)  Line 839 + 0x28 bytes	C++
 	mozjs.dll!js::proxy_Call(JSContext * cx, unsigned int argc, js::Value * vp)  Line 1104 + 0x15 bytes	C++
 	mozjs.dll!js::CallJSNative(JSContext * cx, int (JSContext *, unsigned int, js::Value *)* native, unsigned int argc, js::Value * vp)  Line 277 + 0xf bytes	C++
 	mozjs.dll!js::Invoke(JSContext * cx, const js::CallArgs & argsRef, js::ConstructOption option)  Line 649 + 0x22 bytes	C++
 	mozjs.dll!js::ExternalInvoke(JSContext * cx, const js::Value & thisv, const js::Value & fval, unsigned int argc, js::Value * argv, js::Value * rval)  Line 816 + 0xf bytes	C++
 	mozjs.dll!JS_CallFunctionValue(JSContext * cx, JSObject * obj, jsval_layout fval, unsigned int argc, jsval_layout * argv, jsval_layout * rval)  Line 5080 + 0x45 bytes	C++
 	xul.dll!nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS * wrapper, unsigned short methodIndex, const XPTMethodDescriptor * info, nsXPTCMiniVariant * nativeParams)  Line 1662 + 0x38 bytes	C++
 	xul.dll!nsXPCWrappedJS::CallMethod(unsigned short methodIndex, const XPTMethodDescriptor * info, nsXPTCMiniVariant * params)  Line 587	C++
 	xul.dll!PrepareAndDispatch(nsXPTCStubBase * self, unsigned int methodIndex, unsigned int * args, unsigned int * stackBytesToPop)  Line 114 + 0x21 bytes	C++
 	xul.dll!SharedStub()  Line 142	C++
 	xul.dll!nsEventListenerManager::HandleEventSubType(nsListenerStruct * aListenerStruct, nsIDOMEventListener * aListener, nsIDOMEvent * aDOMEvent, nsPIDOMEventTarget * aCurrentTarget, unsigned int aPhaseFlags, nsCxPusher * aPusher)  Line 1142 + 0x12 bytes	C++
 	xul.dll!nsEventListenerManager::HandleEventInternal(nsPresContext * aPresContext, nsEvent * aEvent, nsIDOMEvent * * aDOMEvent, nsPIDOMEventTarget * aCurrentTarget, unsigned int aFlags, nsEventStatus * aEventStatus, nsCxPusher * aPusher)  Line 1239 + 0x27 bytes	C++
 	xul.dll!nsEventListenerManager::HandleEvent(nsPresContext * aPresContext, nsEvent * aEvent, nsIDOMEvent * * aDOMEvent, nsPIDOMEventTarget * aCurrentTarget, unsigned int aFlags, nsEventStatus * aEventStatus, nsCxPusher * aPusher)  Line 147	C++
 	xul.dll!nsEventTargetChainItem::HandleEvent(nsEventChainPostVisitor & aVisitor, unsigned int aFlags, int aMayHaveNewListenerManagers, nsCxPusher * aPusher)  Line 216	C++
 	xul.dll!nsEventTargetChainItem::HandleEventTargetChain(nsEventChainPostVisitor & aVisitor, unsigned int aFlags, nsDispatchingCallback * aCallback, int aMayHaveNewListenerManagers, nsCxPusher * aPusher)  Line 346	C++
 	xul.dll!nsEventDispatcher::Dispatch(nsISupports * aTarget, nsPresContext * aPresContext, nsEvent * aEvent, nsIDOMEvent * aDOMEvent, nsEventStatus * aEventStatus, nsDispatchingCallback * aCallback, nsCOMArray<nsPIDOMEventTarget> * aTargets)  Line 648 + 0x1e bytes	C++
 	xul.dll!PostMessageEvent::Run()  Line 6015 + 0x2f bytes	C++
 	xul.dll!nsThread::ProcessNextEvent(int mayWait, int * result)  Line 618 + 0x19 bytes	C++
 	xul.dll!NS_ProcessNextEvent_P(nsIThread * thread, int mayWait)  Line 245 + 0x16 bytes	C++
 	xul.dll!mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate * aDelegate)  Line 110 + 0xe bytes	C++
 	xul.dll!MessageLoop::RunInternal()  Line 219	C++
 	xul.dll!MessageLoop::RunHandler()  Line 203	C++
 	xul.dll!MessageLoop::Run()  Line 177	C++
 	xul.dll!nsBaseAppShell::Run()  Line 191	C++
 	xul.dll!nsAppShell::Run()  Line 249 + 0x9 bytes	C++
 	xul.dll!nsAppStartup::Run()  Line 222 + 0x1c bytes	C++
 	xul.dll!XRE_main(int argc, char * * argv, const nsXREAppData * aAppData)  Line 3686 + 0x25 bytes	C++
 	firefox.exe!NS_internal_main(int argc, char * * argv)  Line 158 + 0x12 bytes	C++
 	firefox.exe!wmain(int argc, wchar_t * * argv)  Line 106 + 0xd bytes	C++
 	firefox.exe!__tmainCRTStartup()  Line 552 + 0x19 bytes	C
 	firefox.exe!wmainCRTStartup()  Line 371	C
 	kernel32.dll!@BaseThreadInitThunk@12()  + 0x12 bytes	
 	ntdll.dll!___RtlUserThreadStart@8()  + 0x27 bytes	
 	ntdll.dll!__RtlUserThreadStart@8()  + 0x1b bytes

Comment 1

[Johnny Stenback (:jst)]

Blake, can you have a look here? Marking sg:critical? since that's what we typically do with compartment mismatches.

Comment 2

[Daniel Veditz [:dveditz]]

Is this strictly a problem with what the add-on is doing alone, or does the page content influence the crash? If the former it might be sg:moderate rather than critical, although some other addon might be doing similar things in actions that could theoretically be triggered by content.

Comment 3

[Blake Kaplan (:mrbkap) (inactive)]

This has already been fixed on trunk by bug 679494.