Closed Bug 688364 Opened 9 years ago Closed 9 years ago

compartment mismatch when sharing with F1

Categories

(Core :: DOM: Core & HTML, defect)

6 Branch
x86_64
Windows 7

Tracking

RESOLVED DUPLICATE of bug 679494
Tracking Status
firefox6 --- wontfix
firefox7 - wontfix
firefox8 - wontfix
firefox9 + fixed
firefox10 + fixed
status1.9.2 --- unaffected

People

(Reporter: blizzard, Assigned: mrbkap)

Details

(Keywords: crash, Whiteboard: [sg:critical?])

1. Open this URL: http://people.mozilla.com/~mclaypotch/jscagematch/rainbow.gif
2. Share to Twitter with F1.
3. Get a crash/assertion.

In a debugger, this was the stack trace:

 	ntdll.dll!_NtRaiseException@12()  + 0x12 bytes	
 	ntdll.dll!_NtRaiseException@12()  + 0x12 bytes	
 	mozjs.dll!js::gc::Cell::isMarked(unsigned int color)  Line 518	C++
>	mozjs.dll!js::CompartmentChecker::fail(JSCompartment * c1, JSCompartment * c2)  Line 121 + 0x11 bytes	C++
 	mozjs.dll!js::CompartmentChecker::check(JSCompartment * c)  Line 137 + 0x10 bytes	C++
 	mozjs.dll!js::CompartmentChecker::check(JSString * str)  Line 151	C++
 	mozjs.dll!js::CompartmentChecker::check(const js::Value & v)  Line 158	C++
 	mozjs.dll!js::assertSameCompartment<JSObject *,js::Value>(JSContext * cx, JSObject * t1, js::Value t2)  Line 229	C++
 	mozjs.dll!js::CallJSPropertyOp(JSContext * cx, int (JSContext *, JSObject *, jsid, js::Value *)* op, JSObject * receiver, jsid id, js::Value * vp)  Line 328 + 0x17 bytes	C++
 	mozjs.dll!js::Shape::get(JSContext * cx, JSObject * receiver, JSObject * obj, JSObject * pobj, js::Value * vp)  Line 283 + 0x51 bytes	C++
 	mozjs.dll!js_NativeGetInline(JSContext * cx, JSObject * receiver, JSObject * obj, JSObject * pobj, const js::Shape * shape, unsigned int getHow, js::Value * vp)  Line 5218 + 0x1c bytes	C++
 	mozjs.dll!js_GetPropertyHelperWithShapeInline(JSContext * cx, JSObject * obj, JSObject * receiver, jsid id, unsigned int getHow, js::Value * vp, const js::Shape * * shapeOut, JSObject * * holderOut)  Line 5400 + 0x21 bytes	C++
 	mozjs.dll!js_GetPropertyHelperInline(JSContext * cx, JSObject * obj, JSObject * receiver, jsid id, unsigned int getHow, js::Value * vp)  Line 5421 + 0x25 bytes	C++
 	mozjs.dll!js_GetPropertyHelper(JSContext * cx, JSObject * obj, jsid id, unsigned int getHow, js::Value * vp)  Line 5427 + 0x1d bytes	C++
 	mozjs.dll!js::Interpret(JSContext * cx, js::StackFrame * entryFrame, unsigned int inlineCallCount, js::InterpMode interpMode)  Line 4095 + 0x74 bytes	C++
 	mozjs.dll!js::RunScript(JSContext * cx, JSScript * script, js::StackFrame * fp)  Line 613 + 0x11 bytes	C++
 	mozjs.dll!js::Invoke(JSContext * cx, const js::CallArgs & argsRef, js::ConstructOption option)  Line 694 + 0x11 bytes	C++
 	mozjs.dll!js::ExternalInvoke(JSContext * cx, const js::Value & thisv, const js::Value & fval, unsigned int argc, js::Value * argv, js::Value * rval)  Line 816 + 0xf bytes	C++
 	mozjs.dll!js::JSProxyHandler::call(JSContext * cx, JSObject * proxy, unsigned int argc, js::Value * vp)  Line 273 + 0x31 bytes	C++
 	mozjs.dll!JSWrapper::call(JSContext * cx, JSObject * wrapper, unsigned int argc, js::Value * vp)  Line 250 + 0x43 bytes	C++
 	mozjs.dll!JSCrossCompartmentWrapper::call(JSContext * cx, JSObject * wrapper, unsigned int argc, js::Value * vp)  Line 652 + 0x18 bytes	C++
 	mozjs.dll!js::JSProxy::call(JSContext * cx, JSObject * proxy, unsigned int argc, js::Value * vp)  Line 839 + 0x28 bytes	C++
 	mozjs.dll!js::proxy_Call(JSContext * cx, unsigned int argc, js::Value * vp)  Line 1104 + 0x15 bytes	C++
 	mozjs.dll!js::CallJSNative(JSContext * cx, int (JSContext *, unsigned int, js::Value *)* native, unsigned int argc, js::Value * vp)  Line 277 + 0xf bytes	C++
 	mozjs.dll!js::Invoke(JSContext * cx, const js::CallArgs & argsRef, js::ConstructOption option)  Line 649 + 0x22 bytes	C++
 	mozjs.dll!js::ExternalInvoke(JSContext * cx, const js::Value & thisv, const js::Value & fval, unsigned int argc, js::Value * argv, js::Value * rval)  Line 816 + 0xf bytes	C++
 	mozjs.dll!JS_CallFunctionValue(JSContext * cx, JSObject * obj, jsval_layout fval, unsigned int argc, jsval_layout * argv, jsval_layout * rval)  Line 5080 + 0x45 bytes	C++
 	xul.dll!nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS * wrapper, unsigned short methodIndex, const XPTMethodDescriptor * info, nsXPTCMiniVariant * nativeParams)  Line 1662 + 0x38 bytes	C++
 	xul.dll!nsXPCWrappedJS::CallMethod(unsigned short methodIndex, const XPTMethodDescriptor * info, nsXPTCMiniVariant * params)  Line 587	C++
 	xul.dll!PrepareAndDispatch(nsXPTCStubBase * self, unsigned int methodIndex, unsigned int * args, unsigned int * stackBytesToPop)  Line 114 + 0x21 bytes	C++
 	xul.dll!SharedStub()  Line 142	C++
 	xul.dll!nsEventListenerManager::HandleEventSubType(nsListenerStruct * aListenerStruct, nsIDOMEventListener * aListener, nsIDOMEvent * aDOMEvent, nsPIDOMEventTarget * aCurrentTarget, unsigned int aPhaseFlags, nsCxPusher * aPusher)  Line 1142 + 0x12 bytes	C++
 	xul.dll!nsEventListenerManager::HandleEventInternal(nsPresContext * aPresContext, nsEvent * aEvent, nsIDOMEvent * * aDOMEvent, nsPIDOMEventTarget * aCurrentTarget, unsigned int aFlags, nsEventStatus * aEventStatus, nsCxPusher * aPusher)  Line 1239 + 0x27 bytes	C++
 	xul.dll!nsEventListenerManager::HandleEvent(nsPresContext * aPresContext, nsEvent * aEvent, nsIDOMEvent * * aDOMEvent, nsPIDOMEventTarget * aCurrentTarget, unsigned int aFlags, nsEventStatus * aEventStatus, nsCxPusher * aPusher)  Line 147	C++
 	xul.dll!nsEventTargetChainItem::HandleEvent(nsEventChainPostVisitor & aVisitor, unsigned int aFlags, int aMayHaveNewListenerManagers, nsCxPusher * aPusher)  Line 216	C++
 	xul.dll!nsEventTargetChainItem::HandleEventTargetChain(nsEventChainPostVisitor & aVisitor, unsigned int aFlags, nsDispatchingCallback * aCallback, int aMayHaveNewListenerManagers, nsCxPusher * aPusher)  Line 346	C++
 	xul.dll!nsEventDispatcher::Dispatch(nsISupports * aTarget, nsPresContext * aPresContext, nsEvent * aEvent, nsIDOMEvent * aDOMEvent, nsEventStatus * aEventStatus, nsDispatchingCallback * aCallback, nsCOMArray<nsPIDOMEventTarget> * aTargets)  Line 648 + 0x1e bytes	C++
 	xul.dll!PostMessageEvent::Run()  Line 6015 + 0x2f bytes	C++
 	xul.dll!nsThread::ProcessNextEvent(int mayWait, int * result)  Line 618 + 0x19 bytes	C++
 	xul.dll!NS_ProcessNextEvent_P(nsIThread * thread, int mayWait)  Line 245 + 0x16 bytes	C++
 	xul.dll!mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate * aDelegate)  Line 110 + 0xe bytes	C++
 	xul.dll!MessageLoop::RunInternal()  Line 219	C++
 	xul.dll!MessageLoop::RunHandler()  Line 203	C++
 	xul.dll!MessageLoop::Run()  Line 177	C++
 	xul.dll!nsBaseAppShell::Run()  Line 191	C++
 	xul.dll!nsAppShell::Run()  Line 249 + 0x9 bytes	C++
 	xul.dll!nsAppStartup::Run()  Line 222 + 0x1c bytes	C++
 	xul.dll!XRE_main(int argc, char * * argv, const nsXREAppData * aAppData)  Line 3686 + 0x25 bytes	C++
 	firefox.exe!NS_internal_main(int argc, char * * argv)  Line 158 + 0x12 bytes	C++
 	firefox.exe!wmain(int argc, wchar_t * * argv)  Line 106 + 0xd bytes	C++
 	firefox.exe!__tmainCRTStartup()  Line 552 + 0x19 bytes	C
 	firefox.exe!wmainCRTStartup()  Line 371	C
 	kernel32.dll!@BaseThreadInitThunk@12()  + 0x12 bytes	
 	ntdll.dll!___RtlUserThreadStart@8()  + 0x27 bytes	
 	ntdll.dll!__RtlUserThreadStart@8()  + 0x1b bytes

Blake, can you have a look here? Marking sg:critical? since that's what we typically do with compartment mismatches.

Whiteboard: [sg:critical?]
Assignee: nobody → mrbkap

Is this strictly a problem with what the add-on is doing alone, or does the page content influence the crash? If the former it might be sg:moderate rather than critical, although some other addon might be doing similar things in actions that could theoretically be triggered by content.

This has already been fixed on trunk by bug 679494.

Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 679494

Group: mozilla-confidential
Group: core-security
Component: DOM → DOM: Core & HTML