Closed
Bug 688364
Opened 13 years ago
Closed 13 years ago
compartment mismatch when sharing with F1
Categories
(Core :: DOM: Core & HTML, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 679494
People
(Reporter: blizzard, Assigned: mrbkap)
Details
(Keywords: crash, Whiteboard: [sg:critical?])
1. Open this URL: http://people.mozilla.com/~mclaypotch/jscagematch/rainbow.gif 2. Share to twitter with F1. 3. Get a crash/assertion. In a debugger, this was the stack trace: ntdll.dll!_NtRaiseException@12() + 0x12 bytes ntdll.dll!_NtRaiseException@12() + 0x12 bytes mozjs.dll!js::gc::Cell::isMarked(unsigned int color) Line 518 C++ > mozjs.dll!js::CompartmentChecker::fail(JSCompartment * c1, JSCompartment * c2) Line 121 + 0x11 bytes C++ mozjs.dll!js::CompartmentChecker::check(JSCompartment * c) Line 137 + 0x10 bytes C++ mozjs.dll!js::CompartmentChecker::check(JSString * str) Line 151 C++ mozjs.dll!js::CompartmentChecker::check(const js::Value & v) Line 158 C++ mozjs.dll!js::assertSameCompartment<JSObject *,js::Value>(JSContext * cx, JSObject * t1, js::Value t2) Line 229 C++ mozjs.dll!js::CallJSPropertyOp(JSContext * cx, int (JSContext *, JSObject *, jsid, js::Value *)* op, JSObject * receiver, jsid id, js::Value * vp) Line 328 + 0x17 bytes C++ mozjs.dll!js::Shape::get(JSContext * cx, JSObject * receiver, JSObject * obj, JSObject * pobj, js::Value * vp) Line 283 + 0x51 bytes C++ mozjs.dll!js_NativeGetInline(JSContext * cx, JSObject * receiver, JSObject * obj, JSObject * pobj, const js::Shape * shape, unsigned int getHow, js::Value * vp) Line 5218 + 0x1c bytes C++ mozjs.dll!js_GetPropertyHelperWithShapeInline(JSContext * cx, JSObject * obj, JSObject * receiver, jsid id, unsigned int getHow, js::Value * vp, const js::Shape * * shapeOut, JSObject * * holderOut) Line 5400 + 0x21 bytes C++ mozjs.dll!js_GetPropertyHelperInline(JSContext * cx, JSObject * obj, JSObject * receiver, jsid id, unsigned int getHow, js::Value * vp) Line 5421 + 0x25 bytes C++ mozjs.dll!js_GetPropertyHelper(JSContext * cx, JSObject * obj, jsid id, unsigned int getHow, js::Value * vp) Line 5427 + 0x1d bytes C++ mozjs.dll!js::Interpret(JSContext * cx, js::StackFrame * entryFrame, unsigned int inlineCallCount, js::InterpMode interpMode) Line 4095 + 0x74 bytes C++ mozjs.dll!js::RunScript(JSContext * cx, JSScript * script, js::StackFrame * fp) Line 613 + 0x11 bytes C++ mozjs.dll!js::Invoke(JSContext * cx, const js::CallArgs & argsRef, js::ConstructOption option) Line 694 + 0x11 bytes C++ mozjs.dll!js::ExternalInvoke(JSContext * cx, const js::Value & thisv, const js::Value & fval, unsigned int argc, js::Value * argv, js::Value * rval) Line 816 + 0xf bytes C++ mozjs.dll!js::JSProxyHandler::call(JSContext * cx, JSObject * proxy, unsigned int argc, js::Value * vp) Line 273 + 0x31 bytes C++ mozjs.dll!JSWrapper::call(JSContext * cx, JSObject * wrapper, unsigned int argc, js::Value * vp) Line 250 + 0x43 bytes C++ mozjs.dll!JSCrossCompartmentWrapper::call(JSContext * cx, JSObject * wrapper, unsigned int argc, js::Value * vp) Line 652 + 0x18 bytes C++ mozjs.dll!js::JSProxy::call(JSContext * cx, JSObject * proxy, unsigned int argc, js::Value * vp) Line 839 + 0x28 bytes C++ mozjs.dll!js::proxy_Call(JSContext * cx, unsigned int argc, js::Value * vp) Line 1104 + 0x15 bytes C++ mozjs.dll!js::CallJSNative(JSContext * cx, int (JSContext *, unsigned int, js::Value *)* native, unsigned int argc, js::Value * vp) Line 277 + 0xf bytes C++ mozjs.dll!js::Invoke(JSContext * cx, const js::CallArgs & argsRef, js::ConstructOption option) Line 649 + 0x22 bytes C++ mozjs.dll!js::ExternalInvoke(JSContext * cx, const js::Value & thisv, const js::Value & fval, unsigned int argc, js::Value * argv, js::Value * rval) Line 816 + 0xf bytes C++ mozjs.dll!JS_CallFunctionValue(JSContext * cx, JSObject * obj, jsval_layout fval, unsigned int argc, jsval_layout * argv, jsval_layout * rval) Line 5080 + 0x45 bytes C++ xul.dll!nsXPCWrappedJSClass::CallMethod(nsXPCWrappedJS * wrapper, unsigned short methodIndex, const XPTMethodDescriptor * info, nsXPTCMiniVariant * nativeParams) Line 1662 + 0x38 bytes C++ xul.dll!nsXPCWrappedJS::CallMethod(unsigned short methodIndex, const XPTMethodDescriptor * info, nsXPTCMiniVariant * params) Line 587 C++ xul.dll!PrepareAndDispatch(nsXPTCStubBase * self, unsigned int methodIndex, unsigned int * args, unsigned int * stackBytesToPop) Line 114 + 0x21 bytes C++ xul.dll!SharedStub() Line 142 C++ xul.dll!nsEventListenerManager::HandleEventSubType(nsListenerStruct * aListenerStruct, nsIDOMEventListener * aListener, nsIDOMEvent * aDOMEvent, nsPIDOMEventTarget * aCurrentTarget, unsigned int aPhaseFlags, nsCxPusher * aPusher) Line 1142 + 0x12 bytes C++ xul.dll!nsEventListenerManager::HandleEventInternal(nsPresContext * aPresContext, nsEvent * aEvent, nsIDOMEvent * * aDOMEvent, nsPIDOMEventTarget * aCurrentTarget, unsigned int aFlags, nsEventStatus * aEventStatus, nsCxPusher * aPusher) Line 1239 + 0x27 bytes C++ xul.dll!nsEventListenerManager::HandleEvent(nsPresContext * aPresContext, nsEvent * aEvent, nsIDOMEvent * * aDOMEvent, nsPIDOMEventTarget * aCurrentTarget, unsigned int aFlags, nsEventStatus * aEventStatus, nsCxPusher * aPusher) Line 147 C++ xul.dll!nsEventTargetChainItem::HandleEvent(nsEventChainPostVisitor & aVisitor, unsigned int aFlags, int aMayHaveNewListenerManagers, nsCxPusher * aPusher) Line 216 C++ xul.dll!nsEventTargetChainItem::HandleEventTargetChain(nsEventChainPostVisitor & aVisitor, unsigned int aFlags, nsDispatchingCallback * aCallback, int aMayHaveNewListenerManagers, nsCxPusher * aPusher) Line 346 C++ xul.dll!nsEventDispatcher::Dispatch(nsISupports * aTarget, nsPresContext * aPresContext, nsEvent * aEvent, nsIDOMEvent * aDOMEvent, nsEventStatus * aEventStatus, nsDispatchingCallback * aCallback, nsCOMArray<nsPIDOMEventTarget> * aTargets) Line 648 + 0x1e bytes C++ xul.dll!PostMessageEvent::Run() Line 6015 + 0x2f bytes C++ xul.dll!nsThread::ProcessNextEvent(int mayWait, int * result) Line 618 + 0x19 bytes C++ xul.dll!NS_ProcessNextEvent_P(nsIThread * thread, int mayWait) Line 245 + 0x16 bytes C++ xul.dll!mozilla::ipc::MessagePump::Run(base::MessagePump::Delegate * aDelegate) Line 110 + 0xe bytes C++ xul.dll!MessageLoop::RunInternal() Line 219 C++ xul.dll!MessageLoop::RunHandler() Line 203 C++ xul.dll!MessageLoop::Run() Line 177 C++ xul.dll!nsBaseAppShell::Run() Line 191 C++ xul.dll!nsAppShell::Run() Line 249 + 0x9 bytes C++ xul.dll!nsAppStartup::Run() Line 222 + 0x1c bytes C++ xul.dll!XRE_main(int argc, char * * argv, const nsXREAppData * aAppData) Line 3686 + 0x25 bytes C++ firefox.exe!NS_internal_main(int argc, char * * argv) Line 158 + 0x12 bytes C++ firefox.exe!wmain(int argc, wchar_t * * argv) Line 106 + 0xd bytes C++ firefox.exe!__tmainCRTStartup() Line 552 + 0x19 bytes C firefox.exe!wmainCRTStartup() Line 371 C kernel32.dll!@BaseThreadInitThunk@12() + 0x12 bytes ntdll.dll!___RtlUserThreadStart@8() + 0x27 bytes ntdll.dll!__RtlUserThreadStart@8() + 0x1b bytes
Comment 1•13 years ago
|
||
Blake, can you have a look here? Marking sg:critical? since that's what we typically do with compartment mismatches.
Whiteboard: [sg:critical?]
Updated•13 years ago
|
Assignee: nobody → mrbkap
Comment 2•13 years ago
|
||
Is this strictly a problem with what the add-on is doing alone, or does the page content influence the crash? If the former it might be sg:moderate rather than critical, although some other addon might be doing similar things in actions that could theoretically be triggered by content.
status-firefox6:
--- → wontfix
status-firefox7:
--- → wontfix
status-firefox8:
--- → affected
status-firefox9:
--- → affected
tracking-firefox8:
--- → +
tracking-firefox9:
--- → +
Assignee | ||
Comment 3•13 years ago
|
||
This has already been fixed on trunk by bug 679494.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE
Updated•13 years ago
|
Updated•13 years ago
|
Group: mozilla-confidential
status1.9.2:
--- → unaffected
Updated•13 years ago
|
Updated•13 years ago
|
Group: core-security
Group: mozilla-confidential
Updated•5 years ago
|
Component: DOM → DOM: Core & HTML
You need to log in
before you can comment on or make changes to this bug.
Description
•