
Flash Plugin related Assertion failure: false (compartment mismatched)

VERIFIED FIXED in Firefox 15

Status

Status: VERIFIED FIXED
Product: Core
Component: Plug-ins
Priority: --
Severity: critical
Reported: 5 years ago
Modified: 5 years ago

People

(Reporter: bc, Assigned: billm)

Tracking

Blocks: 1 bug
Version: Trunk
Target Milestone: mozilla17
Keywords: assertion, crash, sec-critical
Points: ---

Firefox Tracking Flags

(firefox15+ verified, firefox16+ verified, firefox17+ verified, firefox-esr10 unaffected)

Details

(Whiteboard: [advisory-tracking+] regression from bug 771202, crash signature, URL)

Attachments

(1 attachment)

Description (Reporter, 5 years ago)
1. http://www.blogs.com/topten/top-10-country-music-blogs/
   This occurs on many many urls not just this one. This is my current top crasher in crash automation.

2. Assertion failure: false (compartment mismatched), at ../../../js/src/jscntxtinlines.h:227

Initially on Nightly this was a
###!!! ABORT: attempt to initialize OOP crash reporter before in-process crashreporter!: 'gExceptionHandler != NULL', file ../../../toolkit/crashreporter/nsExceptionHandler.cpp, line 2020

but after bug 773830 was fixed it settled down into the Assertion. It is just the assertion on Beta and Aurora.


ABORT: attempt to initialize OOP crash reporter before in-process crashreporter!: 'gExceptionHandler != NULL', file ../../../toolkit/crashreporter/nsExceptionHandler.cpp, line 2020
then Assertion failure: false (compartment mismatched), at ../../../js/src/jscntxtinlines.h:227

Also crashed Nightly, Aurora (may need to reload)

bp-a9cd5c2f-db62-4383-85c4-a08672120802
Firefox 17.0a1 Crash Report [@ js::types::TypeObject::addPropertyType ] 
bp-723b5531-d568-4856-9977-3ee742120802
Firefox 15.0a2 Crash Report [@ js::gc::PushMarkStack ] 

Found regression between 20120712015541-20120712174703
Pushlog: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=70d92a6ccdfa&tochange=6489be1890c0
http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2012/07/2012-07-12-mozilla-central-debug/firefox-16.0a1.en-US.debug-linux-i686.tar.bz2
http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2012/07/2012-07-13-mozilla-central-debug/firefox-16.0a1.en-US.debug-linux-i686.tar.bz2

Found regression between 20120715024321-20120716024822
Pushlog: http://hg.mozilla.org/releases/mozilla-aurora/pushloghtml?fromchange=50963e16d1dc&tochange=d7602223c982
http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2012/07/2012-07-15-mozilla-aurora-debug/firefox-15.0a2.en-US.debug-linux-i686.tar.bz2
http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2012/07/2012-07-16-mozilla-aurora-debug/firefox-15.0a2.en-US.debug-linux-i686.tar.bz2
(didn't see the ABORT here)

Found regression between 20120718210721-20120719120951
Pushlog: http://hg.mozilla.org/releases/mozilla-beta/pushloghtml?fromchange=b2487714085b&tochange=ebfad1bf8749
http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2012/07/2012-07-19-mozilla-beta-debug/firefox-15.0.en-US.debug-linux-i686.tar.bz2
http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2012/07/2012-07-20-mozilla-beta-debug/firefox-15.0.en-US.debug-linux-i686.tar.bz2
(didn't see ABORT here)
Component: IPC → Plug-ins
Comment 1 (Reporter, 5 years ago)
Forgot to mention most if not all of the assertions I've seen have been just after loading Flash. This is not specific to 11.3 as it occurs on Linux with 11.2 as well.
Summary: Plugin related Assertion failure: false (compartment mismatched) → Flash Plugin related Assertion failure: false (compartment mismatched)
Comment 2 (Assignee, 5 years ago)
Created attachment 648486 [details] [diff] [review]
patch?

I don't know this code at all--even who to ask for review. But the fix looks relatively straightforward. There are two paths in GetNewOrUsed that return an existing object. One of them calls JS_WrapObject and the other one doesn't. On the page that crashes, we take the non-JS_WrapObject path and end up getting something from the wrong compartment.
Assignee: nobody → wmccloskey
Status: NEW → ASSIGNED
Attachment #648486 - Flags: review?(bobbyholley+bmo)
Attachment #648486 - Flags: review?(benjamin)
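The invariant behind the "compartment mismatched" assertion, as a toy model added here (it is not Mozilla's code): an object handed back to a JSContext must live in that context's current compartment, and the only way to return a cached object from another compartment is to pass it through a wrapping step first. The names JSObject, JSContext, JS_WrapObject and GetNewOrUsed echo the terms used in the comment, but their signatures, the ReflectorCache with its two lookup tables, and the cross-compartment scenario are all assumptions constructed for the illustration. The `wrapSecondPath` switch selects the defective shape the comment describes (one lookup path wraps, the other returns the cached object as-is) or the corrected shape (both paths wrap).

```cpp
#include <cstdio>
#include <map>
#include <memory>
#include <stdexcept>
#include <string>
#include <vector>

// Toy model (added example, not Mozilla code) of the invariant behind the
// "compartment mismatched" assertion: an object handed to a JSContext must
// live in the context's current compartment; objects from another
// compartment have to go through JS_WrapObject first.

struct JSObject {
    int compartment;     // compartment this object lives in
    JSObject* wrapped;   // non-null when this object is a cross-compartment wrapper
    std::string name;
};

struct JSContext {
    int compartment;                               // model of cx->compartment
    std::vector<std::unique_ptr<JSObject>> heap;   // owns objects created through cx
};

// Model of JS_WrapObject (the real signature differs): the object itself if it
// is already in cx's compartment, otherwise a wrapper that lives there.
JSObject* JS_WrapObject(JSContext& cx, JSObject* obj) {
    if (obj->compartment == cx.compartment)
        return obj;
    cx.heap.emplace_back(new JSObject{cx.compartment, obj, "wrapper(" + obj->name + ")"});
    return cx.heap.back().get();
}

// Model of the jscntxtinlines.h assertion; throws instead of aborting so a
// caller can observe it.
void assertSameCompartment(const JSContext& cx, const JSObject* obj) {
    if (obj->compartment != cx.compartment)
        throw std::logic_error("Assertion failure: false (compartment mismatched)");
}

// Hypothetical cache of JS reflectors for native plugin objects, reachable
// through two tables (the "two paths" of the comment).
struct ReflectorCache {
    std::map<int, JSObject*> byId;
    std::map<std::string, JSObject*> byKey;
};

// Hypothetical GetNewOrUsed. wrapSecondPath=false reproduces the defect the
// comment describes (the second lookup path returns the cached object
// unwrapped); wrapSecondPath=true is the fixed shape where both paths wrap.
JSObject* GetNewOrUsed(JSContext& cx, ReflectorCache& cache, int id,
                       const std::string& key, bool wrapSecondPath) {
    auto hitId = cache.byId.find(id);
    if (hitId != cache.byId.end())
        return JS_WrapObject(cx, hitId->second);            // path 1: wraps

    auto hitKey = cache.byKey.find(key);
    if (hitKey != cache.byKey.end())
        return wrapSecondPath ? JS_WrapObject(cx, hitKey->second)
                              : hitKey->second;             // path 2: the missing wrap

    cx.heap.emplace_back(new JSObject{cx.compartment, nullptr, key});
    JSObject* fresh = cx.heap.back().get();
    cache.byId[id] = fresh;
    cache.byKey[key] = fresh;
    return fresh;
}

// Constructed scenario: a reflector created in compartment 1 is later requested
// from compartment 2 and is only reachable through the secondary table.
// Returns true if the compartment assertion fires on the returned object.
bool reflectorRequestTripsAssertion(bool wrapSecondPath) {
    ReflectorCache cache;
    JSContext cx1{1, {}};
    JSContext cx2{2, {}};

    GetNewOrUsed(cx1, cache, 1, "plugin-instance", wrapSecondPath);
    cache.byId.erase(1);   // constructed: id entry gone, key entry remains

    try {
        JSObject* obj = GetNewOrUsed(cx2, cache, 2, "plugin-instance", wrapSecondPath);
        assertSameCompartment(cx2, obj);   // what the caller does with the result
        return false;
    } catch (const std::logic_error&) {
        return true;
    }
}

int main() {
    std::printf("unwrapped second path trips assertion: %s\n",
                reflectorRequestTripsAssertion(false) ? "yes" : "no");
    std::printf("wrapped second path trips assertion:   %s\n",
                reflectorRequestTripsAssertion(true) ? "yes" : "no");
    return 0;
}
```

The point of the model is that the caller cannot tell which lookup path produced the object; the wrap has to happen on every path that can return something created under a different context, which is why a cache with two return paths is a natural place for this class of bug to hide.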
Comment 3 (Assignee, 5 years ago)
Also, this should probably be closed.
Group: core-security
Comment on attachment 648486 [details] [diff] [review]
patch?

Yes! You rock, bill.
Attachment #648486 - Flags: review?(bobbyholley+bmo) → review+
This fixes the crash in bug 774052. We should get this on beta ASAP.
Blocks: 774052
tracking-firefox15: ? → +
tracking-firefox16: ? → +
tracking-firefox17: ? → +
Comment 6 (Assignee, 5 years ago)
https://hg.mozilla.org/integration/mozilla-inbound/rev/4f774268e674

It sounds like Bobby's review is enough here.
Comment 7 (Assignee, 5 years ago)
Comment on attachment 648486 [details] [diff] [review]
patch?

[Approval Request Comment]
Bug caused by (feature/regressing bug #): CPG, I assume
User impact if declined: Crashes, exploits.
Testing completed (on m-c, etc.): On m-c.
Risk to taking this patch (and alternatives if risky): Seems low, but I don't know this code well.
String or UUID changes made by this patch: None.
Attachment #648486 - Flags: review?(benjamin)
Attachment #648486 - Flags: approval-mozilla-beta?
Attachment #648486 - Flags: approval-mozilla-aurora?

Comment 8 (5 years ago)
https://hg.mozilla.org/mozilla-central/rev/4f774268e674
Status: ASSIGNED → RESOLVED
Last Resolved: 5 years ago
status-firefox17: affected → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla17
Keywords: sec-critical
Attachment #648486 - Flags: approval-mozilla-beta?
Attachment #648486 - Flags: approval-mozilla-beta+
Attachment #648486 - Flags: approval-mozilla-aurora?
Attachment #648486 - Flags: approval-mozilla-aurora+
Please land this before EOD tomorrow so it can go into Beta 4 and we can have some bake time before final release.
Comment 10 (Assignee, 5 years ago)
https://hg.mozilla.org/releases/mozilla-aurora/rev/bac4527ff910
https://hg.mozilla.org/releases/mozilla-beta/rev/0a2004271b21
status-firefox15: affected → fixed
status-firefox16: affected → fixed
Does this not affect ESR?
status-firefox-esr10: --- → ?
Whiteboard: [advisory-tracking+]
Comment 12 (Assignee, 5 years ago)
(In reply to Al Billings [:abillings] from comment #11)
> Does this not affect ESR?

I don't think so, but Bobby would know better. Bobby?
Bob implies it is a regression from July.
Comment 14 (Reporter, 5 years ago)
I don't test esr so can't say from experience whether this affects it or not. It would depend on if any of the responsible patches have landed there. If this is related to the Flash crash reporting then it is possible that esr is affected as well.
(In reply to Bill McCloskey (:billm) from comment #12)
> I don't think so, but Bobby would know better. Bobby?

This is a regression from bug 771202. I can't mark it because of circularity.
Whiteboard: [advisory-tracking+] → [advisory-tracking+] regression from bug 771202
If this is a regression from bug 771202, then it shouldn't affect ESR.
status-firefox-esr10: ? → unaffected
Keywords: verifyme
I'm not able to reproduce this with the 2012-07-30 Firefox 17.0a1 debug build on Ubuntu 12.04 64-bit with Flash 11.2. Can someone provide some assistance here with the verification, either by doing some testing or by providing me with some guidance so I can reproduce it myself? Priority is getting it verified against Firefox 15.

Thanks
Keywords: verifyme
Whiteboard: [advisory-tracking+] regression from bug 771202 → [advisory-tracking+][qa?] regression from bug 771202
Comment 18 (Reporter, 5 years ago)
ashughes, do you have 32bit linux available?
(In reply to Bob Clary [:bc:] from comment #18)
> ashughes, do you have 32bit linux available?

I have an Ubuntu 11.10 32-bit VM -- will that work?
Comment 20 (Reporter, 5 years ago)
Worth a try.
Thanks Bob. I was able to reproduce this with Firefox 17.0a1 2012-07-30, Ubuntu 11.10 32-bit, and Flash 11.2. I'll now test to verify the fix.
Verified fixed with:
 * 2012-08-24 Firefox 17.0a1
 * 2012-08-24 Firefox 16.0a2
 * 2012-08-24 Firefox 15.0
Status: RESOLVED → VERIFIED
status-firefox15: fixed → verified
status-firefox16: fixed → verified
status-firefox17: fixed → verified
QA Contact: anthony.s.hughes
Whiteboard: [advisory-tracking+][qa?] regression from bug 771202 → [advisory-tracking+] regression from bug 771202
Group: core-security