Closed Bug 779849 Opened 7 years ago Closed 7 years ago
Flash Plugin related Assertion failure: false (compartment mismatched)
1. http://www.blogs.com/topten/top-10-country-music-blogs/

This occurs on many many urls not just this one. This is my current top crasher in crash automation.

2. Assertion failure: false (compartment mismatched), at ../../../js/src/jscntxtinlines.h:227

Initially on Nightly this was a

###!!! ABORT: attempt to initialize OOP crash reporter before in-process crashreporter!: 'gExceptionHandler != NULL', file ../../../toolkit/crashreporter/nsExceptionHandler.cpp, line 2020

but after bug 773830 was fixed it settled down into the Assertion. It is just the assertion on Beta and Aurora.

ABORT: attempt to initialize OOP crash reporter before in-process crashreporter!: 'gExceptionHandler != NULL', file ../../../toolkit/crashreporter/nsExceptionHandler.cpp, line 2020
then
Assertion failure: false (compartment mismatched), at ../../../js/src/jscntxtinlines.h:227

Also crashed Nightly, Aurora (may need to reload)

bp-a9cd5c2f-db62-4383-85c4-a08672120802 Firefox 17.0a1 Crash Report [@ js::types::TypeObject::addPropertyType ]
bp-723b5531-d568-4856-9977-3ee742120802 Firefox 15.0a2 Crash Report [@ js::gc::PushMarkStack ]

Found regression between 20120712015541-20120712174703
Pushlog: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=70d92a6ccdfa&tochange=6489be1890c0
http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2012/07/2012-07-12-mozilla-central-debug/firefox-16.0a1.en-US.debug-linux-i686.tar.bz2
http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2012/07/2012-07-13-mozilla-central-debug/firefox-16.0a1.en-US.debug-linux-i686.tar.bz2

Found regression between 20120715024321-20120716024822
Pushlog: http://hg.mozilla.org/releases/mozilla-aurora/pushloghtml?fromchange=50963e16d1dc&tochange=d7602223c982
http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2012/07/2012-07-15-mozilla-aurora-debug/firefox-15.0a2.en-US.debug-linux-i686.tar.bz2
http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2012/07/2012-07-16-mozilla-aurora-debug/firefox-15.0a2.en-US.debug-linux-i686.tar.bz2 (didn't see the ABORT here)

Found regression between 20120718210721-20120719120951
Pushlog: http://hg.mozilla.org/releases/mozilla-beta/pushloghtml?fromchange=b2487714085b&tochange=ebfad1bf8749
http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2012/07/2012-07-19-mozilla-beta-debug/firefox-15.0.en-US.debug-linux-i686.tar.bz2
http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2012/07/2012-07-20-mozilla-beta-debug/firefox-15.0.en-US.debug-linux-i686.tar.bz2 (didn't see ABORT here)
Component: IPC → Plug-ins
Forgot to mention most if not all of the assertions I've seen have been just after loading Flash. This is not specific to 11.3 as it occurs on Linux with 11.2 as well.
Summary: Plugin related Assertion failure: false (compartment mismatched) → Flash Plugin related Assertion failure: false (compartment mismatched)
I don't know this code at all--even who to ask for review. But the fix looks relatively straightforward. There are two paths in GetNewOrUsed that return an existing object. One of them calls JS_WrapObject and the other one doesn't. On the page that crashes, we take the non-JS_WrapObject path and end up getting something from the wrong compartment.
Also, this should probably be closed.
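The failure mode described in the comment above, as an added toy model that is not part of the bug thread and is not Mozilla's code. All types and names are hypothetical stand-ins (`wrapObject` plays the role of JS_WrapObject), and which of the two existing-object paths lacked the wrap is an assumption made for illustration.

```cpp
#include <cstdio>
#include <map>
#include <memory>
#include <vector>

// Toy model only; none of these types are SpiderMonkey's.
struct Compartment { int id; };
struct Object { Compartment* comp; Object* target; };  // target set => wrapper
struct Context {
    Compartment* current;
    std::vector<std::unique_ptr<Object>> owned;  // keeps created objects alive
};
// Stand-in for JS_WrapObject: hand back obj if it already lives in cx's
// compartment, otherwise a wrapper allocated in cx's compartment.
Object* wrapObject(Context& cx, Object* obj) {
    if (obj->comp == cx.current) return obj;
    cx.owned.push_back(std::make_unique<Object>(Object{cx.current, obj}));
    return cx.owned.back().get();
}
// The invariant whose violation is reported as "compartment mismatched".
bool sameCompartment(const Context& cx, const Object* obj) {
    return obj->comp == cx.current;
}
// Hypothetical lookup with two paths that return an existing object.
struct WrapperTable {
    std::map<int, Object*> direct;  // path 1: key already backed by an object
    std::map<int, Object*> cached;  // path 2: wrapper found in a table
    Object* getNewOrUsed(Context& cx, int key, bool wrapOnPath1) {
        auto d = direct.find(key);
        if (d != direct.end())      // assumed to be the path missing the wrap
            return wrapOnPath1 ? wrapObject(cx, d->second) : d->second;
        auto c = cached.find(key);
        if (c != cached.end()) return wrapObject(cx, c->second);
        cx.owned.push_back(std::make_unique<Object>(Object{cx.current, nullptr}));
        return cached[key] = cx.owned.back().get();
    }
};
// Constructed scenario: the existing object was created in another compartment.
bool lookupRespectsCompartment(bool wrapOnPath1) {
    Compartment page{1}, other{2};
    Object existing{&other, nullptr};
    WrapperTable table;
    table.direct[7] = &existing;
    Context cx{&page, {}};
    return sameCompartment(cx, table.getNewOrUsed(cx, 7, wrapOnPath1));
}
int main() {
    std::printf("path 1 without wrap ok: %d\n", lookupRespectsCompartment(false));
    std::printf("path 1 with wrap ok:    %d\n", lookupRespectsCompartment(true));
}
```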
Comment on attachment 648486
patch?

Yes! You rock, bill.
Attachment #648486 - Flags: review?(bobbyholley+bmo) → review+
This fixes the crash in bug 774052. We should get this on beta ASAP.
https://hg.mozilla.org/integration/mozilla-inbound/rev/4f774268e674 It sounds like Bobby's review is enough here.
Comment on attachment 648486
patch?

[Approval Request Comment]
Bug caused by (feature/regressing bug #): CPG, I assume
User impact if declined: Crashes, exploits.
Testing completed (on m-c, etc.): On m-c.
Risk to taking this patch (and alternatives if risky): Seems low, but I don't know this code well.
String or UUID changes made by this patch: None.
Please land this before EOD tomorrow so it can go into Beta 4 and we can have some bake time before final release.
(In reply to Al Billings [:abillings] from comment #11)
> Does this not affect ESR?

I don't think so, but Bobby would know better. Bobby?
Bob implies it is a regression from July.
I don't test esr so can't say from experience whether this affects it or not. It would depend on if any of the responsible patches have landed there. If this is related to the Flash crash reporting then it is possible that esr is affected as well.
(In reply to Bill McCloskey (:billm) from comment #12)
> I don't think so, but Bobby would know better. Bobby?

This is a regression from bug 771202. I can't mark it because of circularity.
Whiteboard: [advisory-tracking+] → [advisory-tracking+] regression from bug 771202
If this is a regression from bug 771202, then it shouldn't affect ESR.
I'm not able to reproduce this with the 2012-07-30 Firefox 17.0a1 debug build on Ubuntu 12.04 64-bit with Flash 11.2. Can someone provide some assistance here with the verification, either by doing some testing or by providing me with some guidance so I can reproduce it myself? Priority is getting it verified against Firefox 15. Thanks
Whiteboard: [advisory-tracking+] regression from bug 771202 → [advisory-tracking+][qa?] regression from bug 771202
ashughes, do you have 32bit linux available?
(In reply to Bob Clary [:bc:] from comment #18)
> ashughes, do you have 32bit linux available?

I have an Ubuntu 11.10 32-bit VM -- will that work?
Worth a try.
Thanks Bob. I was able to reproduce this with Firefox 17.0a1 2012-07-30, Ubuntu 11.10 32-bit, and Flash 11.2. I'll now test to verify the fix.
Verified fixed with:
* 2012-08-24 Firefox 17.0a1
* 2012-08-24 Firefox 16.0a2
* 2012-08-24 Firefox 15.0