Last Comment Bug 779849 - Flash Plugin related Assertion failure: false (compartment mismatched)
: Flash Plugin related Assertion failure: false (compartment mismatched)
Status: VERIFIED FIXED
[advisory-tracking+] regression from ...
: assertion, crash, sec-critical
Product: Core
Classification: Components
Component: Plug-ins (show other bugs)
: Trunk
: All All
: -- critical (vote)
: mozilla17
Assigned To: Bill McCloskey (:billm)
: Anthony Hughes (:ashughes) [GFX][QA][Mentor]
Mentors:
http://www.blogs.com/topten/top-10-co...
Depends on:
Blocks: 532972 771251 774052
  Show dependency treegraph
 
Reported: 2012-08-02 07:44 PDT by Bob Clary [:bc:]
Modified: 2012-10-21 22:19 PDT (History)
12 users (show)
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---
+
verified
+
verified
+
verified
unaffected


Attachments
patch? (769 bytes, patch)
2012-08-02 14:16 PDT, Bill McCloskey (:billm)
bobbyholley: review+
lukasblakk+bugs: approval‑mozilla‑aurora+
lukasblakk+bugs: approval‑mozilla‑beta+
Details | Diff | Review

Description Bob Clary [:bc:] 2012-08-02 07:44:38 PDT
1. http://www.blogs.com/topten/top-10-country-music-blogs/
   This occurs on many many urls not just this one. This is my current top crasher in crash automation.

2. Assertion failure: false (compartment mismatched), at ../../../js/src/jscntxtinlines.h:227

Initially on Nightly this was a
###!!! ABORT: attempt to initialize OOP crash reporter before in-process crashreporter!: 'gExceptionHandler != NULL', file ../../../toolkit/crashreporter/nsExceptionHandler.cpp, line 2020

but after bug 773830 was fixed it settled down into the Assertion. It is just the assertion on Beta and Aurora.


ABORT: attempt to initialize OOP crash reporter before in-process crashreporter!: 'gExceptionHandler != NULL', file ../../../toolkit/crashreporter/nsExceptionHandler.cpp, line 2020
then Assertion failure: false (compartment mismatched), at ../../../js/src/jscntxtinlines.h:227

Also crashed Nightly, Aurora (may need to reload)

bp-a9cd5c2f-db62-4383-85c4-a08672120802
Firefox 17.0a1 Crash Report [@ js::types::TypeObject::addPropertyType ] 
bp-723b5531-d568-4856-9977-3ee742120802
Firefox 15.0a2 Crash Report [@ js::gc::PushMarkStack ] 

Found regression between 20120712015541-20120712174703
Pushlog: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=70d92a6ccdfa&tochange=6489be1890c0
http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2012/07/2012-07-12-mozilla-central-debug/firefox-16.0a1.en-US.debug-linux-i686.tar.bz2
http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2012/07/2012-07-13-mozilla-central-debug/firefox-16.0a1.en-US.debug-linux-i686.tar.bz2

Found regression between 20120715024321-20120716024822
Pushlog: http://hg.mozilla.org/releases/mozilla-aurora/pushloghtml?fromchange=50963e16d1dc&tochange=d7602223c982
http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2012/07/2012-07-15-mozilla-aurora-debug/firefox-15.0a2.en-US.debug-linux-i686.tar.bz2
http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2012/07/2012-07-16-mozilla-aurora-debug/firefox-15.0a2.en-US.debug-linux-i686.tar.bz2
(didn't see the ABORT here)

Found regression between 20120718210721-20120719120951
Pushlog: http://hg.mozilla.org/releases/mozilla-beta/pushloghtml?fromchange=b2487714085b&tochange=ebfad1bf8749
http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2012/07/2012-07-19-mozilla-beta-debug/firefox-15.0.en-US.debug-linux-i686.tar.bz2
http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2012/07/2012-07-20-mozilla-beta-debug/firefox-15.0.en-US.debug-linux-i686.tar.bz2
(didn't see ABORT here)
Comment 1 Bob Clary [:bc:] 2012-08-02 11:21:42 PDT
Forgot to mention most if not all of the assertions I've seen have been just after loading Flash. This is not specific to 11.3 as it occurs on Linux with 11.2 as well.
Comment 2 Bill McCloskey (:billm) 2012-08-02 14:16:20 PDT
Created attachment 648486 [details] [diff] [review]
patch?

I don't know this code at all--even who to ask for review. But the fix looks relatively straightforward. There are two paths in GetNewOrUsed that return an existing object. One of them calls JS_WrapObject and the other one doesn't. On the page that crashes, we take the non-JS_WrapObject path and end up getting something from the wrong compartment.
Comment 3 Bill McCloskey (:billm) 2012-08-02 14:16:47 PDT
Also, this should probably be closed.
Comment 4 Bobby Holley (busy) 2012-08-03 03:19:08 PDT
Comment on attachment 648486 [details] [diff] [review]
patch?

Yes! You rock, bill.
Comment 5 Bobby Holley (busy) 2012-08-03 03:20:02 PDT
This fixes the crash in bug 774052. We should get this on beta ASAP.
Comment 6 Bill McCloskey (:billm) 2012-08-03 12:43:50 PDT
https://hg.mozilla.org/integration/mozilla-inbound/rev/4f774268e674

It sounds like Bobby's review is enough here.
Comment 7 Bill McCloskey (:billm) 2012-08-03 12:45:02 PDT
Comment on attachment 648486 [details] [diff] [review]
patch?

[Approval Request Comment]
Bug caused by (feature/regressing bug #): CPG, I assume
User impact if declined: Crashes, exploits.
Testing completed (on m-c, etc.): On m-c.
Risk to taking this patch (and alternatives if risky): Seems low, but I don't know this code well.
String or UUID changes made by this patch: None.
Comment 8 Ed Morley [:emorley] 2012-08-04 11:26:16 PDT
https://hg.mozilla.org/mozilla-central/rev/4f774268e674
Comment 9 Lukas Blakk [:lsblakk] use ?needinfo 2012-08-06 16:16:18 PDT
Please land this before EOD tomorrow so it can go into Beta 4 and we can have some bake time before final release.
Comment 11 Al Billings [:abillings] 2012-08-07 17:24:23 PDT
Does this not affect ESR?
Comment 12 Bill McCloskey (:billm) 2012-08-07 17:27:12 PDT
(In reply to Al Billings [:abillings] from comment #11)
> Does this not affect ESR?

I don't think so, but Bobby would know better. Bobby?
Comment 13 Al Billings [:abillings] 2012-08-07 17:37:58 PDT
Bob implies it is a regression from July.
Comment 14 Bob Clary [:bc:] 2012-08-08 06:17:47 PDT
I don't test esr so can't say from experience whether this affects it or not. It would depend on if any of the responsible patches have landed there. If this is related to the Flash crash reporting then it is possible that esr is affected as well.
Comment 15 Bobby Holley (busy) 2012-08-08 11:18:55 PDT
(In reply to Bill McCloskey (:billm) from comment #12)
> I don't think so, but Bobby would know better. Bobby?

This is a regression from bug 771202. I can't mark it because of circularity.
Comment 16 Al Billings [:abillings] 2012-08-08 15:06:17 PDT
If this is a regression frombug 771202, then it shouldn't affect ESR.
Comment 17 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2012-08-24 12:46:02 PDT
I'm not able to reproduce this with the 2012-07-30 Firefox 17.0a1 debug build on Ubuntu 12.04 64-bit with Flash 11.2. Can someone provide some assistance here with the verification, either by doing some testing or by providing me with some guidance so I can reproduce it myself? Priority is getting it verified against Firefox 15.

Thanks
Comment 18 Bob Clary [:bc:] 2012-08-24 13:03:44 PDT
ashughes, do you have 32bit linux available?
Comment 19 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2012-08-24 13:07:51 PDT
(In reply to Bob Clary [:bc:] from comment #18)
> ashughes, do you have 32bit linux available?

I have an Ubuntu 11.10 32-bit VM -- will that work?
Comment 20 Bob Clary [:bc:] 2012-08-24 13:17:37 PDT
Worth a try.
Comment 21 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2012-08-24 14:01:32 PDT
Thanks Bob. I was able to reproduce this with Firefox 17.0a1 2012-07-30, Ubuntu 11.10 32-bit, and Flash 11.2. I'll now test to verify the fix.
Comment 22 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2012-08-24 14:11:02 PDT
Verified fixed with:
 * 2012-08-24 Firefox 17.0a1
 * 2012-08-24 Firefox 16.0a2
 * 2012-08-24 Firefox 15.0

Note You need to log in before you can comment on or make changes to this bug.