Closed
Bug 779849
Opened 12 years ago
Closed 12 years ago
Flash Plugin related Assertion failure: false (compartment mismatched)
Categories: Core Graveyard :: Plug-ins, defect
Tracking: firefox15+ verified, firefox16+ verified, firefox17+ verified, firefox-esr10 unaffected
Status: VERIFIED FIXED
Target Milestone: mozilla17
People: Reporter: bc, Assigned: billm
Keywords: assertion, crash, sec-critical
Whiteboard: [advisory-tracking+] regression from bug 771202
Attachments (1 file): patch (769 bytes) | bholley: review+ | lsblakk: approval-mozilla-aurora+ | lsblakk: approval-mozilla-beta+
1. http://www.blogs.com/topten/top-10-country-music-blogs/
   This occurs on many, many URLs, not just this one. This is my current top crasher in crash automation.
2. Assertion failure: false (compartment mismatched), at ../../../js/src/jscntxtinlines.h:227

Initially on Nightly this was a

###!!! ABORT: attempt to initialize OOP crash reporter before in-process crashreporter!: 'gExceptionHandler != NULL', file ../../../toolkit/crashreporter/nsExceptionHandler.cpp, line 2020

but after bug 773830 was fixed it settled down into the Assertion. It is just the assertion on Beta and Aurora.

ABORT: attempt to initialize OOP crash reporter before in-process crashreporter!: 'gExceptionHandler != NULL', file ../../../toolkit/crashreporter/nsExceptionHandler.cpp, line 2020
then
Assertion failure: false (compartment mismatched), at ../../../js/src/jscntxtinlines.h:227

Also crashed Nightly, Aurora (may need to reload):

bp-a9cd5c2f-db62-4383-85c4-a08672120802 Firefox 17.0a1 Crash Report [@ js::types::TypeObject::addPropertyType ]
bp-723b5531-d568-4856-9977-3ee742120802 Firefox 15.0a2 Crash Report [@ js::gc::PushMarkStack ]

Found regression between 20120712015541-20120712174703
Pushlog: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=70d92a6ccdfa&tochange=6489be1890c0
http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2012/07/2012-07-12-mozilla-central-debug/firefox-16.0a1.en-US.debug-linux-i686.tar.bz2
http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2012/07/2012-07-13-mozilla-central-debug/firefox-16.0a1.en-US.debug-linux-i686.tar.bz2

Found regression between 20120715024321-20120716024822
Pushlog: http://hg.mozilla.org/releases/mozilla-aurora/pushloghtml?fromchange=50963e16d1dc&tochange=d7602223c982
http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2012/07/2012-07-15-mozilla-aurora-debug/firefox-15.0a2.en-US.debug-linux-i686.tar.bz2
http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2012/07/2012-07-16-mozilla-aurora-debug/firefox-15.0a2.en-US.debug-linux-i686.tar.bz2 (didn't see the ABORT here)

Found regression between 20120718210721-20120719120951
Pushlog: http://hg.mozilla.org/releases/mozilla-beta/pushloghtml?fromchange=b2487714085b&tochange=ebfad1bf8749
http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2012/07/2012-07-19-mozilla-beta-debug/firefox-15.0.en-US.debug-linux-i686.tar.bz2
http://ftp.mozilla.org/pub/mozilla.org/firefox/nightly/2012/07/2012-07-20-mozilla-beta-debug/firefox-15.0.en-US.debug-linux-i686.tar.bz2 (didn't see ABORT here)
Updated•12 years ago
Component: IPC → Plug-ins
Comment 1 (Reporter)•12 years ago
Forgot to mention that most, if not all, of the assertions I've seen have been just after loading Flash. This is not specific to 11.3, as it occurs on Linux with 11.2 as well.
Summary: Plugin related Assertion failure: false (compartment mismatched) → Flash Plugin related Assertion failure: false (compartment mismatched)
Comment 2 (Assignee)•12 years ago
I don't know this code at all--even who to ask for review. But the fix looks relatively straightforward. There are two paths in GetNewOrUsed that return an existing object. One of them calls JS_WrapObject and the other one doesn't. On the page that crashes, we take the non-JS_WrapObject path and end up getting something from the wrong compartment.
Assignee: nobody → wmccloskey
Status: NEW → ASSIGNED
Attachment #648486 - Flags: review?(bobbyholley+bmo)
Attachment #648486 - Flags: review?(benjamin)
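The pattern comment 2 describes, as an added illustration (this is a constructed model, not SpiderMonkey code and not the patch attached to this bug): a lookup routine with a "new" path and a "used" path, where the "used" path hands a cached object back to a caller running in a different compartment without wrapping it. `Compartment`, `Object`, `wrapObject`, `getNewOrUsed` and `compartmentMatches` are all assumed stand-ins for the engine's real types and checks; the `wrapOnReuse` flag switches between the buggy and the corrected return path so both can be run side by side.

```cpp
// Toy model of a cross-compartment object cache (constructed example, not
// SpiderMonkey). Every object belongs to exactly one compartment; code in
// another compartment may only hold it through a cross-compartment wrapper.
#include <cassert>
#include <cstdio>
#include <map>
#include <memory>
#include <string>
#include <vector>

struct Compartment;

struct Object {
    Compartment* compartment = nullptr; // compartment this object lives in
    Object* wrappedTarget = nullptr;    // non-null when this is a wrapper
    std::string name;
};

struct Compartment {
    std::string name;
    // wrapper table: foreign target object -> this compartment's wrapper for it
    std::map<Object*, std::unique_ptr<Object>> wrappers;
};

// Stand-in for the engine's debug-only check that fires the
// "compartment mismatched" assertion: an object returned to a caller must
// belong to the compartment the caller is currently running in.
bool compartmentMatches(const Compartment* current, const Object* obj) {
    return obj != nullptr && obj->compartment == current;
}

// Stand-in for JS_WrapObject: identity if already local, otherwise the
// current compartment's (cached) wrapper around the foreign object.
Object* wrapObject(Compartment* current, Object* obj) {
    if (obj->compartment == current) return obj;
    auto it = current->wrappers.find(obj);
    if (it == current->wrappers.end()) {
        auto w = std::make_unique<Object>();
        w->compartment = current;
        w->wrappedTarget = obj;
        w->name = "wrapper(" + obj->name + ")";
        it = current->wrappers.emplace(obj, std::move(w)).first;
    }
    return it->second.get();
}

// Plugin-object cache keyed by a native handle (assumed shape).
struct PluginObjectCache {
    std::map<int, Object*> byHandle;
    std::vector<std::unique_ptr<Object>> owned;
};

// Two return paths, as in comment 2. The "used" path is the one that must
// wrap; with wrapOnReuse == false it models the bug, returning the cached
// object raw even though it may live in another compartment.
Object* getNewOrUsed(PluginObjectCache& cache, Compartment* current,
                     int handle, bool wrapOnReuse) {
    auto it = cache.byHandle.find(handle);
    if (it != cache.byHandle.end()) {
        return wrapOnReuse ? wrapObject(current, it->second) : it->second;
    }
    auto obj = std::make_unique<Object>();
    obj->compartment = current;
    obj->name = "plugin#" + std::to_string(handle);
    Object* raw = obj.get();
    cache.owned.push_back(std::move(obj));
    cache.byHandle[handle] = raw;
    return raw;
}

// Scenario: one page creates the plugin object, a second page in another
// compartment asks for the same handle. Returns whether the second caller
// receives an object of its own compartment (i.e. the assertion would pass).
bool reuseAcrossCompartments(bool wrapOnReuse) {
    Compartment a{"pageA"}, b{"pageB"};
    PluginObjectCache cache;
    Object* first = getNewOrUsed(cache, &a, 7, wrapOnReuse);
    assert(compartmentMatches(&a, first)); // "new" path is always local
    Object* second = getNewOrUsed(cache, &b, 7, wrapOnReuse);
    return compartmentMatches(&b, second);
}

// Wrapping the same foreign object twice yields the same wrapper identity.
bool wrapperIsStable() {
    Compartment a{"pageA"}, b{"pageB"};
    Object target;
    target.compartment = &a;
    target.name = "t";
    return wrapObject(&b, &target) == wrapObject(&b, &target);
}

int main() {
    std::printf("unwrapped reuse passes check: %d\n", reuseAcrossCompartments(false));
    std::printf("wrapped reuse passes check:   %d\n", reuseAcrossCompartments(true));
    return 0;
}
```

The check that `compartmentMatches` models is what turns a silent cross-compartment leak into the loud assertion in the description on debug builds; on release builds the same mismatch goes undetected, which is why the bug carries the crash reports and the sec-critical keyword.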
Comment 4•12 years ago
Comment on attachment 648486 [details] [diff] [review] patch? Yes! You rock, bill.
Attachment #648486 - Flags: review?(bobbyholley+bmo) → review+
Comment 5•12 years ago
This fixes the crash in bug 774052. We should get this on beta ASAP.
Comment 6 (Assignee)•12 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/4f774268e674
It sounds like Bobby's review is enough here.
Comment 7 (Assignee)•12 years ago
Comment on attachment 648486 [details] [diff] [review] patch?
[Approval Request Comment]
Bug caused by (feature/regressing bug #): CPG, I assume
User impact if declined: Crashes, exploits.
Testing completed (on m-c, etc.): On m-c.
Risk to taking this patch (and alternatives if risky): Seems low, but I don't know this code well.
String or UUID changes made by this patch: None.
Attachment #648486 - Flags: review?(benjamin)
Attachment #648486 - Flags: approval-mozilla-beta?
Attachment #648486 - Flags: approval-mozilla-aurora?
Comment 8•12 years ago
https://hg.mozilla.org/mozilla-central/rev/4f774268e674
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla17
Keywords: sec-critical
Updated•12 years ago
Attachment #648486 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Attachment #648486 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Comment 9•12 years ago
Please land this before EOD tomorrow so it can go into Beta 4 and we can have some bake time before final release.
Comment 10 (Assignee)•12 years ago
https://hg.mozilla.org/releases/mozilla-aurora/rev/bac4527ff910
https://hg.mozilla.org/releases/mozilla-beta/rev/0a2004271b21
Updated•12 years ago
Whiteboard: [advisory-tracking+]
Comment 12 (Assignee)•12 years ago
(In reply to Al Billings [:abillings] from comment #11)
> Does this not affect ESR?
I don't think so, but Bobby would know better. Bobby?
Comment 13•12 years ago
Bob implies it is a regression from July.
Comment 14 (Reporter)•12 years ago
I don't test esr, so I can't say from experience whether this affects it or not. It would depend on whether any of the responsible patches have landed there. If this is related to the Flash crash reporting then it is possible that esr is affected as well.
Comment 15•12 years ago
(In reply to Bill McCloskey (:billm) from comment #12)
> I don't think so, but Bobby would know better. Bobby?
This is a regression from bug 771202. I can't mark it because of circularity.
Updated•12 years ago
Whiteboard: [advisory-tracking+] → [advisory-tracking+] regression from bug 771202
Comment 16•12 years ago
If this is a regression from bug 771202, then it shouldn't affect ESR.
Comment 17•12 years ago
I'm not able to reproduce this with the 2012-07-30 Firefox 17.0a1 debug build on Ubuntu 12.04 64-bit with Flash 11.2. Can someone provide some assistance here with the verification, either by doing some testing or by providing me with some guidance so I can reproduce it myself? Priority is getting it verified against Firefox 15. Thanks.
Keywords: verifyme
Whiteboard: [advisory-tracking+] regression from bug 771202 → [advisory-tracking+][qa?] regression from bug 771202
Comment 18 (Reporter)•12 years ago
ashughes, do you have 32-bit Linux available?
Comment 19•12 years ago
(In reply to Bob Clary [:bc:] from comment #18)
> ashughes, do you have 32bit linux available?
I have an Ubuntu 11.10 32-bit VM -- will that work?
Comment 20 (Reporter)•12 years ago
Worth a try.
Comment 21•12 years ago
Thanks Bob. I was able to reproduce this with Firefox 17.0a1 2012-07-30, Ubuntu 11.10 32-bit, and Flash 11.2. I'll now test to verify the fix.
Comment 22•12 years ago
Verified fixed with:
* 2012-08-24 Firefox 17.0a1
* 2012-08-24 Firefox 16.0a2
* 2012-08-24 Firefox 15.0
Status: RESOLVED → VERIFIED
QA Contact: anthony.s.hughes
Whiteboard: [advisory-tracking+][qa?] regression from bug 771202 → [advisory-tracking+] regression from bug 771202
Updated•12 years ago
Group: core-security
Updated•2 years ago
Product: Core → Core Graveyard