Closed Bug 825380 Opened 7 years ago Closed 7 years ago

With Ghostery, closing a print-preview of a bugzilla bug-page triggers crash in js::CompartmentChecker::fail

Categories

(Core :: JavaScript Engine, defect, critical)

All
Linux
defect
Not set
critical

Tracking

()

RESOLVED DUPLICATE of bug 821842

People

(Reporter: dholbert, Assigned: mccr8)

Details

(Keywords: crash)

Crash Data

This bug was filed from the Socorro interface and is 
report bp-b3173be6-e90e-4956-b94c-3953c2121229 .
============================================================= 

STR:
 1. Install Ghostery from https://addons.mozilla.org/en-us/firefox/addon/ghostery/
   (Restart Firefox to complete the install)
 2. Click "Skip wizard" on the ghostery config page
 3. Log in to https://www.bugzilla.mozilla.org/
 4. Visit e.g. bug 700000
 4. File | Print-preview
   (on Linux or Windows; the Mac print-to-PDF preview probably doesn't trigger this)
 5. Click "Close" button (or press Alt+C) to close print-preview

ACTUAL RESULTS: Crash @ js::CompartmentChecker::fail

This reproduces for me 100% of the time, in linux nightly, w/ fresh profile & the STR applied.

Crash reports:
bp-b3173be6-e90e-4956-b94c-3953c2121229
bp-7b2ce47c-1723-4d5b-9268-544ec2121229
bp-890cd31b-5e77-44be-86ce-13fdc2121229
bp-abc5f154-87fb-4e49-9a73-ae59b2121229
bp-45eb5760-c4b1-4c7c-8b87-54d1f2121229
bp-5edd4e74-481d-4e92-92e8-172cf2121229
bp-2a4fbe68-7a8a-4ecf-be98-0947a2121229

NOTE: Bug 821733 is filed to cover this crash-signature, but it has no STR and it seems possible bugs that crash with this same signature -- so I'm filing this as a helper-bug, blocking bug 821733. 
This
Build ID: Mozilla/5.0 (X11; Linux x86_64; rv:20.0) Gecko/20121228 Firefox/20.0
{
Last good nightly: 2012-11-27
First bad nightly: 2012-11-28

Pushlog:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=597915b66059&tochange=3c3a8eed0578
}

There are a number of compartment-related changes in that range. Bug 790338's commits look most likely to be related, at first glance.
Sounds similar to the other print preview bug Olli was looking at.
Group: core-security
Actually, a debug build from the first cset in that range -- 597915b66059 -- aborts (with a compartment-mismatch assertion message) when I _open_ print-preview of that bugzilla page. So there's something that broke before the range in comment 2, but it's only visible in debug builds.
That sounds a little similar to bug 817342, which involves a different extension, Redirector.
The stack here looks a lot like the one in bug 821842.
Depends on: 821842
I filed bug 825401 on the debug-build abort -- it's got a much earlier regression range than either this bug or bug 821842 (it regressed back in May).

This bug here, though, is very likely related to bug 821842, per comment 6 -- their regression ranges match.  (technically bug 821842's very-narrow range is a subset of this bug's range, since I only narrowed it to a 1-day window in comment 2).
It's all the same bug.  All that changed is that recently we turned on fatal compartment mismatch checks in opt builds.
Assignee: general → continuation
This one, unlike the debug one, is fixed by my patch in bug 821842. I have no idea why a debug and non-debug build hit different release-mode asserts.
Marking this as a dupe of bug 821842. Thanks for the test case, it was very useful.
No longer blocks: compartment-mismatch
Status: NEW → RESOLVED
Closed: 7 years ago
No longer depends on: 821842
Resolution: --- → DUPLICATE
Duplicate of bug: 821842
Group: core-security
You need to log in before you can comment on or make changes to this bug.