Closed Bug 825380 Opened 12 years ago Closed 12 years ago

With Ghostery, closing a print-preview of a bugzilla bug-page triggers crash in js::CompartmentChecker::fail

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
All
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED DUPLICATE of bug 821842

People

(Reporter: dholbert, Assigned: mccr8)

Details

(Keywords: crash)

Crash Data

This bug was filed from the Socorro interface and is report bp-b3173be6-e90e-4956-b94c-3953c2121229 . ============================================================= STR: 1. Install Ghostery from https://addons.mozilla.org/en-us/firefox/addon/ghostery/ (Restart Firefox to complete the install) 2. Click "Skip wizard" on the ghostery config page 3. Log in to https://www.bugzilla.mozilla.org/ 4. Visit e.g. bug 700000 4. File | Print-preview (on Linux or Windows; the Mac print-to-PDF preview probably doesn't trigger this) 5. Click "Close" button (or press Alt+C) to close print-preview ACTUAL RESULTS: Crash @ js::CompartmentChecker::fail This reproduces for me 100% of the time, in linux nightly, w/ fresh profile & the STR applied. Crash reports: bp-b3173be6-e90e-4956-b94c-3953c2121229 bp-7b2ce47c-1723-4d5b-9268-544ec2121229 bp-890cd31b-5e77-44be-86ce-13fdc2121229 bp-abc5f154-87fb-4e49-9a73-ae59b2121229 bp-45eb5760-c4b1-4c7c-8b87-54d1f2121229 bp-5edd4e74-481d-4e92-92e8-172cf2121229 bp-2a4fbe68-7a8a-4ecf-be98-0947a2121229 NOTE: Bug 821733 is filed to cover this crash-signature, but it has no STR and it seems possible bugs that crash with this same signature -- so I'm filing this as a helper-bug, blocking bug 821733. This
Build ID: Mozilla/5.0 (X11; Linux x86_64; rv:20.0) Gecko/20121228 Firefox/20.0
{ Last good nightly: 2012-11-27 First bad nightly: 2012-11-28 Pushlog: http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=597915b66059&tochange=3c3a8eed0578 } There are a number of compartment-related changes in that range. Bug 790338's commits look most likely to be related, at first glance.
Sounds similar to the other print preview bug Olli was looking at.
Group: core-security
Actually, a debug build from the first cset in that range -- 597915b66059 -- aborts (with a compartment-mismatch assertion message) when I _open_ print-preview of that bugzilla page. So there's something that broke before the range in comment 2, but it's only visible in debug builds.
That sounds a little similar to bug 817342, which involves a different extension, Redirector.
The stack here looks a lot like the one in bug 821842.
Depends on: 821842
I filed bug 825401 on the debug-build abort -- it's got a much earlier regression range than either this bug or bug 821842 (it regressed back in May). This bug here, though, is very likely related to bug 821842, per comment 6 -- their regression ranges match. (technically bug 821842's very-narrow range is a subset of this bug's range, since I only narrowed it to a 1-day window in comment 2).
It's all the same bug. All that changed is that recently we turned on fatal compartment mismatch checks in opt builds.
Assignee: general → continuation
This one, unlike the debug one, is fixed by my patch in bug 821842. I have no idea why a debug and non-debug build hit different release-mode asserts.
Marking this as a dupe of bug 821842. Thanks for the test case, it was very useful.
No longer blocks: compartment-mismatch
Status: NEW → RESOLVED
Closed: 12 years ago
No longer depends on: 821842
Resolution: --- → DUPLICATE
Group: core-security
You need to log in before you can comment on or make changes to this bug.