Compartment mismatch in mozilla::dom::URLBinding::revokeObjectURL

RESOLVED DUPLICATE of bug 821760

Status

()

Core
DOM
RESOLVED DUPLICATE of bug 821760
5 years ago
3 years ago

People

(Reporter: mccr8, Unassigned)

Tracking

(Blocks: 1 bug)

unspecified
Points:
---

Firefox Tracking Flags

(firefox18 unaffected, firefox19 affected, firefox20 affected, firefox21 affected)

Details

(Reporter)

Description

5 years ago
I see three crash stacks like this:

0 js::CompartmentChecker::fail 	js/src/jscntxtinlines.h:204
1 JS_GetGlobalForObject 	js/src/jsapi.cpp:2233
2 mozilla::dom::URLBinding::revokeObjectURL 	obj-firefox/dom/bindings/URLBinding.cpp:268
3 js::InvokeKernel 	js/src/jsinterp.cpp:389
4 js::Interpret 	js/src/jsinterp.cpp:2348
5 js::RunScript 	

I'm not sure exactly what is calling JS_GetGlobalForObject, as the line numbers don't seem to match what I have locally.

https://crash-stats.mozilla.com/report/index/896e519b-6b03-424b-be5a-156902130107
https://crash-stats.mozilla.com/report/index/7a896715-fdf0-452a-8682-a95362130102
https://crash-stats.mozilla.com/report/index/bdb83485-e593-44bb-9577-555762130102

URL was converted to the new DOM bindings in bug 792675, which is in 19. Speculatively marking 19 and later as affected.
The build ID for those three crashes is "20121214030827".

Bug 821760 landed on m-c on 2012-12-15.  So as far as I can tell, this is a duplicate of that bug.
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 821760
Group: core-security
You need to log in before you can comment on or make changes to this bug.