Bug 674441 - GCZeal trips "Assertion failure: script->ownerObject == owner"
Status: RESOLVED FIXED (opened 13 years ago, closed 13 years ago)
Category: Core :: JavaScript Engine, defect
Target milestone: mozilla8
People: Reporter: jruderman, Assigned: billm
Keywords: assertion, regression, testcase
Whiteboard: [js-triage-done][inbound]
Attachments (2 files):
- 17.97 KB, text/plain
- patch, 966 bytes; dmandelin: review+
Description

Testcase:

<script> fuzzPriv.setGCZeal(2); </script>

Where setGCZeal is implemented in a chrome-privileged js component as:

Services.prefs.setIntPref("javascript.options.gczeal", zeal)

Triggers:

Assertion failure: script->ownerObject == owner, at js/src/jsscript.cpp:323

Which was one of the assertions added in bug 673625.
Updated • 13 years ago
Whiteboard: js-triage-needed
Comment 1 • 13 years ago (Assignee)
Thanks, Jesse. Sadly, this is a false positive. The script owner needs to be set before the script is exposed to the GC. In this case, it's happening too late. I'll get a patch up soon.
Whiteboard: js-triage-needed → js-triage-done
Comment 2 • 13 years ago (Assignee)
The problem is that between attaching the script to the function and setting the script's owner, we could GC and trigger the ownership assertion. This patch just holds off attaching the script to the function until later so that a GC can't happen in the middle.
Comment 3 • 13 years ago (Assignee)
Also, I checked to see if there are other places where setOwnerObject happens too late, and all the other ones look clean.
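The ordering hazard described in comments 1 to 3, as an added example that is not part of this bug or of SpiderMonkey: a toy C model in which a script attached to a function before its owner is recorded is caught by a zeal-style collector that runs the ownership check on every allocation, while the patched ordering (GC-able work first, then owner and attachment back to back) passes. Every name here (Script, Function, gc_verify_owners, fallible_work_that_may_gc, attach_buggy, attach_fixed, run_scenario) and the zeal flag are hypothetical stand-ins for the real engine's structures and for javascript.options.gczeal=2.

```c
/*
 * Added illustration of the ordering hazard described in comments 1-3; this
 * is a toy model written for this page, not SpiderMonkey code. The names
 * Script, Function, gc_verify_owners, attach_buggy and attach_fixed are
 * hypothetical, and "zeal" stands in for javascript.options.gczeal=2
 * (a GC on every allocation).
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

typedef struct Function Function;

typedef struct Script {
    Function *owner;      /* models JSScript::ownerObject; must be set before the
                             script can be seen by the GC */
} Script;

struct Function {
    Script *script;       /* models fun->u.i.script; attaching here makes the
                             script reachable from the root set */
};

/*
 * Toy collector. In zeal mode every "allocation" runs a GC that walks the
 * roots and performs the ownership check behind the assertion
 * "script->ownerObject == owner". It returns false instead of aborting so
 * the outcome can be asserted on.
 */
static bool gc_verify_owners(Function **roots, size_t nroots) {
    for (size_t i = 0; i < nroots; i++) {
        Script *s = roots[i]->script;
        if (s != NULL && s->owner != roots[i])
            return false;      /* this is where the real assertion fires */
    }
    return true;
}

/* Fallible work between creating the script and finishing the function that
 * may allocate, and therefore (with zeal) may run a GC. */
static bool fallible_work_that_may_gc(bool zeal, Function **roots, size_t nroots) {
    return zeal ? gc_verify_owners(roots, nroots) : true;
}

/* Pre-patch shape: the script is attached first, then work that may GC runs,
 * and only afterwards is the owner recorded. A GC in that window sees a
 * reachable script whose owner is still NULL. */
static bool attach_buggy(Function *fun, Script *script, bool zeal,
                         Function **roots, size_t nroots) {
    fun->script = script;                              /* published too early */
    if (!fallible_work_that_may_gc(zeal, roots, nroots))
        return false;                                  /* assertion would trip here */
    script->owner = fun;
    return true;
}

/* Post-patch shape: run the GC-able work first, then set the owner and attach
 * the script back to back, so no collection can observe the half-built state. */
static bool attach_fixed(Function *fun, Script *script, bool zeal,
                         Function **roots, size_t nroots) {
    if (!fallible_work_that_may_gc(zeal, roots, nroots))
        return false;
    script->owner = fun;
    fun->script = script;                              /* attached last, no GC in between */
    return true;
}

/* Builds one function and one script and runs the chosen ordering under the
 * chosen zeal setting; true means no ownership assertion would have fired. */
static bool run_scenario(bool fixed, bool zeal) {
    Function fun = { NULL };
    Script script = { NULL };
    Function *roots[1] = { &fun };
    return fixed ? attach_fixed(&fun, &script, zeal, roots, 1)
                 : attach_buggy(&fun, &script, zeal, roots, 1);
}

int main(void) {
    printf("buggy, no zeal : %s\n", run_scenario(false, false) ? "ok" : "ASSERT");
    printf("buggy, zeal=2  : %s\n", run_scenario(false, true)  ? "ok" : "ASSERT");
    printf("fixed, zeal=2  : %s\n", run_scenario(true, true)   ? "ok" : "ASSERT");
    return 0;
}
```

With zeal off the buggy ordering passes as well, which is why the assertion only surfaced under javascript.options.gczeal: the half-built state is observable to any collection that happens to land in the window, but only a collector that runs on every allocation lands there reliably.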
Comment 4 • 13 years ago
Comment on attachment 548831 [details] [diff] [review] patch

Review of attachment 548831 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/jsfun.cpp
@@ +1598,2 @@
>          return false;
> +    fun->u.i.script = script;

Please add a brief comment explaining why we need this.
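Review bot: the hunk places `fun->u.i.script = script;` after the `return false;` early exit, so on the failure path `fun` is handed back with no script attached; the callers of this path should be checked to confirm they treat such a function as unusable rather than reading `u.i.script`. For the comment dmandelin asks for, state the invariant rather than the mechanism: the script's owner must be recorded before the script becomes reachable from the function, because under gczeal any allocation between the two steps can run a GC that trips the `script->ownerObject == owner` assertion.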
Attachment #548831 - Flags: review?(dmandelin) → review+
Updated • 13 years ago
Group: core-security
Updated • 13 years ago (Assignee)
Whiteboard: js-triage-done → [js-triage-done][inbound]
Comment 5 • 13 years ago
http://hg.mozilla.org/mozilla-central/rev/75cd7345fb19
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla8