674441 - GCZeal trips "Assertion failure: script->ownerObject == owner"

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Jesse Ruderman]

Attachment: stack trace

Testcase:
  <script> fuzzPriv.setGCZeal(2); </script>
Where setGCZeal is implemented in a chrome-privileged js component as:
  Services.prefs.setIntPref("javascript.options.gczeal", zeal)

Triggers:
  Assertion failure: script->ownerObject == owner, at js/src/jsscript.cpp:323

Which was one of the assertions added in bug 673625.

Comment 1

[Bill McCloskey [inactive unless it's an emergency] (:billm)]

Thanks, Jesse. Sadly, this is a false positive. The script owner needs to be set before the script is exposed to the GC. In this case, it's happening too late. I'll get a patch up soon.

Comment 2

[Bill McCloskey [inactive unless it's an emergency] (:billm)]

Attachment: patch

The problem is that between attaching the script to the function and setting the script's owner, we could GC and trigger the ownership assertion. This patch just holds off attaching the script to the function until later so that a GC can't happen in the middle.

Comment 3

[Bill McCloskey [inactive unless it's an emergency] (:billm)]

Also, I checked to see if there are other places where setOwnerObject happens too late, and all the other ones look clean.

Comment 4

[David Mandelin [:dmandelin]]

Comment on attachment 548831 [details] [diff] [review]
patch

Review of attachment 548831 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/jsfun.cpp
@@ +1598,2 @@
>          return false;
> +    fun->u.i.script = script;

Please add a brief comment explaining why we need this.

Comment 5

[Marco Bonardo [:mak]]

http://hg.mozilla.org/mozilla-central/rev/75cd7345fb19