Closed Bug 758846 Opened 12 years ago Closed 12 years ago

"Assertion failure: p.found()" with gczeal and chrome-content interaction

Categories

(Core :: JavaScript Engine, defect)

x86_64
macOS
defect
Not set
critical


RESOLVED FIXED
mozilla16

People

(Reporter: jruderman, Assigned: billm)

Details

(Keywords: assertion, testcase, Whiteboard: [js:p1:fx16])

Attachments

(3 files)

1. Install https://www.squarefree.com/extensions/domFuzzLite3.xpi (version 2012-05-25 or higher)

2. Load the testcase.

Result:

Assertion failure: p.found(), at js/src/jsproxy.cpp:1474
Attached file stack trace
Assignee: general → wmccloskey
fwiw, I hit this on nightly winxp once at http://www.podnapisi.net/en/ppodnapisi/podnapis/i/1691083/showRelease/1/showYear/0/shortFormat/0/translateTitle/1 but it is not reproducible.
pseudo stack:
proxy_TraceObject
js::GCMarker::processMarkStackTop(js::SliceBudget&)
js::GCMarker::drainMarkStack(js::SliceBudget&)
NonIncrementalMark
GCCycle
Attached patch fix
The assertion is saying that every cross-compartment wrapper should be registered in the wrapper map. This invariant is temporarily violated when creating the wrapper. We can GC during the period when it's violated.

I don't think this is a problem. The object being wrapped should always be on the stack during the violation, so any GC at that time is guaranteed to scan the wrapped object. That's all we really care about, so I think we're safe.

This patch just keeps a count of how many invocations of JSCompartment::wrap are on the stack. If this number is non-zero, then we don't do the assertion.
Attachment #633277 - Flags: review?(luke)
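The pattern the comment above describes, as an added illustration that is not the SpiderMonkey patch or any code from this bug: a compartment keeps a map from wrapped objects to their wrappers, a wrap() call briefly creates a wrapper before registering it, and a GC-time trace check asserts that every wrapper is in the map unless a wrap() is currently on the stack. All names here (Compartment, WrapDepthGuard, traceAllWrappers, corruptMapFor) are invented for the example; the real assertion in jsproxy.cpp is modelled as a bool return so the behaviour can be observed.

```cpp
#include <cstdio>
#include <memory>
#include <unordered_map>
#include <vector>

// Hypothetical stand-ins for an object in another compartment and its wrapper.
struct Object { int id; };
struct Wrapper { Object* wrapped; };

// Hypothetical compartment: owns the wrapper map plus a counter of how many
// wrap() invocations are on the stack, mirroring the idea in the patch.
class Compartment {
public:
    // RAII guard: increments the depth on entry to wrap(), decrements on exit.
    struct WrapDepthGuard {
        explicit WrapDepthGuard(Compartment& c) : c_(c) { ++c_.wrapDepth_; }
        ~WrapDepthGuard() { --c_.wrapDepth_; }
        Compartment& c_;
    };

    // Create (or reuse) the wrapper for obj. gcDuringWrap simulates a GC that
    // lands inside the window where the wrapper exists but is not yet mapped.
    Wrapper* wrap(Object* obj, bool gcDuringWrap) {
        auto it = wrapperMap_.find(obj);
        if (it != wrapperMap_.end()) return it->second;
        WrapDepthGuard guard(*this);
        wrappers_.push_back(std::unique_ptr<Wrapper>(new Wrapper{obj}));
        Wrapper* w = wrappers_.back().get();
        // Invariant temporarily violated here: w is live but not in the map.
        if (gcDuringWrap) lastGcOk_ = traceAllWrappers();
        wrapperMap_[obj] = w;
        return w;
    }

    // Models proxy tracing during GC: every wrapper must be registered.
    // Returns false if the (relaxed) invariant check fails for any wrapper.
    bool traceAllWrappers() const {
        for (const auto& w : wrappers_)
            if (!wrapperRegistered(w.get())) return false;
        return true;
    }

    // The relaxed check: found in the map, or a wrap() is in progress.
    bool wrapperRegistered(const Wrapper* w) const {
        auto it = wrapperMap_.find(w->wrapped);
        bool found = it != wrapperMap_.end() && it->second == w;
        return found || wrapDepth_ > 0;
    }

    // Drop a map entry without destroying the wrapper: a real invariant breach.
    void corruptMapFor(Object* obj) { wrapperMap_.erase(obj); }

    bool lastGcOk() const { return lastGcOk_; }
    int wrapDepth() const { return wrapDepth_; }

private:
    std::unordered_map<Object*, Wrapper*> wrapperMap_;
    std::vector<std::unique_ptr<Wrapper>> wrappers_;
    int wrapDepth_ = 0;
    bool lastGcOk_ = true;
};

// Scenario 1: GC during wrap() is tolerated, and the depth returns to zero.
bool gcDuringWrapPasses() {
    Compartment c; Object o{1};
    c.wrap(&o, true);
    return c.lastGcOk() && c.wrapDepth() == 0;
}

// Scenario 2: GC after wrap() completes sees a fully registered wrapper.
bool gcAfterWrapPasses() {
    Compartment c; Object o{2};
    c.wrap(&o, false);
    return c.traceAllWrappers();
}

// Scenario 3: a missing map entry with no wrap() on the stack is still caught.
bool missingEntryOutsideWrapDetected() {
    Compartment c; Object o{3};
    Wrapper* w = c.wrap(&o, false);
    c.corruptMapFor(&o);
    return !c.wrapperRegistered(w) && !c.traceAllWrappers();
}

int main() {
    std::printf("gc during wrap ok: %d\n", gcDuringWrapPasses());
    std::printf("gc after wrap ok:  %d\n", gcAfterWrapPasses());
    std::printf("real breach caught: %d\n", missingEntryOutsideWrapDetected());
    return 0;
}
```

Scenario 3 is the reason the counter is scoped to the duration of wrap() rather than simply disabling the check: once the call returns, a wrapper that is genuinely absent from the map is still reported.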
Attachment #633277 - Flags: review?(luke) → review+
Whiteboard: [js:p1:fx16]
https://hg.mozilla.org/integration/mozilla-inbound/rev/57054d8b1582

Also, this is not sensitive.
Group: core-security
Target Milestone: --- → mozilla16
https://hg.mozilla.org/mozilla-central/rev/57054d8b1582
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED