Closed Bug 1322539 Opened 8 years ago Closed 8 years ago

Sort our the gray invariant situation with Xrays

Categories

(Core :: XPConnect, defect)

Product:
Core
Component:
XPConnect
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla55
Tracking Flags:
Tracking Status
firefox52 --- wontfix
firefox53 --- wontfix
firefox54 --- wontfix
firefox55 --- fixed

People

(Reporter: bzbarsky, Assigned: jonco)

References

Details

Attachments

(1 file)

bug1322539-expose-xray-target
1.25 KB, patch
sfink
: review+
Details | Diff | Splinter Review
I just had a test run fail like so: Assertion failure: !JS::ObjectIsMarkedGray(target), at /home/worker/workspace/build/src/js/src/jsapi.cpp:725 with a stack like this: 0 libxul.so!JSAutoCompartment::JSAutoCompartment [jsapi.cpp:3c4efe4d91d0 : 725 + 0x0] 1 libxul.so!xpc::XrayTraits::getExpandoObjectInternal [XrayWrapper.cpp:3c4efe4d91d0 : 1076 + 0xf] 2 libxul.so!xpc::XrayTraits::resolveOwnProperty [XrayWrapper.cpp:3c4efe4d91d0 : 1452 + 0x5] 3 libxul.so!xpc::DOMXrayTraits::resolveOwnProperty [XrayWrapper.cpp:3c4efe4d91d0 : 1627 + 0x6] 4 libxul.so!xpc::XrayWrapper<js::CrossCompartmentWrapper, xpc::DOMXrayTraits>::getOwnPropertyDescriptor [XrayWrapper.cpp:3c4efe4d91d0 : 2040 + 0x22] The problem, of course, is that XrayTraits::resolveOwnProperty does this: RootedObject target(cx, getTargetObject(wrapper)); if (!getExpandoObject(cx, target, wrapper, &expando)) where getExpandoObject then passes through "target" to getExpandoObjectInternal, which does: JSAutoCompartment ac(cx, target); what getTargetObject does is: return js::UncheckedUnwrap(wrapper, /* stopAtWindowProxy = */ false); OK, so as far as I can tell we could come into this code with "wrapper" white and "target" gray, if we have just started a compartment GC in the compartment of "wrapper". And then this assertion failure would happen, right? Note that we had a similar thing going on with Wrapper::wrappedObject and we made it always expose to active JS in bug 1298773, right? Isn't this situation basically the same?
Flags: needinfo?(jcoppeard)
Assignee: nobody → jcoppeard
Blocks: 1317672
This signature appears to be hitting a lot on Fx52 since the uplift to Beta. https://treeherder.mozilla.org/logviewer.html#?job_id=71802784&repo=mozilla-beta
status-firefox52: --- → affected
status-firefox54: --- → affected
Status update: I'm working on these gray marking assertion failures but don't have a fix yet. Please see the bugs I've filed under bug 1317672.
I experimented with making js::UncheckedUnwrap also call ExposeObjectToActiveJS, but it turns out that's called internally in a bunch of places where we can't do that (e.g. during GC). Rather than add another variant of unwrap, just add the expose call at this site.
Flags: needinfo?(jcoppeard)
Attachment #8852084 - Flags: review?(sphink)
Attachment #8852084 - Flags: review?(sphink) → review+
Pushed by jcoppeard@mozilla.com: https://hg.mozilla.org/integration/mozilla-inbound/rev/6bea50011ab6 Call ExposeObjectToActiveJS on the targets of xray wrappers r=sfink
https://hg.mozilla.org/mozilla-central/rev/6bea50011ab6
Status: NEW → RESOLVED
Closed: 8 years ago
status-firefox55: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla55
Mark 54 won't fix as this is late for Beta54.
status-firefox54: affectedwontfix
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: