Status

()

Core
JavaScript: GC
P3
normal
27 days ago
14 days ago

People

(Reporter: sfink, Unassigned)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

27 days ago
In attempting to reproduce a nursery string failure, I instead caught a gray assertion failure. But I'm not sure what to do with it; it seems benign.

It's in nsGlobalWindowOuter::SetNewDocument where we are transplanting wrappers. It specifically maintains the color [1], but then while transplanting enters the compartment of the original object [2]. If that original object was gray, that will trigger an assertion failure.

Note that this is a HandleObject at this point, which means that [1] is putting a gray object into a Rooted. Which actually kind of seems like the right thing here; we probably want to keep it gray if it's gray, but we also don't want it getting cycle collected while we're transplanting.

Probably the answer here is obvious to Jon, so I'll defer to him.

[1] https://searchfox.org/mozilla-central/source/dom/base/nsGlobalWindowOuter.cpp#1905

[2] https://searchfox.org/mozilla-central/source/js/src/jsapi.cpp#935
(Reporter)

Comment 1

27 days ago
Note that my command that triggered this was:

JS_GC_ZEAL=2,300 DISPLAY=localhost:3 rr record --chaos ./mach firefox-ui-functional --headless

(localhost:3 is a vncserver display, though it probably isn't necessary since I'm running headless anyway.)
We have AutoCompartmentUnchecked which is used elsewhere when remapping wrappers.  This setup does sound like it's OK so we could use that to enter the compartment instead.

Having said that, the fact that the assert doesn't happen during testing indicates that it's pretty rare for obj to be gray here.  We could just expose it anyway and that would be safe.
Priority: -- → P3
You need to log in before you can comment on or make changes to this bug.