1864246 - Hit MOZ_CRASH(Invalid object. Dead wrapper?) at js/src/vm/JSObject.h:649

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect, P1)

Description

[anbu]

Steps to reproduce:

Build options:

/bin/sh ../../gecko-dev/js/src/configure --enable-debug --disable-optimize --disable-shared-js --disable-tests

Test case:

this.evalStencil(this);

gc();

Actual results:

Error message:

Hit MOZ_CRASH(Invalid object. Dead wrapper?) at /media/Store/JS-engines/SpiderMonkey/gecko-dev/js/src/vm/JSObject.h:649

Stack backtrace

JSObject::maybeUnwrapAs<js::StencilObject>(JSObject * this) (gecko-dev/js/src/vm/JSObject.h:649)

EvalStencil(JSContext * cx, uint32_t argc, JS::Value * vp) (gecko-dev/js/src/builtin/TestingFunctions.cpp:7174)

CallJSNative(JSContext * cx, js::Native native, js::CallReason reason, const JS::CallArgs & args) (gecko-dev/js/src/vm/Interpreter.cpp:472)

js::InternalCallOrConstruct(JSContext * cx, const JS::CallArgs & args, js::MaybeConstruct construct, js::CallReason reason) (gecko-dev/js/src/vm/Interpreter.cpp:566)

InternalCall(JSContext * cx, const js::AnyInvokeArgs & args, js::CallReason reason) (gecko-dev/js/src/vm/Interpreter.cpp:633)

js::CallFromStack(JSContext * cx, const JS::CallArgs & args, js::CallReason reason) (gecko-dev/js/src/vm/Interpreter.cpp:638)

js::Interpret(JSContext * cx, js::RunState & state) (gecko-dev/js/src/vm/Interpreter.cpp:3053)

MaybeEnterInterpreterTrampoline(JSContext * cx, js::RunState & state) (gecko-dev/js/src/vm/Interpreter.cpp:386)

js::RunScript(JSContext * cx, js::RunState & state) (gecko-dev/js/src/vm/Interpreter.cpp:444)

js::ExecuteKernel(JSContext * cx, JS::HandleScript script, JS::HandleObject envChainArg, js::AbstractFramePtr evalInFrame, JS::MutableHandleValue result) (gecko-dev/js/src/vm/Interpreter.cpp:831)

js::Execute(JSContext * cx, JS::HandleScript script, JS::HandleObject envChain, JS::MutableHandleValue rval) (gecko-dev/js/src/vm/Interpreter.cpp:863)

ExecuteScript(JSContext * cx, JS::HandleObject envChain, JS::HandleScript script, JS::MutableHandleValue rval) (gecko-dev/js/src/vm/CompilationAndEvaluation.cpp:494)

JS_ExecuteScript(JSContext * cx, JS::HandleScript scriptArg) (gecko-dev/js/src/vm/CompilationAndEvaluation.cpp:518)

RunFile(JSContext * cx, const char * filename, FILE * file, CompileUtf8 compileMethod, bool compileOnly, bool fullParse) (gecko-dev/js/src/shell/js.cpp:1218)

Process(JSContext * cx, const char * filename, bool forceTTY, FileKind kind) (gecko-dev/js/src/shell/js.cpp:1798)

ProcessArgs(JSContext * cx, js::cli::OptionParser * op) (gecko-dev/js/src/shell/js.cpp:10873)

Shell(JSContext * cx, js::cli::OptionParser * op) (gecko-dev/js/src/shell/js.cpp:11135)

main(int argc, char ** argv) (gecko-dev/js/src/shell/js.cpp:11539)

Comment 1

[anbu]

This is a regression bug. SpiderMonkey of version commit:c9ada7 is not affected.

Comment 2

[Jan de Mooij [:jandem]]

Yes this is a regression from bug 1841118. It should probably use maybeUnwrapIf instead of maybeUnwrapAs. The "maybe" in the latter is a bit misleading.

Comment 3

[BugBot [:suhaib / :marco/ :calixte]]

Set release status flags based on info from the regressing bug 1841118

Comment 5

[Matthew Gaudet (he/him) [:mgaudet]]

Attachment: Bug 1864246 - Use correct conditional unwrapping r?jandem

Comment 6

[Matthew Gaudet (he/him) [:mgaudet]]

Definitely misleading! Oops. Patch up.

Comment 7

[Pulsebot]

Pushed by mgaudet@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/6c43fa04fffd
Use correct conditional unwrapping r=jandem

Comment 8

[Cristian Tuns]

https://hg.mozilla.org/mozilla-central/rev/6c43fa04fffd