Closed
Bug 422009
Opened 16 years ago
Closed 16 years ago
[FIX]"Assertion failure: !cx->throwing" with XBL constructor that throws and syntax error in event handler
Categories
(Core :: DOM: Events, defect)
Tracking
()
RESOLVED
FIXED
People
(Reporter: jruderman, Assigned: bzbarsky)
References
Details
(Keywords: assertion, testcase)
Attachments
(2 files)
|
662 bytes,
application/xhtml+xml
|
Details | |
|
6.71 KB,
patch
|
jst
:
review+
jst
:
superreview+
shaver
:
approval1.9+
|
Details | Diff | Splinter Review |
Loading the testcase triggers: Assertion failure: !cx->throwing, at /Users/jruderman/trunk/mozilla/js/src/jsinterp.c:6275 I think this bug can also trigger: ###!!! ASSERTION: Shouldn't get here when an exception is pending!: '!::JS_IsExceptionPending(cx)', file /Users/jruderman/trunk/mozilla/content/xbl/src/nsXBLProtoImplField.cpp, line 124
|
Assignee | |
Updated•16 years ago
|
Flags: blocking1.9?
|
||
Comment 1•16 years ago
|
||
bz, didn't you just add this assertion?
|
|
Assignee | |
Comment 2•16 years ago
|
||
I added the second one. I didn't add the first one...
|
|
Assignee | |
Comment 3•16 years ago
|
||
We go to compile the event handler. We call JS_CompileUCFunctionForPrincipals. This sets a pending exception (shouldn't it also report it? It's a compile, not runtime, error). Then we return an error to nsEventListenerManager::AddScriptEventListener, which converts NS_ERROR_ILLEGAL_VALUE into NS_SUCCESS_LOSS_OF_UNSIGNIFICANT_DATA (with an NS_WARNING about a likely syntax error, etc). Then we unwind from the SetAttr() call with a success value, back into the JS code that called setAttribute(). That would be the onload handler calling the boom() function. Then later, off an event, we run constructors, and assert at the JS_CallFunctionValue call from the constructor (well, once it gets down into js_Interpret). I'm guessing that nsEventListenerManager::AddScriptEventListener should report the exception, right? And perhaps set aside any existing exception if there is one before trying to compile the listener?
|
||
Comment 4•16 years ago
|
||
SpiderMonkey pre-dates ECMA-262 Edition 3. It used to have only errors, not catchable exceptions. Errors were reported promptly. When exceptions were added, errors became thrown exceptions, catchable by any active JS on the stack. But if an exception reached the oldest active API call as it was about to return, for backward compatibility it was then reported. (OOM is always a promptly reported error, never an exception.) Sounds like there's a setAttr active when the failing JS_Compile* API call is made, so if you don't want that exception propagating to setAttr's caller, then yes: JS_ReportPendingException(cx). /be
|
|
Assignee | |
Comment 5•16 years ago
|
||
Yeah, I don't think we want this exception propagating to the setAttribute() caller.
|
|
||
Comment 6•16 years ago
|
||
Correct. And I don't think we need to worry about setting aside pending exceptions, we shouldn't ever get to nsEventListenerManager::AddScriptEventListener() with a pending exception (we could assert that).
This just seems like "XBL sucks", not something that can cause security issues or break existing stuff (since it's not a regression). So not blocking.
Flags: wanted-next+
Flags: blocking1.9?
Flags: blocking1.9-
|
|
Assignee | |
Comment 8•16 years ago
|
||
You mean "DOM events impl sucks", right? ;)
|
|
Assignee | |
Updated•16 years ago
|
Component: XBL → DOM: Events
QA Contact: xbl → events
|
|
Assignee | |
Updated•16 years ago
|
Summary: "Assertion failure: !cx->throwing" with XBL constructor that throws and syntax error in event handler → [FIX]"Assertion failure: !cx->throwing" with XBL constructor that throws and syntax error in event handler
|
|
Assignee | |
Comment 9•16 years ago
|
||
Assignee: nobody → bzbarsky
Status: NEW → ASSIGNED
Attachment #310421 -
Flags: superreview?(jst)
Attachment #310421 -
Flags: review?(jst)
|
|
||
Updated•16 years ago
|
Attachment #310421 -
Flags: superreview?(jst)
Attachment #310421 -
Flags: superreview+
Attachment #310421 -
Flags: review?(jst)
Attachment #310421 -
Flags: review+
|
|
Assignee | |
Comment 10•16 years ago
|
||
Comment on attachment 310421 [details] [diff] [review] Fix This is a pretty straightforward change to not leave a pending exception just hanging out on the JSContext.
Attachment #310421 -
Flags: approval1.9?
Comment on attachment 310421 [details] [diff] [review] Fix a=shaver
Attachment #310421 -
Flags: approval1.9? → approval1.9+
|
|
Assignee | |
Comment 12•16 years ago
|
||
Checked in, with the crashtest.
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
You need to log in
before you can comment on or make changes to this bug.
Description
•