441361 - Split objects in the shell don't work

Status: RESOLVED FIXED

(Core :: JavaScript Engine, defect)

Description

[Blake Kaplan (:mrbkap) (inactive)]

Currently, we assert: Assertion failure: !JS_GetParent(cx, obj), at js.cpp:2339.

This is due to bug 418515 -- before that bug, calling JS_NewObject with a null parent and an object that was not going to share its scope with its prototype would return an object with a null parent. This is no longer the case.

Fixing that is easy, but then we crash:
Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x0000000c
0x0006419f in js_Execute

The reason was missing error checking in ProcessArgs. That fixes the crash, but now we cannot initialize the inner object because the outer object has no concept of "freezing" and happily returns NULL for its inner when asked.

I'll finish patching tomorrow.

Comment 1

[Blake Kaplan (:mrbkap) (inactive)]

Attachment: Fix the rest of the issues I found

This fixes the innerObject thing.

I also noticed (when playing with this.__count__ in the shell) that the class was missing JSCLASS_NEW_ENUMERATE, which caused exciting memory corruption and crashing on shutdown.

Comment 2

[Blake Kaplan (:mrbkap) (inactive)]

Fix pushed as changeset 44c589bd2a7b.

Comment 3

[Mike Schroepfer]

Do we need this on branch Blake?

Comment 4

[Brian Crowder]

This is a helpful debug utility in the js shell, and doesn't affect the browser at all.  Totally NPOTB, so probably not necessary for branch.

Comment 5

[Bob Clary [:bc] (inactive)]

mrbkap: a little help on how to test?

Comment 6

[Blake Kaplan (:mrbkap) (inactive)]

Bob, if the testsuite can pass -z to the shell, then just starting 'js -z' will verify this bug. It might be interesting to run the whole testsuite against -z, but keep in mind that there very well might be bugs in -z, not in the engine.

Comment 7

[Bob Clary [:bc] (inactive)]

Ok. I can easily add -z. I'll run the full suite later today and run the results by you.