"Assertion failure: ((jsval) obj & JSVAL_TAGMASK) == JSVAL_OBJECT" with defineProperty on window (XOW?)

RESOLVED DUPLICATE of bug 561936

Status

Product: Core
Component: JavaScript Engine
Priority: --
Severity: critical

People

(Reporter: Jesse Ruderman, Assigned: mrbkap)

Tracking

(Blocks: 1 bug, {crash, testcase})

Version: Trunk
Platform: x86
OS: Mac OS X
Keywords: crash, testcase
Bug Flags: in-testsuite -

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:dupe 561936][critsmash:resolved])

Attachments

(1 attachment)

Description (Reporter)

Created attachment 440980
testcase (crashes Firefox when loaded or soon after)

Debug:
Assertion failure: ((jsval) obj & JSVAL_TAGMASK) == JSVAL_OBJECT, at /Users/jruderman/central/js/src/jsapi.h:204

Opt:
Crash during GC.
#1  0x00007ffff5255dd6 in JS_Assert (s=0x7ffff53096d0 "((jsval) obj & JSVAL_TAGMASK) == JSVAL_OBJECT", file=
    0x7ffff5309658 "/home/jwalden/moz/js-tm/js/src/jsapi.h", ln=204) at /home/jwalden/moz/js-tm/js/src/jsutil.cpp:78
#2  0x00007ffff510f0c7 in OBJECT_TO_JSVAL (obj=0x7ffff5c5280b) at /home/jwalden/moz/js-tm/js/src/jsapi.h:204
#3  0x00007ffff512c8b2 in js_CastAsObjectJSVal (op=0x7ffff5c5280b <XPC_WN_Helper_SetProperty(JSContext*, JSObject*, jsval, jsval*)>)
    at /home/jwalden/moz/js-tm/js/src/jsscope.h:587
#4  0x00007ffff51d4347 in JSScopeProperty::setterValue (this=0x7fffffffaf90) at /home/jwalden/moz/js-tm/js/src/jsscope.h:742
#5  0x00007ffff5212483 in JSScopeProperty::JSScopeProperty (this=0x7fffffffaf90, id=140737309688708, getter=0x7fffe18cf900, setter=
    0x7ffff5c5280b <XPC_WN_Helper_SetProperty(JSContext*, JSObject*, jsval, jsval*)>, slot=4294967295, attrs=118, flags=0, shortid=0)
    at /home/jwalden/moz/js-tm/js/src/jsscope.h:679
#6  0x00007ffff5230248 in JSScope::addPropertyHelper (this=0x7fffe40bf6e0, cx=0x7fffe27a4800, id=140737309688708, getter=0x7fffe18cf900, setter=
    0x7ffff5c5280b <XPC_WN_Helper_SetProperty(JSContext*, JSObject*, jsval, jsval*)>, slot=4294967295, attrs=118, flags=0, shortid=0, spp=0x7fffdd90a318)
    at /home/jwalden/moz/js-tm/js/src/jsscope.cpp:825
#7  0x00007ffff523053f in JSScope::putProperty (this=0x7fffe40bf6e0, cx=0x7fffe27a4800, id=140737309688708, getter=0x7fffe18cf900, setter=
    0x7ffff5c5280b <XPC_WN_Helper_SetProperty(JSContext*, JSObject*, jsval, jsval*)>, slot=4294967295, attrs=118, flags=0, shortid=0)
    at /home/jwalden/moz/js-tm/js/src/jsscope.cpp:885
#8  0x00007ffff51cbe9b in js_DefineNativeProperty (cx=0x7fffe27a4800, obj=0x7fffe71e6e80, id=140737309688708, value=22, getter=0x7fffe18cf900, setter=
    0x7ffff5c5280b <XPC_WN_Helper_SetProperty(JSContext*, JSObject*, jsval, jsval*)>, attrs=118, flags=0, shortid=0, propp=0x0, defineHow=0)
    at /home/jwalden/moz/js-tm/js/src/jsobj.cpp:4282
#9  0x00007ffff51cb8f5 in js_DefineProperty (cx=0x7fffe27a4800, obj=0x7fffe71e6e80, id=140737309688708, value=22, getter=0x7fffe18cf900, setter=0, attrs=118)
    at /home/jwalden/moz/js-tm/js/src/jsobj.cpp:4146
#10 0x00007ffff512acf8 in JSObject::defineProperty (this=0x7fffe71e6e80, cx=0x7fffe27a4800, id=140737309688708, value=22, getter=0x7fffe18cf900, setter=0, attrs=
    118) at /home/jwalden/moz/js-tm/js/src/jsobj.h:543
#11 0x00007ffff51214ee in DefinePropertyById (cx=0x7fffe27a4800, obj=0x7fffe71e6e80, id=140737309688708, value=22, getter=0x7fffe18cf900, setter=0, attrs=118, 
    flags=0, tinyid=0) at /home/jwalden/moz/js-tm/js/src/jsapi.cpp:2850
#12 0x00007ffff5121c21 in JS_DefinePropertyById (cx=0x7fffe27a4800, obj=0x7fffe71e6e80, id=140737309688708, value=22, getter=0x7fffe18cf900, setter=0, attrs=118)
    at /home/jwalden/moz/js-tm/js/src/jsapi.cpp:2967
#13 0x00007ffff5c6a8d5 in XPCWrapper::AddProperty (cx=0x7fffe27a4800, wrapperObj=0x7fffe18cf880, wantGetterSetter=1, innerObj=0x7fffe71e6e80, id=140737309688708, 
    vp=0x7fffffffb630) at /home/jwalden/moz/js-tm/js/src/xpconnect/src/XPCWrapper.cpp:433
#14 0x00007ffff5c635a8 in XPC_XOW_AddProperty (cx=0x7fffe27a4800, obj=0x7fffe18cf880, id=140737309688708, vp=0x7fffffffb630)
    at /home/jwalden/moz/js-tm/js/src/xpconnect/src/XPCCrossOriginWrapper.cpp:625
#15 0x00007ffff51cb98b in AddPropertyHelper (cx=0x7fffe27a4800, clasp=0x7ffff7f7ed20, obj=0x7fffe18cf880, scope=0x7fffdd915080, sprop=0x7fffdd90c9b0, vp=
    0x7fffffffb630) at /home/jwalden/moz/js-tm/js/src/jsobj.cpp:4162
#16 0x00007ffff51cbf0d in js_DefineNativeProperty (cx=0x7fffe27a4800, obj=0x7fffe18cf880, id=140737309688708, value=22, getter=0x7fffe18cf900, setter=
    0x7ffff5120688 <JS_PropertyStub(JSContext*, JSObject*, jsval, jsval*)>, attrs=118, flags=0, shortid=0, propp=0x0, defineHow=0)
    at /home/jwalden/moz/js-tm/js/src/jsobj.cpp:4292
#17 0x00007ffff51cb8f5 in js_DefineProperty (cx=0x7fffe27a4800, obj=0x7fffe18cf880, id=140737309688708, value=22, getter=0x7fffe18cf900, setter=
    0x7ffff5120688 <JS_PropertyStub(JSContext*, JSObject*, jsval, jsval*)>, attrs=118) at /home/jwalden/moz/js-tm/js/src/jsobj.cpp:4146
#18 0x00007ffff51c61b0 in DefinePropertyObject (cx=0x7fffe27a4800, obj=0x7fffe18cf880, desc=..., throwError=true, rval=0x7fffffffb917)
    at /home/jwalden/moz/js-tm/js/src/jsobj.cpp:2226
#19 0x00007ffff51c7063 in DefineProperty (cx=0x7fffe27a4800, obj=0x7fffe18cf880, desc=..., throwError=true, rval=0x7fffffffb917)
    at /home/jwalden/moz/js-tm/js/src/jsobj.cpp:2509

Updated

Whiteboard: [sg:critical?] → [sg:critical?][critsmash:investigating]
Blake, can you have a look here? We need to know whether this is a bug in the wrapper code, or whether this is a bug in define property, in which case we can reassign to waldo or someone else in the JS engine team...
Assignee: general → mrbkap
Could be related to bug 561936.
(Assignee)

Comment 4

This is a dupe of bug 561936. This is fallout from Waldo's defineProperty work, so I'll dupe that way to let him sort things out.
Status: NEW → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 561936
Whiteboard: [sg:critical?][critsmash:investigating] → [sg:dupe 561936][critsmash:investigating]

Updated

Whiteboard: [sg:dupe 561936][critsmash:investigating] → [sg:dupe 561936][critsmash:resolved]
Group: core-security
A testcase for this bug was already added in the original bug (bug 560796).
Flags: in-testsuite-