Closed Bug 574262 Opened 14 years ago Closed 14 years ago

Crash [@ JSCompartment::wrap] or "Assertion failure: non-global object at end of scope chain,"

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED DUPLICATE of bug 574539

People

(Reporter: gkw, Assigned: gal)

References

Details

(Keywords: assertion, regression, testcase)

Attachments

(1 file, 1 obsolete file)

patch
4.13 KB, patch
Details | Diff | Splinter Review 
for each(y in (evalcx(''))) {}

asserts js debug shell without -j on TM tip at Assertion failure: non-global object at end of scope chain, at ../jsobj.cpp:6290

(gdb) bt
#0  0x001508d9 in JS_Assert (s=0x1ed1d0 "non-global object at end of scope chain", file=0x1ed1c0 "../jsobj.cpp", ln=6290) at ../jsutil.cpp:77
#1  0x000bd7a4 in JSObject::getCompartment (this=0x1002620, cx=0x809200) at ../jsobj.cpp:6290
#2  0x00151a32 in JSCompartment::wrap (this=0x40b330, cx=0x809200, vp=0x5000e0) at ../jswrapper.cpp:265
#3  0x00152808 in JSCrossCompartmentWrapper::iterate (this=0x20eeac, cx=0x809200, proxy=0x1002600, flags=3, vp=0x5000e0) at ../jswrapper.cpp:583
#4  0x00104cc5 in js::JSProxy::iterate (cx=0x809200, proxy=0x1002600, flags=3, vp=0x5000e0) at ../jsproxy.cpp:788
#5  0x000b490b in GetIterator (cx=0x809200, obj=0x1002600, flags=3, vp=0x5000e0) at ../jsiter.cpp:495
#6  0x000b4d07 in js_ValueToIterator (cx=0x809200, flags=3, vp=0x5000e0) at ../jsiter.cpp:642
#7  0x0008d808 in js_Interpret (cx=0x809200) at jsops.cpp:460
#8  0x000afad3 in js_Execute (cx=0x809200, chain=0x1002000, script=0x40c5b0, down=0x0, flags=0, result=0xbffff588) at jsinterp.cpp:870
#9  0x00016466 in JS_ExecuteScript (cx=0x809200, obj=0x1002000, script=0x40c5b0, rval=0xbffff588) at ../jsapi.cpp:4737
#10 0x0000a04e in Process (cx=0x809200, obj=0x1002000, filename=0x0, forceTTY=0) at ../../shell/js.cpp:522
#11 0x0000aa11 in ProcessArgs (cx=0x809200, obj=0x1002000, argv=0xbffff750, argc=0) at ../../shell/js.cpp:843
#12 0x0000ab2a in shell (cx=0x809200, argc=0, argv=0xbffff750, envp=0xbffff754) at ../../shell/js.cpp:5057
#13 0x0000ac4e in main (argc=0, argv=0xbffff750, envp=0xbffff754) at ../../shell/js.cpp:5144
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   44269:3aaaa21012c8
user:        Jason Orendorff
date:        Wed Jun 23 16:35:10 2010 -0500
summary:     Bug 563099 - Compartments and wrappers API. r=gal.
Blocks: compartments-api
This also causes a near-null dereference in opt shells:

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x0000001e
0x00101784 in JSCompartment::wrap ()
(gdb) 
(gdb) bt
#0  0x00101784 in JSCompartment::wrap ()
#1  0x00103367 in JSCrossCompartmentWrapper::get ()
#2  0x000b4937 in js::proxy_GetProperty ()
#3  0x0007868b in js_GetMethod ()
#4  0x0000e7c3 in JS_GetMethodById ()
#5  0x00068744 in js_IteratorMore ()
#6  0x00059c00 in js_Interpret ()
#7  0x00066ec6 in js_Execute ()
#8  0x000134f8 in JS_ExecuteScript ()
#9  0x0000522c in Process ()
#10 0x000087a7 in shell ()
#11 0x00008cc7 in main ()
(gdb) x/i $eip
0x101784 <_ZN13JSCompartment4wrapEP9JSContextPl+404>:   mov    0x8(%edx),%edx
(gdb) x/i $edx
0x16:   Cannot access memory at address 0x16
Summary: "Assertion failure: non-global object at end of scope chain," → Crash [@ JSCompartment::wrap] or "Assertion failure: non-global object at end of scope chain,"
Shell only. evalcx blows. We should disallow anything there thats not a proper scope object.
Attached patch patch (obsolete) — Splinter Review 
Mea culpa. Iterator->getCompartment() crashes because parent is NULL. Brendan is probably right. The optimization is silly.
Assignee: general → gal
Attached patch patchSplinter Review 
Brendan, I can fix this differently if you think its important to have this after all.
Attachment #453676 - Attachment is obsolete: true
ok to leave the "flags" argument to NewIteratorObject, unused?
Good point. Brendan already had it removed once. Lets wait what he says. If we remove the code I will have to re-do the cleanup I made him take out...
Two things:

1. Measure the win of the JSITER_ENUMERATE fast path in NewIteratorObject.

2. Make evalcx do what eval does, per comment 3, and not allow non-scope objects.

/be
Where is the "non-scope object" in this testcase?
This is fixed by bug 574262 which introduces a fast path that avoids asking non-escaping iterator objects for their parent to get their compartment.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: