Closed
Bug 576714
Opened 15 years ago
Closed 15 years ago
"Assertion failure: non-global object at end of scope chain" with 'default xml namespace'
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
| Tracking | Status | |
|---|---|---|
| blocking2.0 | --- | betaN+ |
People
(Reporter: gkw, Assigned: gal)
References
Details
(Keywords: assertion, regression, testcase, Whiteboard: fixed-in-tracemonkey)
Attachments
(1 file)
|
1.85 KB,
patch
|
jorendorff
:
review+
|
Details | Diff | Splinter Review |
try {
x = Proxy.create(({}), this)
} catch(e) {}
default xml namespace = x
asserts js debug shell without -j on TM tip at Assertion failure: non-global object at end of scope chain, at ../jsobj.cpp:6334
|
Assignee | |
Comment 1•15 years ago
|
||
#0 0x000000010015b5ce in JS_Assert (s=0x1001fac98 "non-global object at end of scope chain", file=0x1001fac88 "../jsobj.cpp", ln=6334) at ../jsutil.cpp:77
#1 0x00000001000c1603 in JSObject::getCompartment (this=0x101402240, cx=0x1005123f0) at ../jsobj.cpp:6334
#2 0x0000000100026069 in js::CompartmentChecker::check (this=0x7fff5fbfe720, obj=0x101402240) at jscntxtinlines.h:239
#3 0x00000001000260e7 in js::CompartmentChecker::check (this=0x7fff5fbfe720, v=4315947584) at jscntxtinlines.h:244
#4 0x0000000100026123 in js::CompartmentChecker::check (this=0x7fff5fbfe720, arr=@0x7fff5fbfe700) at jscntxtinlines.h:249
#5 0x0000000100027755 in js::assertSameCompartment<JSObject*, ValueArray> (cx=0x1005123f0, t1=0x1014022c0, t2={array = 0x101000218, length = 2}) at jscntxtinlines.h:293
#6 0x00000001000b5018 in js::callJSNative (cx=0x1005123f0, native=0x100179a34 <Namespace(JSContext*, JSObject*, unsigned int, long*, long*)>, thisobj=0x1014022c0, argc=2, argv=0x101000218, rval=0x101000268) at jscntxtinlines.h:338
#7 0x00000001000b15d4 in Invoke<int (*)(JSContext*, JSObject*, unsigned int, long*, long*)> (cx=0x1005123f0, fun=0x101407620, script=0x0, native=0x100179a34 <Namespace(JSContext*, JSObject*, unsigned int, long*, long*)>, args=@0x7fff5fbfe9c0, flags=1) at jsinterp.cpp:591
#8 0x00000001000b3f7c in js_Invoke (cx=0x1005123f0, args=@0x7fff5fbfe9c0, flags=1) at jsinterp.cpp:693
#9 0x00000001000b459b in js_InternalInvoke (cx=0x1005123f0, thisv=4315947712, fval=4315969056, flags=1, argc=2, argv=0x7fff5fbfeb40, rval=0x7fff5fbfeab0) at jsinterp.cpp:739
#10 0x00000001000ccc91 in js_ConstructObject (cx=0x1005123f0, clasp=0x100280a00, proto=0x101402280, parent=0x101402000, argc=2, argv=0x7fff5fbfeb40) at ../jsobj.cpp:3941
#11 0x0000000100166cd7 in js_SetDefaultXMLNamespace (cx=0x1005123f0, v=4315947584) at ../jsxml.cpp:7184
#12 0x00000001000aba94 in js_Interpret (cx=0x1005123f0) at jsops.cpp:3603
#13 0x00000001000b3603 in js_Execute (cx=0x1005123f0, chain=0x101402000, script=0x100515250, down=0x0, flags=0, result=0x0) at jsinterp.cpp:891
#14 0x000000010001572a in JS_ExecuteScript (cx=0x1005123f0, obj=0x101402000, script=0x100515250, rval=0x0) at ../jsapi.cpp:4751
#15 0x00000001000089bd in Process (cx=0x1005123f0, obj=0x101402000, filename=0x7fff5fbffa95 "x.js", forceTTY=0) at ../../shell/js.cpp:429
#16 0x00000001000095f7 in ProcessArgs (cx=0x1005123f0, obj=0x101402000, argv=0x7fff5fbff948, argc=1) at ../../shell/js.cpp:843
#17 0x00000001000096df in shell (cx=0x1005123f0, argc=1, argv=0x7fff5fbff948, envp=0x7fff5fbff958) at ../../shell/js.cpp:5032
#18 0x00000001000097db in main (argc=1, argv=0x7fff5fbff948, envp=0x7fff5fbff958) at ../../shell/js.cpp:5119
The bug is really in js_SetDefaultXMLNamespace.
|
|
Reporter | |
Updated•15 years ago
|
blocking2.0: --- → ?
|
||
Updated•15 years ago
|
Summary: "Assertion failure: non-global object at end of scope chain" → "Assertion failure: non-global object at end of scope chain" with 'default xml namespace'
|
|
Assignee | |
Comment 2•15 years ago
|
||
This is actually a bug in the proxy code after all.
|
|
Assignee | |
Comment 3•15 years ago
|
||
This should be a pretty recent regression, last week or so.
Assignee: general → gal
|
|
Assignee | |
Updated•15 years ago
|
Attachment #455830 -
Flags: review?(jorendorff)
|
|
Reporter | |
Comment 5•15 years ago
|
||
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: 43356:d770ef6237ea
user: Jason Orendorff
date: Wed Jun 16 16:13:28 2010 -0500
summary: Bug 570169 - Part 2, add assertions that gcthings do not leak across compartments. r=gal.
Blocks: 570169
|
|
||
Updated•15 years ago
|
Attachment #455830 -
Flags: review?(jorendorff) → review+
|
|
Reporter | |
Comment 6•15 years ago
|
||
This was fixed on TM a while back:
http://hg.mozilla.org/tracemonkey/rev/18609d716396
Whiteboard: fixed-in-tracemonkey
|
|
Reporter | |
Updated•15 years ago
|
Flags: in-testsuite?
|
||
Comment 7•15 years ago
|
||
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
|
|
||
Updated•15 years ago
|
blocking2.0: ? → betaN+
|
|
||
Comment 9•15 years ago
|
||
Comment on attachment 455830 [details] [diff] [review]
patch
>@@ -1074,25 +1076,26 @@ proxy_create(JSContext *cx, uintN argc,
> if (argc < 1) {
> JS_ReportErrorNumber(cx, js_GetErrorMessage, NULL, JSMSG_MORE_ARGS_NEEDED,
> "create", "0", "s");
> return false;
> }
> JSObject *handler;
> if (!(handler = NonNullObject(cx, vp[2])))
> return false;
>- JSObject *proto, *parent;
>+ JSObject *proto, *parent = NULL;
> if (argc > 1 && !JSVAL_IS_PRIMITIVE(vp[3])) {
> proto = JSVAL_TO_OBJECT(vp[3]);
> parent = proto->getParent();
> } else {
> JS_ASSERT(VALUE_IS_FUNCTION(cx, vp[0]));
> proto = NULL;
>+ }
>+ if (!parent)
> parent = JSVAL_TO_OBJECT(vp[0])->getParent();
Why initialize parent's declaration if it is set in both the "then" and "else" paths?
/be
You need to log in
before you can comment on or make changes to this bug.
Description
•