Closed Bug 576774 Opened 14 years ago Closed 14 years ago

"Assertion failure: !obj->isWrapper() || obj->getClass()->ext.innerObject,"

Categories

(Core :: JavaScript Engine, defect)

x86
macOS
defect
Not set
critical

Tracking

()

RESOLVED FIXED
Tracking Status
blocking2.0 --- beta8+

People

(Reporter: gkw, Assigned: mrbkap)

References

Details

(Keywords: assertion, regression, testcase, Whiteboard: [ETA needed])

(function() {
  print(wrap(evalcx('')))
})()

asserts js debug shell on TM tip without -j at Assertion failure: !obj->isWrapper(), at ../jswrapper.cpp:284

Program received signal EXC_BAD_ACCESS, Could not access memory.
Reason: KERN_PROTECTION_FAILURE at address: 0x00000000
0x0014fb31 in JS_Assert (s=0x1f5627 "!obj->isWrapper()", file=0x1f55a8 "../jswrapper.cpp", ln=284) at ../jsutil.cpp:77
77          *((int *) NULL) = 0;  /* To continue from here in GDB: "return" then "continue". */
(gdb) bt
#0  0x0014fb31 in JS_Assert (s=0x1f5627 "!obj->isWrapper()", file=0x1f55a8 "../jswrapper.cpp", ln=284) at ../jsutil.cpp:77
#1  0x00151819 in js::TransparentObjectWrapper (cx=0x865200, obj=0x1002760, wrappedProto=0x1002240, flags=0) at ../jswrapper.cpp:284
#2  0x00150f8c in JSCompartment::wrap (this=0x40d0b0, cx=0x865200, vp=0x500164) at ../jswrapper.cpp:370
#3  0x00151f46 in JSCrossCompartmentWrapper::call (this=0x210114, cx=0x865200, wrapper=0x10027c0, argc=0, vp=0x500160) at ../jswrapper.cpp:726
#4  0x00103923 in js::JSProxy::call (cx=0x865200, proxy=0x10027c0, argc=0, vp=0x500160) at ../jsproxy.cpp:801
#5  0x001039a5 in js::proxy_Call (cx=0x865200, argc=0, vp=0x500160) at ../jsproxy.cpp:984
#6  0x000afb6e in js::callJSFastNative (cx=0x865200, native=0x103939 <js::proxy_Call(JSContext*, unsigned int, long*)>, argc=0, vp=0x500160) at jscntxtinlines.h:349
#7  0x000ab7e8 in callJSNative (cx=0x865200, callOp=0x103939 <js::proxy_Call(JSContext*, unsigned int, long*)>, thisp=0x1002780, argc=0, argv=0x500168, rval=0x500188) at jsinterp.cpp:464
#8  0x000abd32 in Invoke<int (*)(JSContext*, unsigned int, long*)> (cx=0x865200, fun=0x0, script=0x0, native=0x103939 <js::proxy_Call(JSContext*, unsigned int, long*)>, args=@0xbfffedf0, flags=0) at jsinterp.cpp:591
#9  0x000aed63 in js_Invoke (cx=0x865200, args=@0xbfffedf0, flags=0) at jsinterp.cpp:722
#10 0x000af1ba in js_InternalInvoke (cx=0x865200, thisv=16787328, fval=16787392, flags=0, argc=0, argv=0x0, rval=0xbfffeea8) at jsinterp.cpp:739
#11 0x000c6b2c in js_TryMethod (cx=0x865200, obj=0x1002780, atom=0x1000534, argc=0, argv=0x0, rval=0xbfffeea8) at ../jsobj.cpp:5963
#12 0x000c6e32 in js_DefaultValue (cx=0x865200, obj=0x1002780, hint=JSTYPE_STRING, vp=0xbfffef44) at ../jsobj.cpp:5403
#13 0x00139cf9 in JSObject::defaultValue (this=0x1002780, cx=0x865200, hint=JSTYPE_STRING, vp=0xbfffef44) at jsobj.h:680
#14 0x00132474 in js_ValueToString (cx=0x865200, v=16787328) at ../jsstr.cpp:3238
#15 0x0001395e in JS_ValueToString (cx=0x865200, v=16787328) at ../jsapi.cpp:424
#16 0x00008789 in Print (cx=0x865200, argc=1, vp=0x500130) at ../../shell/js.cpp:1036
#17 0x0009c427 in js_Interpret (cx=0x865200) at jsops.cpp:2145
#18 0x000ae293 in js_Execute (cx=0x865200, chain=0x1002000, script=0x40d110, down=0x0, flags=0, result=0xbffff738) at jsinterp.cpp:891
#19 0x00015e69 in JS_ExecuteScript (cx=0x865200, obj=0x1002000, script=0x40d110, rval=0xbffff738) at ../jsapi.cpp:4751
#20 0x00009895 in Process (cx=0x865200, obj=0x1002000, filename=0x0, forceTTY=0) at ../../shell/js.cpp:522
#21 0x0000a259 in ProcessArgs (cx=0x865200, obj=0x1002000, argv=0xbffff908, argc=0) at ../../shell/js.cpp:843
#22 0x0000a372 in shell (cx=0x865200, argc=0, argv=0xbffff908, envp=0xbffff90c) at ../../shell/js.cpp:5025
#23 0x0000a496 in main (argc=0, argv=0xbffff908, envp=0xbffff90c) at ../../shell/js.cpp:5112

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   46583:efd06f813388
user:        Andreas Gal
date:        Fri Jul 02 13:54:53 2010 -0700
summary:     Implement remaining cross compartment wrappers (574924, r=mrbkap).

Blocks: 574924
blocking2.0: ? → beta5+
Assignee: general → mrbkap

Moving to beta6+ and worrying about mrbkap's workload ...

blocking2.0: beta5+ → beta6+

Now asserts at Assertion failure: !obj->isWrapper() || obj->getClass()->ext.innerObject, instead

Summary: "Assertion failure: !obj->isWrapper()," → "AAssertion failure: !obj->isWrapper() || obj->getClass()->ext.innerObject,"
Summary: "AAssertion failure: !obj->isWrapper() || obj->getClass()->ext.innerObject," → "Assertion failure: !obj->isWrapper() || obj->getClass()->ext.innerObject,"
blocking2.0: beta7+ → beta8+
Whiteboard: [ETA needed]

In a recent shell:

  js> (function() {
    print(wrap(evalcx('')))
  })()
  [object sandbox]

->WORKSFORME
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → WORKSFORME

autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset:   55309:070c52d8c6b6
user:        Andreas Gal
date:        Sun Oct 10 15:47:22 2010 -0700
summary:     bug 580128 - Cross origin wrapper needs no waive xray flag. r=mrbkap

Resolution: WORKSFORME → FIXED