Closed Bug 613163 Opened 14 years ago Closed 13 years ago

"Assertion failure: outer && outer == obj,"

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
blocking2.0 --- .x+
status2.0 --- wanted

People

(Reporter: gkw, Unassigned)

References

Details

(Keywords: assertion, regression, testcase) 

(function () {
  eval("\
    (function(){\
      function::__proto__ = evalcx('split')\
    })\
  ")()
  delete uneval
  uneval = eval
})()

asserts js debug shell on TM changeset d446894bc3a6 at Assertion failure: outer && outer == obj,
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   56718:9ec91c8f9b8e
user:        Blake Kaplan
date:        Fri Oct 29 10:42:35 2010 -0700
summary:     Bug 596031 - 'this' is wrong in getters and setters when a proxy object is on the prototype chain. r=brendan/jorendorff/gal
Blocks: 596031
blocking2.0: ? → betaN+
blocking2.0: betaN+ → -
status2.0: --- → wanted
(gdb) bt
#0  0xf7fdf430 in __kernel_vsyscall ()
#1  0xf7fb7610 in raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/pt-raise.c:42
#2  0x081cbae1 in JS_Assert (s=0x83516f2 "outer && outer == obj", file=0x83515f8 "/home/fuzz1/Desktop/jsfunfuzz-dbg-32-tm-60455-284811f39ca6/compilePath/jscompartment.cpp", ln=238)
    at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-tm-60455-284811f39ca6/compilePath/jsutil.cpp:83
#3  0x080a868f in JSCompartment::wrap (this=0x8454fd0, cx=0x8451e78, vp=0xffffc3e0) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-tm-60455-284811f39ca6/compilePath/jscompartment.cpp:238
#4  0x080a8a3c in JSCompartment::wrap (this=0x8454fd0, cx=0x8451e78, objp=0xffffc580) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-tm-60455-284811f39ca6/compilePath/jscompartment.cpp:315
#5  0x080a8c05 in JSCompartment::wrap (this=0x8454fd0, cx=0x8451e78, desc=0xffffc580) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-tm-60455-284811f39ca6/compilePath/jscompartment.cpp:348
#6  0x081ce233 in JSCrossCompartmentWrapper::getPropertyDescriptor (this=0x83fd51c, cx=0x8451e78, wrapper=0xf760b1b0, id=..., set=true, desc=0xffffc580)
    at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-tm-60455-284811f39ca6/compilePath/jswrapper.cpp:412
#7  0x08170370 in js::JSProxy::getPropertyDescriptor (cx=0x8451e78, proxy=0xf760b1b0, id=..., set=true, desc=0xffffc580)
    at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-tm-60455-284811f39ca6/compilePath/jsproxy.cpp:675
#8  0x0812d3fe in js_SetPropertyHelper (cx=0x8451e78, obj=0xf7602028, id=..., defineHow=9, vp=0xffffc910, strict=0) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-tm-60455-284811f39ca6/compilePath/jsobj.cpp:5469
#9  0x0831464b in js::Interpret (cx=0x8451e78, entryFrame=0xf7790030, inlineCallCount=1, interpMode=JSINTERP_NORMAL)
    at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-tm-60455-284811f39ca6/compilePath/jsinterp.cpp:4477
#10 0x0810731c in js::RunScript (cx=0x8451e78, script=0x8490120, fp=0xf7790030) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-tm-60455-284811f39ca6/compilePath/jsinterp.cpp:657
#11 0x08108597 in js::Execute (cx=0x8451e78, chain=0xf7602028, script=0x8490120, prev=0x0, flags=0, result=0xffffd210)
    at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-tm-60455-284811f39ca6/compilePath/jsinterp.cpp:1023
#12 0x08074871 in JS_ExecuteScript (cx=0x8451e78, obj=0xf7602028, script=0x8490120, rval=0xffffd210) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-tm-60455-284811f39ca6/compilePath/jsapi.cpp:4883
#13 0x0804c78b in Process (cx=0x8451e78, obj=0xf7602028, filename=0x0, forceTTY=0) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-tm-60455-284811f39ca6/compilePath/shell/js.cpp:548
#14 0x0804d3e5 in ProcessArgs (cx=0x8451e78, obj=0xf7602028, argv=0xffffd418, argc=0) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-tm-60455-284811f39ca6/compilePath/shell/js.cpp:943
#15 0x08056c86 in Shell (cx=0x8451e78, argc=0, argv=0xffffd418, envp=0xffffd41c) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-tm-60455-284811f39ca6/compilePath/shell/js.cpp:5428
#16 0x08056e61 in main (argc=0, argv=0xffffd418, envp=0xffffd41c) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-tm-60455-284811f39ca6/compilePath/shell/js.cpp:5536
Here is a simpler test case, same assert:
--
var o = evalcx('split');
o.__proto__ = o;
o.__proto__;
--
Assertion failure: outer && outer == obj, at ../jscompartment.cpp:247
Renom blocking2.0? in the hope of getting at least softblocker or 2.0.x flag (assuming it's not severe), status2.0 seems uncommonly used for js asserts.
blocking2.0: - → ?
I don't see why this bug should keep us from shipping Firefox 4; getting it in the browser would require privileged code to call evalInSandbox and cross compartments, AFAICT.
blocking2.0: ? → -
We can fix it a bit later but .x would be neat.
blocking2.0: - → .x
See bug 637011 which has a similar assert.
See Also: → 637011
No longer asserts, assuming fixed by bug 676708, which removed split global stuff from the shell.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.