Closed Bug 613163 Opened 15 years ago Closed 14 years ago

"Assertion failure: outer && outer == obj,"

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
blocking2.0 --- .x+
status2.0 --- wanted

People

(Reporter: gkw, Unassigned)

References

Details

(Keywords: assertion, regression, testcase)

(function () { eval("\ (function(){\ function::__proto__ = evalcx('split')\ })\ ")() delete uneval uneval = eval })() asserts js debug shell on TM changeset d446894bc3a6 at Assertion failure: outer && outer == obj,
autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: 56718:9ec91c8f9b8e user: Blake Kaplan date: Fri Oct 29 10:42:35 2010 -0700 summary: Bug 596031 - 'this' is wrong in getters and setters when a proxy object is on the prototype chain. r=brendan/jorendorff/gal
Blocks: 596031
blocking2.0: ? → betaN+
blocking2.0: betaN+ → -
status2.0: --- → wanted
(gdb) bt #0 0xf7fdf430 in __kernel_vsyscall () #1 0xf7fb7610 in raise (sig=6) at ../nptl/sysdeps/unix/sysv/linux/pt-raise.c:42 #2 0x081cbae1 in JS_Assert (s=0x83516f2 "outer && outer == obj", file=0x83515f8 "/home/fuzz1/Desktop/jsfunfuzz-dbg-32-tm-60455-284811f39ca6/compilePath/jscompartment.cpp", ln=238) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-tm-60455-284811f39ca6/compilePath/jsutil.cpp:83 #3 0x080a868f in JSCompartment::wrap (this=0x8454fd0, cx=0x8451e78, vp=0xffffc3e0) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-tm-60455-284811f39ca6/compilePath/jscompartment.cpp:238 #4 0x080a8a3c in JSCompartment::wrap (this=0x8454fd0, cx=0x8451e78, objp=0xffffc580) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-tm-60455-284811f39ca6/compilePath/jscompartment.cpp:315 #5 0x080a8c05 in JSCompartment::wrap (this=0x8454fd0, cx=0x8451e78, desc=0xffffc580) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-tm-60455-284811f39ca6/compilePath/jscompartment.cpp:348 #6 0x081ce233 in JSCrossCompartmentWrapper::getPropertyDescriptor (this=0x83fd51c, cx=0x8451e78, wrapper=0xf760b1b0, id=..., set=true, desc=0xffffc580) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-tm-60455-284811f39ca6/compilePath/jswrapper.cpp:412 #7 0x08170370 in js::JSProxy::getPropertyDescriptor (cx=0x8451e78, proxy=0xf760b1b0, id=..., set=true, desc=0xffffc580) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-tm-60455-284811f39ca6/compilePath/jsproxy.cpp:675 #8 0x0812d3fe in js_SetPropertyHelper (cx=0x8451e78, obj=0xf7602028, id=..., defineHow=9, vp=0xffffc910, strict=0) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-tm-60455-284811f39ca6/compilePath/jsobj.cpp:5469 #9 0x0831464b in js::Interpret (cx=0x8451e78, entryFrame=0xf7790030, inlineCallCount=1, interpMode=JSINTERP_NORMAL) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-tm-60455-284811f39ca6/compilePath/jsinterp.cpp:4477 #10 0x0810731c in js::RunScript (cx=0x8451e78, script=0x8490120, fp=0xf7790030) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-tm-60455-284811f39ca6/compilePath/jsinterp.cpp:657 #11 0x08108597 in js::Execute (cx=0x8451e78, chain=0xf7602028, script=0x8490120, prev=0x0, flags=0, result=0xffffd210) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-tm-60455-284811f39ca6/compilePath/jsinterp.cpp:1023 #12 0x08074871 in JS_ExecuteScript (cx=0x8451e78, obj=0xf7602028, script=0x8490120, rval=0xffffd210) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-tm-60455-284811f39ca6/compilePath/jsapi.cpp:4883 #13 0x0804c78b in Process (cx=0x8451e78, obj=0xf7602028, filename=0x0, forceTTY=0) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-tm-60455-284811f39ca6/compilePath/shell/js.cpp:548 #14 0x0804d3e5 in ProcessArgs (cx=0x8451e78, obj=0xf7602028, argv=0xffffd418, argc=0) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-tm-60455-284811f39ca6/compilePath/shell/js.cpp:943 #15 0x08056c86 in Shell (cx=0x8451e78, argc=0, argv=0xffffd418, envp=0xffffd41c) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-tm-60455-284811f39ca6/compilePath/shell/js.cpp:5428 #16 0x08056e61 in main (argc=0, argv=0xffffd418, envp=0xffffd41c) at /home/fuzz1/Desktop/jsfunfuzz-dbg-32-tm-60455-284811f39ca6/compilePath/shell/js.cpp:5536
Here is a simpler test case, same assert: -- var o = evalcx('split'); o.__proto__ = o; o.__proto__; -- Assertion failure: outer && outer == obj, at ../jscompartment.cpp:247
Renom blocking2.0? in the hope of getting at least softblocker or 2.0.x flag (assuming it's not severe), status2.0 seems uncommonly used for js asserts.
blocking2.0: - → ?
I don't see why this bug should keep us from shipping Firefox 4; getting it in the browser would require privileged code to call evalInSandbox and cross compartments, AFAICT.
blocking2.0: ? → -
We can fix it a bit later but .x would be neat.
blocking2.0: - → .x
See bug 637011 which has a similar assert.
See Also: → 637011
No longer asserts, assuming fixed by bug 676708, which removed split global stuff from the shell.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.