Closed Bug 614131 Opened 14 years ago Closed 14 years ago

Compartment mismatches with JSD: CallJSNative(exn_toString)

Categories: Core :: JavaScript Engine
Platform: x86_64 Linux
Type: defect
Priority: Not set
Severity: normal
Status: RESOLVED FIXED
Tracking Status: blocking2.0 --- betaN+
People: Reporter: sfink, Assigned: adrake
Keywords: regression
Whiteboard: [compartments][firebug-p1][hardblocker] fixed-in-tracemonkey
Attachments: 5 files, 3 obsolete files

Attached file Test file 1
I'm seeing multiple assertSameCompartment failures in conjunction with JSD.

STR: Install firebug 1.7. Open up sample.html, activate firebug. Play around with breakpoints. (I have one set on the 'for' loop.) Switch to sample2.html. Play around some more. (Set a breakpoint and reload. If you've set one in a past session, you should crash when opening sample2.html.)

I am very quickly seeing compartment-related assertion failures.

I have one from CallJSNative(exn_toString). I saw another from JS_DecompileFunctionBody() called from jsdScript::CreatePPLineMap(), which I'll file when I can reproduce.

Here's a stack for CallJSNative:

(gdb) bt
#0  0x0000003de620f30b in raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/pt-raise.c:42
#1  0x00007ffff48c7c14 in JS_Assert (s=0x7ffff4a2d2ec "compartment mismatched", file=0x7ffff4a2d160 "/home/sfink/src/.TM-3/js/src/jscntxtinlines.h", ln=541) at /home/sfink/src/.TM-3/js/src/jsutil.cpp:83
#2  0x00007ffff4747695 in js::CompartmentChecker::fail (c1=0x7fffdb560400, c2=0x7fffd9f4ec00) at /home/sfink/src/.TM-3/js/src/jscntxtinlines.h:541
#3  0x00007ffff4747703 in js::CompartmentChecker::check (this=0x7fffffffc390, c=0x7fffd9f4ec00) at /home/sfink/src/.TM-3/js/src/jscntxtinlines.h:549
#4  0x00007ffff4747749 in js::CompartmentChecker::check (this=0x7fffffffc390, obj=0x7fffce8a1f00) at /home/sfink/src/.TM-3/js/src/jscntxtinlines.h:557
#5  0x00007ffff474778a in js::CompartmentChecker::check (this=0x7fffffffc390, v=...) at /home/sfink/src/.TM-3/js/src/jscntxtinlines.h:562
#6  0x00007ffff4800ef6 in js::CompartmentChecker::check (this=0x7fffffffc390, arr=...) at /home/sfink/src/.TM-3/js/src/jscntxtinlines.h:571
#7  0x00007ffff4801e73 in js::assertSameCompartment<ValueArray> (cx=0x7fffe4e0f400, t1=...) at /home/sfink/src/.TM-3/js/src/jscntxtinlines.h:624
#8  0x00007ffff4800f64 in js::CallJSNative (cx=0x7fffe4e0f400, native=0x7ffff47a9e08 <exn_toString(JSContext*, uintN, js::Value*)>, argc=0, vp=0x7fffe84fd038) at /home/sfink/src/.TM-3/js/src/jscntxtinlines.h:683
#9  0x00007ffff4804709 in js::Invoke (cx=0x7fffe4e0f400, argsRef=..., flags=0) at /home/sfink/src/.TM-3/js/src/jsinterp.cpp:704
#10 0x00007ffff4804fbc in js::ExternalInvoke (cx=0x7fffe4e0f400, thisv=..., fval=..., argc=0, argv=0x0, rval=0x7fffffffc6a0) at /home/sfink/src/.TM-3/js/src/jsinterp.cpp:862
#11 0x00007ffff481aff5 in js::ExternalInvoke (cx=0x7fffe4e0f400, obj=0x7fffddcae2d0, fval=..., argc=0, argv=0x0, rval=0x7fffffffc6a0) at /home/sfink/src/.TM-3/js/src/jsinterp.h:962
#12 0x00007ffff482cec4 in js_TryMethod (cx=0x7fffe4e0f400, obj=0x7fffddcae2d0, atom=0x7fffe7f016c0, argc=0, argv=0x0, rval=0x7fffffffc6a0) at /home/sfink/src/.TM-3/js/src/jsobj.cpp:5978
#13 0x00007ffff482c0a1 in js::DefaultValue (cx=0x7fffe4e0f400, obj=0x7fffddcae2d0, hint=JSTYPE_STRING, vp=0x7fffffffc6f0) at /home/sfink/src/.TM-3/js/src/jsobj.cpp:5626
#14 0x00007ffff48a85f5 in js_ValueToString (cx=0x7fffe4e0f400, arg=...) at /home/sfink/src/.TM-3/js/src/jsstr.cpp:3735
#15 0x00007ffff47ab12b in js_ReportUncaughtException (cx=0x7fffe4e0f400) at /home/sfink/src/.TM-3/js/src/jsexn.cpp:1243
#16 0x00007ffff473b7bf in LAST_FRAME_EXCEPTION_CHECK (cx=0x7fffe4e0f400, result=false) at /home/sfink/src/.TM-3/js/src/jsapi.cpp:4400
#17 0x00007ffff473b7f9 in LAST_FRAME_CHECKS (cx=0x7fffe4e0f400, result=false) at /home/sfink/src/.TM-3/js/src/jsapi.cpp:4407
#18 0x00007ffff473d647 in JS_EvaluateUCScriptForPrincipals (cx=0x7fffe4e0f400, obj=0x7fffddcae828, principals=0x7fffd424ae08, chars=0x7fffd9856d18, length=158, filename=0x7fffce68a9e8 "file:///home/sfink/src/TM-singlestep/sample2.html", lineno=2, rval=0x0) at /home/sfink/src/.TM-3/js/src/jsapi.cpp:4885
#19 0x00007ffff473d471 in JS_EvaluateUCScriptForPrincipalsVersion (cx=0x7fffe4e0f400, obj=0x7fffddcae828, principals=0x7fffd424ae08, chars=0x7fffd9856d18, length=158, filename=0x7fffce68a9e8 "file:///home/sfink/src/TM-singlestep/sample2.html", lineno=2, rval=0x0, version=JSVERSION_DEFAULT) at /home/sfink/src/.TM-3/js/src/jsapi.cpp:4860
#20 0x00007ffff5dd94ca in nsJSContext::EvaluateString (this=0x7fffe4b87a20, aScript=..., aScopeObject=0x7fffddcae828, aPrincipal=0x7fffd424ae00, aURL=0x7fffce68a9e8 "file:///home/sfink/src/TM-singlestep/sample2.html", aLineNo=2, aVersion=0, aRetValue=0x0, aIsUndefined=0x7fffffffcc1c) at /home/sfink/src/.TM-3/dom/base/nsJSEnvironment.cpp:1731
#21 0x00007ffff5b2e105 in nsScriptLoader::EvaluateScript (this=0x7fffd4159680, aRequest=0x7fffd9681b60, aScript=...) at /home/sfink/src/.TM-3/content/base/src/nsScriptLoader.cpp:870
#22 0x00007ffff5b2da2b in nsScriptLoader::ProcessRequest (this=0x7fffd4159680, aRequest=0x7fffd9681b60) at /home/sfink/src/.TM-3/content/base/src/nsScriptLoader.cpp:769
#23 0x00007ffff5b2d6ee in nsScriptLoader::ProcessScriptElement (this=0x7fffd4159680, aElement=0x7fffce631e60) at /home/sfink/src/.TM-3/content/base/src/nsScriptLoader.cpp:715
#24 0x00007ffff5b29c53 in nsScriptElement::MaybeProcessScript (this=0x7fffce631e60) at /home/sfink/src/.TM-3/content/base/src/nsScriptElement.cpp:167
#25 0x00007ffff5c7931c in nsHTMLScriptElement::MaybeProcessScript (this=0x7fffce631df0) at /home/sfink/src/.TM-3/content/html/content/src/nsHTMLScriptElement.cpp:581
#26 0x00007ffff5c78fe2 in nsHTMLScriptElement::DoneAddingChildren (this=0x7fffce631df0, aHaveNotified=1) at /home/sfink/src/.TM-3/content/html/content/src/nsHTMLScriptElement.cpp:510
#27 0x00007ffff5fca6d1 in nsHtml5TreeOpExecutor::RunScript (this=0x7fffd4123f30, aScriptElement=0x7fffce631df0) at /home/sfink/src/.TM-3/parser/html/nsHtml5TreeOpExecutor.cpp:730
#28 0x00007ffff5fc9d12 in nsHtml5TreeOpExecutor::RunFlushLoop (this=0x7fffd4123f30) at /home/sfink/src/.TM-3/parser/html/nsHtml5TreeOpExecutor.cpp:525
#29 0x00007ffff5fd0c68 in nsHtml5ExecutorFlusher::Run (this=0x7fffd3f3ada0) at /home/sfink/src/.TM-3/parser/html/nsHtml5StreamParser.cpp:153
#30 0x00007ffff6b9e275 in nsThread::ProcessNextEvent (this=0x7ffff2d395e0, mayWait=0, result=0x7fffffffd63c) at /home/sfink/src/.TM-3/xpcom/threads/nsThread.cpp:610
#31 0x00007ffff6b28374 in NS_ProcessNextEvent_P (thread=0x7ffff2d395e0, mayWait=0) at nsThreadUtils.cpp:250
#32 0x00007ffff698891a in mozilla::ipc::MessagePump::Run (this=0x7ffff2dfebc0, aDelegate=0x7fffec0271c0) at /home/sfink/src/.TM-3/ipc/glue/MessagePump.cpp:110
#33 0x00007ffff6c07257 in MessageLoop::RunInternal (this=0x7fffec0271c0) at /home/sfink/src/.TM-3/ipc/chromium/src/base/message_loop.cc:219
#34 0x00007ffff6c071dc in MessageLoop::RunHandler (this=0x7fffec0271c0) at /home/sfink/src/.TM-3/ipc/chromium/src/base/message_loop.cc:202
#35 0x00007ffff6c0716d in MessageLoop::Run (this=0x7fffec0271c0) at /home/sfink/src/.TM-3/ipc/chromium/src/base/message_loop.cc:176
#36 0x00007ffff68259db in nsBaseAppShell::Run (this=0x7fffea7fcf80) at /home/sfink/src/.TM-3/widget/src/xpwidgets/nsBaseAppShell.cpp:181
#37 0x00007ffff656dde5 in nsAppStartup::Run (this=0x7fffe80924c0) at /home/sfink/src/.TM-3/toolkit/components/startup/src/nsAppStartup.cpp:191
#38 0x00007ffff548315a in XRE_main (argc=4, argv=0x7fffffffe298, aAppData=0x7ffff2d250f0) at /home/sfink/src/.TM-3/toolkit/xre/nsAppRunner.cpp:3682
#39 0x0000000000401e7f in main (argc=4, argv=0x7fffffffe298) at /home/sfink/src/.TM-3/browser/app/nsBrowserApp.cpp:158
(gdb)
Attached file Test file 2
blocking2.0: --- → ?
Depends on: 610941
steve: please try to limit the jsd component to bugs where there's actually source from js/jsd/ in the stack
Assignee: nobody → general
Component: JavaScript Debugging APIs → JavaScript Engine
QA Contact: jsd → general
mrbkap et al.: in debug builds, is it possible to actually provide enough information to make this stuff easy to debug? Ideally something like tracerefcnt (or the older JSLock ABBA checker), where the compartment pointer and its stack are dumped at creation time (if an env var is set), so that when someone hits an assert like this, the person who sees the assert can look back and point to the place where the compartment came from (in stack form).

Exact steps to reproduce:

1. Set up a profile with Firebug 1.7 installed.
2. Clean it out (this is just to make it reproducible with the exact same steps):
  rm -rf <profile>/sessionstore* <profile>/firebug
3. Start up firefox on sample.html:
  dist/bin/firefox -no-remote -P dev file:///home/sfink/src/TM-singlestep/sample.html
4. Turn on firebug (click the bug icon in the bottom right)
5. Reload (Ctrl-R)
6. From the location bar, switch to sample2.html
7. Set breakpoints on the 'for' line and the line with 'y=3' (lines 7 and 10)
8. Reload. You will now be stopped at the breakpoint on the 'for' line. (line 7)
9. Press F8 ('continue') to advance to the breakpoint on the 'y=3' line (line 10)
10. From the location bar, switch back to sample.html

Unfortunately, the fix in bug 610941 does not fix this.

I have a browser-chrome mochitest that does everything in the STR above, but unfortunately it does not cause the crash. So either browser chrome mochitests set things up slightly differently, or my test isn't mimicking how Firebug does all of the breakpoints etc.

In watching JS_EvaluateUCScriptForPrincipals(), what I see is that first sample.html runs a script in a context with compartment C1, using an 'obj' parameter corresponding to a Window object in compartment C1. After the script is done executing, cx->compartment and obj->getCompartment() are both still C1.

Then sample2.html executes a script. On entry, we have the same context, but now both cx->compartment and obj->getCompartment() are a different compartment, C2. After exiting, however, cx->compartment has been reverted back to C1. This is only noticed with the above STR because sample2.html contains an error, and while generating the error message the compartment mismatch is detected. (Note that 'obj' is different between the two Evaluate invocations.)

None of which means much of anything to me. Here's some more probably-useless detail:

This is the stack where C1 got created:

#0  JSCompartment::JSCompartment (this=0x7fffdd899800, rt=0x7fffea89e000) at /home/sfink/src/TM-singlestep/js/src/jscompartment.cpp:60
#1  0x00007ffff475c95b in js::gc::NewCompartment (cx=0x7fffddd4b800, principals=0x7fffd82398f8) at /home/sfink/src/TM-singlestep/js/src/jsgc.cpp:2609
#2  0x00007ffff46d4a55 in JS_NewCompartmentAndGlobalObject (cx=0x7fffddd4b800, clasp=0x7ffff7f89200, principals=0x7fffd82398f8) at /home/sfink/src/TM-singlestep/js/src/jsapi.cpp:2969
#3  0x00007ffff62f8900 in CreateNewCompartment (cx=0x7fffddd4b800, clasp=0x7ffff7f89200, principal=0x7fffd82398f0, priv=0x7fffda3fde80, global=0x7fffffffc270, compartment=0x7fffffffc278) at /home/sfink/src/TM-singlestep/js/src/xpconnect/src/nsXPConnect.cpp:964
#4  0x00007ffff62f8bfb in xpc_CreateGlobalObject (cx=0x7fffddd4b800, clasp=0x7ffff7f89200, principal=0x7fffd82398f0, ptr=0x0, wantXrays=false, global=0x7fffffffc270, compartment=0x7fffffffc278) at /home/sfink/src/TM-singlestep/js/src/xpconnect/src/nsXPConnect.cpp:1002
#5  0x00007ffff62f905a in nsXPConnect::InitClassesWithNewWrappedGlobal (this=0x7fffebd35f50, aJSContext=0x7fffddd4b800, aCOMObj=0x7fffdd899478, aIID=..., aPrincipal=0x7fffd82398f0, aExtraPtr=0x0, aFlags=0, _retval=0x7fffffffc340) at /home/sfink/src/TM-singlestep/js/src/xpconnect/src/nsXPConnect.cpp:1089
#6  0x00007ffff5d970c0 in nsJSContext::CreateNativeGlobalForInner (this=0x7fffdde939e0, aNewInner=0x7fffdd899478, aIsChrome=0, aPrincipal=0x7fffd82398f0, aNativeGlobal=0x7fffdd899630, aHolder=0x7fffddd4b5d8) at /home/sfink/src/TM-singlestep/dom/base/nsJSEnvironment.cpp:2540
#7  0x00007ffff5db6649 in nsGlobalWindow::SetNewDocument (this=0x7fffddd4b400, aDocument=0x7fffd61bb800, aState=0x0, aForceReuseInnerWindow=0) at /home/sfink/src/TM-singlestep/dom/base/nsGlobalWindow.cpp:1982
#8  0x00007ffff572b5af in DocumentViewerImpl::InitInternal (this=0x7fffd6025080, aParentWidget=0x0, aState=0x0, aBounds=..., aDoCreation=1, aNeedMakeCX=1) at /home/sfink/src/TM-singlestep/layout/base/nsDocumentViewer.cpp:956
#9  0x00007ffff572a25e in DocumentViewerImpl::Init (this=0x7fffd6025080, aParentWidget=0x0, aBounds=...) at /home/sfink/src/TM-singlestep/layout/base/nsDocumentViewer.cpp:693
#10 0x00007ffff6443223 in nsDocShell::SetupNewViewer (this=0x7fffddd4ac00, aNewViewer=0x7fffd6025080) at /home/sfink/src/TM-singlestep/docshell/base/nsDocShell.cpp:7619
#11 0x00007ffff643b593 in nsDocShell::Embed (this=0x7fffddd4ac00, aContentViewer=0x7fffd6025080, aCommand=0x7ffff72366eb "", aExtraInfo=0x0) at /home/sfink/src/TM-singlestep/docshell/base/nsDocShell.cpp:5716
#12 0x00007ffff6441fcc in nsDocShell::CreateContentViewer (this=0x7fffddd4ac00, aContentType=0x7fffd604dc18 "text/html", request=0x7fffddcd4b80, aContentHandler=0x7fffd6050df0) at /home/sfink/src/TM-singlestep/docshell/base/nsDocShell.cpp:7406
#13 0x00007ffff645dbae in nsDSURIContentListener::DoContent (this=0x7fffddd56330, aContentType=0x7fffd604dc18 "text/html", aIsContentPreferred=0, request=0x7fffddcd4b80, aContentHandler=0x7fffd6050df0, aAbortProcess=0x7fffffffcf1c) at /home/sfink/src/TM-singlestep/docshell/base/nsDSURIContentListener.cpp:148
#14 0x00007ffff6466360 in nsDocumentOpenInfo::TryContentListener (this=0x7fffd6050dd0, aListener=0x7fffddd56330, aChannel=0x7fffddcd4b80) at /home/sfink/src/TM-singlestep/uriloader/base/nsURILoader.cpp:757
#15 0x00007ffff6464f55 in nsDocumentOpenInfo::DispatchContent (this=0x7fffd6050dd0, request=0x7fffddcd4b80, aCtxt=0x0) at /home/sfink/src/TM-singlestep/uriloader/base/nsURILoader.cpp:455
#16 0x00007ffff64644f7 in nsDocumentOpenInfo::OnStartRequest (this=0x7fffd6050dd0, request=0x7fffddcd4b80, aCtxt=0x0) at /home/sfink/src/TM-singlestep/uriloader/base/nsURILoader.cpp:295
#17 0x00007ffff54730b3 in nsBaseChannel::OnStartRequest (this=0x7fffddcd4b30, request=0x7fffdd563d80, ctxt=0x0) at /home/sfink/src/TM-singlestep/netwerk/base/src/nsBaseChannel.cpp:712
#18 0x00007ffff5487d20 in nsInputStreamPump::OnStateStart (this=0x7fffdd563d80) at /home/sfink/src/TM-singlestep/netwerk/base/src/nsInputStreamPump.cpp:441
#19 0x00007ffff5487b50 in nsInputStreamPump::OnInputStreamReady (this=0x7fffdd563d80, stream=0x7fffe2b7f9c8) at /home/sfink/src/TM-singlestep/netwerk/base/src/nsInputStreamPump.cpp:397
#20 0x00007ffff6b43679 in nsInputStreamReadyEvent::Run (this=0x7fffe4eca380) at /home/sfink/src/TM-singlestep/xpcom/io/nsStreamUtils.cpp:112
#21 0x00007ffff6b6ea44 in nsThread::ProcessNextEvent (this=0x7fffebd04d80, mayWait=0, result=0x7fffffffd5fc) at /home/sfink/src/TM-singlestep/xpcom/threads/nsThread.cpp:626
#22 0x00007ffff6af88e4 in NS_ProcessNextEvent_P (thread=0x7fffebd04d80, mayWait=0) at nsThreadUtils.cpp:250
#23 0x00007ffff693ec1a in mozilla::ipc::MessagePump::Run (this=0x7fffebd14080, aDelegate=0x7fffebd251c0) at /home/sfink/src/TM-singlestep/ipc/glue/MessagePump.cpp:110
#24 0x00007ffff6bd88eb in MessageLoop::RunInternal (this=0x7fffebd251c0) at /home/sfink/src/TM-singlestep/ipc/chromium/src/base/message_loop.cc:219
#25 0x00007ffff6bd8870 in MessageLoop::RunHandler (this=0x7fffebd251c0) at /home/sfink/src/TM-singlestep/ipc/chromium/src/base/message_loop.cc:202
#26 0x00007ffff6bd8801 in MessageLoop::Run (this=0x7fffebd251c0) at /home/sfink/src/TM-singlestep/ipc/chromium/src/base/message_loop.cc:176
#27 0x00007ffff67d8fc7 in nsBaseAppShell::Run (this=0x7fffe8796500) at /home/sfink/src/TM-singlestep/widget/src/xpwidgets/nsBaseAppShell.cpp:181
#28 0x00007ffff652148d in nsAppStartup::Run (this=0x7fffe87adb00) at /home/sfink/src/TM-singlestep/toolkit/components/startup/src/nsAppStartup.cpp:191
#29 0x00007ffff54336d2 in XRE_main (argc=5, argv=0x7fffffffe258, aAppData=0x7ffff2c27080) at /home/sfink/src/TM-singlestep/toolkit/xre/nsAppRunner.cpp:3691
#30 0x0000000000401d0c in main (argc=5, argv=0x7fffffffe258) at /home/sfink/src/TM-singlestep/browser/app/nsBrowserApp.cpp:158

And this is the stack where C2 was created (which only happened after sample.html was done executing):

#0  JSCompartment::JSCompartment (this=0x7fffdb172c00, rt=0x7fffea89e000) at /home/sfink/src/TM-singlestep/js/src/jscompartment.cpp:60
#1  0x00007ffff475c95b in js::gc::NewCompartment (cx=0x7fffddd4b800, principals=0x7fffe3885868) at /home/sfink/src/TM-singlestep/js/src/jsgc.cpp:2609
#2  0x00007ffff46d4a55 in JS_NewCompartmentAndGlobalObject (cx=0x7fffddd4b800, clasp=0x7ffff7f89200, principals=0x7fffe3885868) at /home/sfink/src/TM-singlestep/js/src/jsapi.cpp:2969
#3  0x00007ffff62f8900 in CreateNewCompartment (cx=0x7fffddd4b800, clasp=0x7ffff7f89200, principal=0x7fffe3885860, priv=0x7fffdb184740, global=0x7fffffffc270, compartment=0x7fffffffc278) at /home/sfink/src/TM-singlestep/js/src/xpconnect/src/nsXPConnect.cpp:964
#4  0x00007ffff62f8bfb in xpc_CreateGlobalObject (cx=0x7fffddd4b800, clasp=0x7ffff7f89200, principal=0x7fffe3885860, ptr=0x0, wantXrays=false, global=0x7fffffffc270, compartment=0x7fffffffc278) at /home/sfink/src/TM-singlestep/js/src/xpconnect/src/nsXPConnect.cpp:1002
#5  0x00007ffff62f905a in nsXPConnect::InitClassesWithNewWrappedGlobal (this=0x7fffebd35f50, aJSContext=0x7fffddd4b800, aCOMObj=0x7fffdb172878, aIID=..., aPrincipal=0x7fffe3885860, aExtraPtr=0x0, aFlags=0, _retval=0x7fffffffc340) at /home/sfink/src/TM-singlestep/js/src/xpconnect/src/nsXPConnect.cpp:1089
#6  0x00007ffff5d970c0 in nsJSContext::CreateNativeGlobalForInner (this=0x7fffdde939e0, aNewInner=0x7fffdb172878, aIsChrome=0, aPrincipal=0x7fffe3885860, aNativeGlobal=0x7fffdb172a30, aHolder=0x7fffddd4b5d8) at /home/sfink/src/TM-singlestep/dom/base/nsJSEnvironment.cpp:2540
#7  0x00007ffff5db6649 in nsGlobalWindow::SetNewDocument (this=0x7fffddd4b400, aDocument=0x7fffdb160000, aState=0x0, aForceReuseInnerWindow=0) at /home/sfink/src/TM-singlestep/dom/base/nsGlobalWindow.cpp:1982
#8  0x00007ffff572b5af in DocumentViewerImpl::InitInternal (this=0x7fffdb179280, aParentWidget=0x0, aState=0x0, aBounds=..., aDoCreation=1, aNeedMakeCX=1) at /home/sfink/src/TM-singlestep/layout/base/nsDocumentViewer.cpp:956
#9  0x00007ffff572a25e in DocumentViewerImpl::Init (this=0x7fffdb179280, aParentWidget=0x0, aBounds=...) at /home/sfink/src/TM-singlestep/layout/base/nsDocumentViewer.cpp:693
#10 0x00007ffff6443223 in nsDocShell::SetupNewViewer (this=0x7fffddd4ac00, aNewViewer=0x7fffdb179280) at /home/sfink/src/TM-singlestep/docshell/base/nsDocShell.cpp:7619
#11 0x00007ffff643b593 in nsDocShell::Embed (this=0x7fffddd4ac00, aContentViewer=0x7fffdb179280, aCommand=0x7ffff72366eb "", aExtraInfo=0x0) at /home/sfink/src/TM-singlestep/docshell/base/nsDocShell.cpp:5716
#12 0x00007ffff6441fcc in nsDocShell::CreateContentViewer (this=0x7fffddd4ac00, aContentType=0x7fffdb132f18 "text/html", request=0x7fffddcd6a60, aContentHandler=0x7fffddbb1f30) at /home/sfink/src/TM-singlestep/docshell/base/nsDocShell.cpp:7406
#13 0x00007ffff645dbae in nsDSURIContentListener::DoContent (this=0x7fffddd56330, aContentType=0x7fffdb132f18 "text/html", aIsContentPreferred=0, request=0x7fffddcd6a60, aContentHandler=0x7fffddbb1f30, aAbortProcess=0x7fffffffcf1c) at /home/sfink/src/TM-singlestep/docshell/base/nsDSURIContentListener.cpp:148
#14 0x00007ffff6466360 in nsDocumentOpenInfo::TryContentListener (this=0x7fffddbb1f10, aListener=0x7fffddd56330, aChannel=0x7fffddcd6a60) at /home/sfink/src/TM-singlestep/uriloader/base/nsURILoader.cpp:757
#15 0x00007ffff6464f55 in nsDocumentOpenInfo::DispatchContent (this=0x7fffddbb1f10, request=0x7fffddcd6a60, aCtxt=0x0) at /home/sfink/src/TM-singlestep/uriloader/base/nsURILoader.cpp:455
#16 0x00007ffff64644f7 in nsDocumentOpenInfo::OnStartRequest (this=0x7fffddbb1f10, request=0x7fffddcd6a60, aCtxt=0x0) at /home/sfink/src/TM-singlestep/uriloader/base/nsURILoader.cpp:295
#17 0x00007ffff54730b3 in nsBaseChannel::OnStartRequest (this=0x7fffddcd6a10, request=0x7fffddbd7300, ctxt=0x0) at /home/sfink/src/TM-singlestep/netwerk/base/src/nsBaseChannel.cpp:712
#18 0x00007ffff5487d20 in nsInputStreamPump::OnStateStart (this=0x7fffddbd7300) at /home/sfink/src/TM-singlestep/netwerk/base/src/nsInputStreamPump.cpp:441
#19 0x00007ffff5487b50 in nsInputStreamPump::OnInputStreamReady (this=0x7fffddbd7300, stream=0x7fffddbd29e8) at /home/sfink/src/TM-singlestep/netwerk/base/src/nsInputStreamPump.cpp:397
#20 0x00007ffff6b43679 in nsInputStreamReadyEvent::Run (this=0x7fffdda2c480) at /home/sfink/src/TM-singlestep/xpcom/io/nsStreamUtils.cpp:112
#21 0x00007ffff6b6ea44 in nsThread::ProcessNextEvent (this=0x7fffebd04d80, mayWait=0, result=0x7fffffffd5fc) at /home/sfink/src/TM-singlestep/xpcom/threads/nsThread.cpp:626
#22 0x00007ffff6af88e4 in NS_ProcessNextEvent_P (thread=0x7fffebd04d80, mayWait=0) at nsThreadUtils.cpp:250
#23 0x00007ffff693ec1a in mozilla::ipc::MessagePump::Run (this=0x7fffebd14080, aDelegate=0x7fffebd251c0) at /home/sfink/src/TM-singlestep/ipc/glue/MessagePump.cpp:110
#24 0x00007ffff6bd88eb in MessageLoop::RunInternal (this=0x7fffebd251c0) at /home/sfink/src/TM-singlestep/ipc/chromium/src/base/message_loop.cc:219
#25 0x00007ffff6bd8870 in MessageLoop::RunHandler (this=0x7fffebd251c0) at /home/sfink/src/TM-singlestep/ipc/chromium/src/base/message_loop.cc:202
#26 0x00007ffff6bd8801 in MessageLoop::Run (this=0x7fffebd251c0) at /home/sfink/src/TM-singlestep/ipc/chromium/src/base/message_loop.cc:176
#27 0x00007ffff67d8fc7 in nsBaseAppShell::Run (this=0x7fffe8796500) at /home/sfink/src/TM-singlestep/widget/src/xpwidgets/nsBaseAppShell.cpp:181
#28 0x00007ffff652148d in nsAppStartup::Run (this=0x7fffe87adb00) at /home/sfink/src/TM-singlestep/toolkit/components/startup/src/nsAppStartup.cpp:191
#29 0x00007ffff54336d2 in XRE_main (argc=5, argv=0x7fffffffe258, aAppData=0x7ffff2c27080) at /home/sfink/src/TM-singlestep/toolkit/xre/nsAppRunner.cpp:3691
#30 0x0000000000401d0c in main (argc=5, argv=0x7fffffffe258) at /home/sfink/src/TM-singlestep/browser/app/nsBrowserApp.cpp:158

Here's the 'obj' parameter (at the time of executing sample.html, but from a different run than the above stacks):

object 0x7fffddc6d120
class 0x7fffde1d02c8 Window
flags: delegate own_shape has_equality hasPropertyTable
properties:
    enumerate permanent "y": slot 138
    enumerate permanent "x": slot 137
    permanent "WindowUtils": slot 136
    permanent "XPathResult": slot 135
    permanent "StyleSheetList": slot 134
    permanent "Location": slot 133
    enumerate getter shared "InstallTrigger": slot -1
    enumerate readonly "document": slot 132
    permanent "Node": slot 131
    permanent "Document": slot 130
    permanent "HTMLDocument": slot 129
    "_options": slot 128
    "netscape": slot 127
    enumerate readonly permanent "window": slot 126
    readonly permanent "XPCNativeWrapper": slot 125
    readonly permanent "Components": slot 124
    "eval": slot 123
    "Object": slot 81
    "Function": slot 82
proto <XPC_WN_ModsAllowed_NoCall_Proto_JSClass object at 0x7fffddc99108>
parent null
private 0x7fffd92047b0
slots:
   0 (reserved) = undefined
   1 (reserved) = <function Object at 0x7fffddc4ae80 (JSFunction at 0x7fffddc4ae80)>
   2 (reserved) = <function Function at 0x7fffddc4ab00 (JSFunction at 0x7fffddc4ab00)>
   3 (reserved) = undefined
   4 (reserved) = undefined
   5 (reserved) = undefined
   6 (reserved) = undefined
   7 (reserved) = undefined
   8 (reserved) = undefined
   9 (reserved) = undefined
  10 (reserved) = undefined
  11 (reserved) = undefined
  12 (reserved) = undefined
  13 (reserved) = undefined
  14 (reserved) = undefined
  15 (reserved) = undefined
  16 (reserved) = undefined
  17 (reserved) = undefined
  18 (reserved) = undefined
  19 (reserved) = undefined
  20 (reserved) = undefined
  21 (reserved) = undefined
  22 (reserved) = undefined
  23 (reserved) = undefined
  24 (reserved) = undefined
  25 (reserved) = undefined
  26 (reserved) = undefined
  27 (reserved) = undefined
  28 (reserved) = undefined
  29 (reserved) = undefined
  30 (reserved) = undefined
  31 (reserved) = undefined
  32 (reserved) = undefined
  33 (reserved) = undefined
  34 (reserved) = undefined
  35 (reserved) = undefined
  36 (reserved) = undefined
  37 (reserved) = undefined
  38 (reserved) = undefined
  39 (reserved) = undefined
  40 (reserved) = undefined
  41 (reserved) = <Object at 0x7fffddc6d1b0>
  42 (reserved) = <unnamed function at 0x7fffddc4aa80 (JSFunction at 0x7fffddc4aa80)>
  43 (reserved) = undefined
  44 (reserved) = undefined
  45 (reserved) = undefined
  46 (reserved) = undefined
  47 (reserved) = undefined
  48 (reserved) = undefined
  49 (reserved) = undefined
  50 (reserved) = undefined
  51 (reserved) = undefined
  52 (reserved) = undefined
  53 (reserved) = undefined
  54 (reserved) = undefined
  55 (reserved) = undefined
  56 (reserved) = undefined
  57 (reserved) = undefined
  58 (reserved) = undefined
  59 (reserved) = undefined
  60 (reserved) = undefined
  61 (reserved) = undefined
  62 (reserved) = undefined
  63 (reserved) = undefined
  64 (reserved) = undefined
  65 (reserved) = undefined
  66 (reserved) = undefined
  67 (reserved) = undefined
  68 (reserved) = undefined
  69 (reserved) = undefined
  70 (reserved) = undefined
  71 (reserved) = undefined
  72 (reserved) = undefined
  73 (reserved) = undefined
  74 (reserved) = undefined
  75 (reserved) = undefined
  76 (reserved) = undefined
  77 (reserved) = undefined
  78 (reserved) = undefined
  79 (reserved) = undefined
  80 (reserved) = undefined
  81 (reserved) = <function Object at 0x7fffddc4ae80 (JSFunction at 0x7fffddc4ae80)>
  82 (reserved) = <function Function at 0x7fffddc4ab00 (JSFunction at 0x7fffddc4ab00)>
  83 (reserved) = undefined
  84 (reserved) = undefined
  85 (reserved) = undefined
  86 (reserved) = undefined
  87 (reserved) = undefined
  88 (reserved) = undefined
  89 (reserved) = undefined
  90 (reserved) = undefined
  91 (reserved) = undefined
  92 (reserved) = undefined
  93 (reserved) = undefined
  94 (reserved) = undefined
  95 (reserved) = undefined
  96 (reserved) = undefined
  97 (reserved) = undefined
  98 (reserved) = undefined
  99 (reserved) = undefined
 100 (reserved) = undefined
 101 (reserved) = undefined
 102 (reserved) = undefined
 103 (reserved) = undefined
 104 (reserved) = undefined
 105 (reserved) = undefined
 106 (reserved) = undefined
 107 (reserved) = undefined
 108 (reserved) = undefined
 109 (reserved) = undefined
 110 (reserved) = undefined
 111 (reserved) = undefined
 112 (reserved) = undefined
 113 (reserved) = undefined
 114 (reserved) = undefined
 115 (reserved) = undefined
 116 (reserved) = undefined
 117 (reserved) = undefined
 118 (reserved) = undefined
 119 (reserved) = undefined
 120 (reserved) = undefined
 121 (reserved) = <unnamed function at 0x7fffddc4ae00 (JSFunction at 0x7fffddc4ae00)>
 122 (reserved) = <RegExpStatics object at 0x7fffddc6d168>
 123 = <function eval at 0x7fffddc4cc80 (JSFunction at 0x7fffddc4cc80)>
 124 = <nsXPCComponents object at 0x7fffddc991b8>
 125 = <function XPCNativeWrapper at 0x7fffddc4cd00 (JSFunction at 0x7fffddc4cd00)>
 126 = <Proxy object at 0x7fffddc4b068>
 127 = <Object at 0x7fffddc6d240>
 128 = <JSOptions object at 0x7fffddc6d318>
 129 = <DOMPrototype object at 0x7fffddc992c0>
 130 = <DOMPrototype object at 0x7fffddc99318>
 131 = <DOMPrototype object at 0x7fffddc99370>
 132 = <HTMLDocument object at 0x7fffddc993c8>
 133 = <DOMPrototype object at 0x7fffddc99478>
 134 = <DOMPrototype object at 0x7fffddc99580>
 135 = <DOMPrototype object at 0x7fffddc99688>
 136 = <DOMPrototype object at 0x7fffddc99898>
 137 = undefined
 138 = undefined

And here's the second 'obj', before the 2nd evaluate:

object 0x7fffddc9a120
class 0x7fffde1d02c8 Window
flags: delegate own_shape has_equality hasPropertyTable
properties:
    enumerate permanent "f": slot 136
    enumerate permanent "y": slot 135
    enumerate permanent "x": slot 134
    permanent "Location": slot 133
    enumerate getter shared "InstallTrigger": slot -1
    enumerate readonly "document": slot 132
    permanent "Node": slot 131
    permanent "Document": slot 130
    permanent "HTMLDocument": slot 129
    "_options": slot 128
    "netscape": slot 127
    enumerate readonly permanent "window": slot 126
    readonly permanent "XPCNativeWrapper": slot 125
    readonly permanent "Components": slot 124
    "eval": slot 123
    "Object": slot 81
    "Function": slot 82
proto <XPC_WN_ModsAllowed_NoCall_Proto_JSClass object at 0x7fffddc9e108>
parent null
private 0x7fffd6983cf0
slots:
   0 (reserved) = undefined
   1 (reserved) = <function Object at 0x7fffddce7e80 (JSFunction at 0x7fffddce7e80)>
   2 (reserved) = <function Function at 0x7fffddce7b00 (JSFunction at 0x7fffddce7b00)>
   3 (reserved) = undefined
   4 (reserved) = undefined
   5 (reserved) = undefined
   6 (reserved) = undefined
   7 (reserved) = undefined
   8 (reserved) = undefined
   9 (reserved) = undefined
  10 (reserved) = undefined
  11 (reserved) = undefined
  12 (reserved) = undefined
  13 (reserved) = undefined
  14 (reserved) = undefined
  15 (reserved) = undefined
  16 (reserved) = undefined
  17 (reserved) = undefined
  18 (reserved) = undefined
  19 (reserved) = undefined
  20 (reserved) = undefined
  21 (reserved) = undefined
  22 (reserved) = undefined
  23 (reserved) = undefined
  24 (reserved) = undefined
  25 (reserved) = undefined
  26 (reserved) = undefined
  27 (reserved) = undefined
  28 (reserved) = undefined
  29 (reserved) = undefined
  30 (reserved) = undefined
  31 (reserved) = undefined
  32 (reserved) = undefined
  33 (reserved) = undefined
  34 (reserved) = undefined
  35 (reserved) = undefined
  36 (reserved) = undefined
  37 (reserved) = undefined
  38 (reserved) = undefined
  39 (reserved) = undefined
  40 (reserved) = undefined
  41 (reserved) = <Object at 0x7fffddc9a1b0>
  42 (reserved) = <unnamed function at 0x7fffddce7a80 (JSFunction at 0x7fffddce7a80)>
  43 (reserved) = undefined
  44 (reserved) = undefined
  45 (reserved) = undefined
  46 (reserved) = undefined
  47 (reserved) = undefined
  48 (reserved) = undefined
  49 (reserved) = undefined
  50 (reserved) = undefined
  51 (reserved) = undefined
  52 (reserved) = undefined
  53 (reserved) = undefined
  54 (reserved) = undefined
  55 (reserved) = undefined
  56 (reserved) = undefined
  57 (reserved) = undefined
  58 (reserved) = undefined
  59 (reserved) = undefined
  60 (reserved) = undefined
  61 (reserved) = undefined
  62 (reserved) = undefined
  63 (reserved) = undefined
  64 (reserved) = undefined
  65 (reserved) = undefined
  66 (reserved) = undefined
  67 (reserved) = undefined
  68 (reserved) = undefined
  69 (reserved) = undefined
  70 (reserved) = undefined
  71 (reserved) = undefined
  72 (reserved) = undefined
  73 (reserved) = undefined
  74 (reserved) = undefined
  75 (reserved) = undefined
  76 (reserved) = undefined
  77 (reserved) = undefined
  78 (reserved) = undefined
  79 (reserved) = undefined
  80 (reserved) = undefined
  81 (reserved) = <function Object at 0x7fffddce7e80 (JSFunction at 0x7fffddce7e80)>
  82 (reserved) = <function Function at 0x7fffddce7b00 (JSFunction at 0x7fffddce7b00)>
  83 (reserved) = undefined
  84 (reserved) = undefined
  85 (reserved) = undefined
  86 (reserved) = undefined
  87 (reserved) = undefined
  88 (reserved) = undefined
  89 (reserved) = undefined
  90 (reserved) = undefined
  91 (reserved) = undefined
  92 (reserved) = undefined
  93 (reserved) = undefined
  94 (reserved) = undefined
  95 (reserved) = undefined
  96 (reserved) = undefined
  97 (reserved) = undefined
  98 (reserved) = undefined
  99 (reserved) = undefined
 100 (reserved) = undefined
 101 (reserved) = undefined
 102 (reserved) = undefined
 103 (reserved) = undefined
 104 (reserved) = undefined
 105 (reserved) = undefined
 106 (reserved) = undefined
 107 (reserved) = undefined
 108 (reserved) = undefined
 109 (reserved) = undefined
 110 (reserved) = undefined
 111 (reserved) = undefined
 112 (reserved) = undefined
 113 (reserved) = undefined
 114 (reserved) = undefined
 115 (reserved) = undefined
 116 (reserved) = undefined
 117 (reserved) = undefined
 118 (reserved) = undefined
 119 (reserved) = undefined
 120 (reserved) = undefined
 121 (reserved) = <unnamed function at 0x7fffddce7e00 (JSFunction at 0x7fffddce7e00)>
 122 (reserved) = <RegExpStatics object at 0x7fffddc9a168>
 123 = <function eval at 0x7fffddce9c80 (JSFunction at 0x7fffddce9c80)>
 124 = <nsXPCComponents object at 0x7fffddc9e1b8>
 125 = <function XPCNativeWrapper at 0x7fffddce9d00 (JSFunction at 0x7fffddce9d00)>
 126 = <Proxy object at 0x7fffddc93068>
 127 = <Object at 0x7fffddc9a240>
 128 = <JSOptions object at 0x7fffddc9a318>
 129 = <DOMPrototype object at 0x7fffddc9e2c0>
 130 = <DOMPrototype object at 0x7fffddc9e318>
 131 = <DOMPrototype object at 0x7fffddc9e370>
 132 = <HTMLDocument object at 0x7fffddc9e3c8>
 133 = <DOMPrototype object at 0x7fffddc9e478>
 134 = undefined
 135 = undefined
 136 = <function f at 0x7fffddc95200 (JSFunction at 0x7fffddc95200)>

and after the call (when the compartment has changed):

object 0x7fffddc9a120
class 0x7fffde1d02c8 Window
flags: delegate branded own_shape has_equality inDictionaryMode hasPropertyTable
properties:
    enumerate "z": slot 177
    permanent "MutationEvent": slot 176
    permanent "HTMLHeadElement": slot 175
    permanent "HTMLStyleElement": slot 174
    permanent "StyleSheetList": slot 173
    permanent "Event": slot 172
    permanent "PageTransitionEvent": slot 171
    permanent "MozURLProperty": slot 170
    enumerate permanent "location": slot 169
    permanent "Controllers": slot 168
    permanent "XULControllers": slot 167
    permanent "Crypto": slot 166
    permanent "History": slot 165
    permanent "Screen": slot 164
    enumerate readonly permanent "navigator": slot 163
    permanent "Navigator": slot 162
    permanent "OfflineResourceList": slot 161
    permanent "BarProp": slot 160
    getter setter shared "moz_indexedDB": slot -1
    permanent "IDBFactory": slot 159
    permanent "Storage": slot 158
    permanent "StorageList": slot 157
    permanent "DOMException": slot 156
    "URIError": slot 155
    "TypeError": slot 154
    "SyntaxError": slot 153
    "ReferenceError": slot 152
    "RangeError": slot 151
    "EvalError": slot 150
    "InternalError": slot 149
    "Error": slot 148
    enumerate "InstallTrigger": slot 147
    enumerate "toString": slot 146
    enumerate "getInterface": slot 145
    enumerate "constructor": slot 144
    permanent "Window": slot 143
    permanent "HTMLScriptElement": slot 142
    permanent "HTMLCollection": slot 141
    permanent "Element": slot 140
    permanent "HTMLElement": slot 139
    permanent "HTMLHtmlElement": slot 138
    permanent "WindowUtils": slot 137
    enumerate permanent "f": slot 136
    enumerate permanent "y": slot 135
    enumerate permanent "x": slot 134
    permanent "Location": slot 133
    enumerate readonly "document": slot 132
    permanent "Node": slot 131
    permanent "Document": slot 130
    permanent "HTMLDocument": slot 129
    "_options": slot 128
    "netscape": slot 127
    enumerate readonly permanent "window": slot 126
    readonly permanent "XPCNativeWrapper": slot 125
    readonly permanent "Components": slot 124
    "eval": slot 123
    "Object": slot 81
    "Function": slot 82
proto <XPC_WN_ModsAllowed_NoCall_Proto_JSClass object at 0x7fffddc9e108>
parent null
private 0x7fffd6983cf0
slots:
   0 (reserved) = undefined
   1 (reserved) = <function Object at 0x7fffddce7e80 (JSFunction at 0x7fffddce7e80)>
   2 (reserved) = <function Function at 0x7fffddce7b00 (JSFunction at 0x7fffddce7b00)>
   3 (reserved) = undefined
   4 (reserved) = undefined
   5 (reserved) = undefined
   6 (reserved) = undefined
   7 (reserved) = undefined
   8 (reserved) = undefined
   9 (reserved) = undefined
  10 (reserved) = undefined
  11 (reserved) = undefined
  12 (reserved) = undefined
  13 (reserved) = undefined
  14 (reserved) = undefined
  15 (reserved) = undefined
  16 (reserved) = <function Error at 0x7fffd6b88580 (JSFunction at 0x7fffd6b88580)>
  17 (reserved) = <function InternalError at 0x7fffd6b88600 (JSFunction at 0x7fffd6b88600)>
  18 (reserved) = <function EvalError at 0x7fffd6b88680 (JSFunction at 0x7fffd6b88680)>
  19 (reserved) = <function RangeError at 0x7fffd6b88700 (JSFunction at 0x7fffd6b88700)>
  20 (reserved) = <function ReferenceError at 0x7fffd6b88780 (JSFunction at 0x7fffd6b88780)>
  21 (reserved) = <function SyntaxError at 0x7fffd6b88800 (JSFunction at 0x7fffd6b88800)>
  22 (reserved) = <function TypeError at 0x7fffd6b88880 (JSFunction at 0x7fffd6b88880)>
  23 (reserved) = <function URIError at 0x7fffd6b88900 (JSFunction at 0x7fffd6b88900)>
  24 (reserved) = undefined
  25 (reserved) = undefined
  26 (reserved) = undefined
  27 (reserved) = undefined
  28 (reserved) = undefined
  29 (reserved) = undefined
  30 (reserved) = undefined
  31 (reserved) = undefined
  32 (reserved) = undefined
  33 (reserved) = undefined
  34 (reserved) = undefined
  35 (reserved) = undefined
  36 (reserved) = undefined
  37 (reserved) = undefined
  38 (reserved) = undefined
  39 (reserved) = undefined
  40 (reserved) = undefined
  41 (reserved) = <Object at 0x7fffddc9a1b0>
  42 (reserved) = <unnamed function at 0x7fffddce7a80 (JSFunction at 0x7fffddce7a80)>
  43 (reserved) = undefined
  44 (reserved) = undefined
  45 (reserved) = undefined
  46 (reserved) = undefined
  47 (reserved) = undefined
  48 (reserved) = undefined
  49 (reserved) = undefined
  50 (reserved) = undefined
  51 (reserved) = undefined
  52 (reserved) = undefined
  53 (reserved) = undefined
  54 (reserved) = undefined
  55 (reserved) = undefined
  56 (reserved) = <Error object at 0x7fffddc9a558>
  57 (reserved) = <Error object at 0x7fffddc9a5a0>
  58 (reserved) = <Error object at 0x7fffddc9a5e8>
  59 (reserved) = <Error object at 0x7fffddc9a630>
  60 (reserved) = <Error object at 0x7fffddc9a678>
  61 (reserved) = <Error object at 0x7fffddc9a6c0>
  62 (reserved) = <Error object at 0x7fffddc9a708>
  63 (reserved) = <Error object at 0x7fffddc9a750>
  64 (reserved) = undefined
  65 (reserved) = undefined
  66 (reserved) = undefined
  67 (reserved) = undefined
  68 (reserved) = undefined
  69 (reserved) = undefined
  70 (reserved) = undefined
  71 (reserved) = undefined
  72 (reserved) = undefined
  73 (reserved) = undefined
  74 (reserved) = undefined
  75 (reserved) = undefined
  76 (reserved) = undefined
  77 (reserved) = undefined
  78 (reserved) = undefined
  79 (reserved) = undefined
  80 (reserved) = undefined
  81 (reserved) = <function Object at 0x7fffddce7e80 (JSFunction at 0x7fffddce7e80)>
  82 (reserved) = <function Function at 0x7fffddce7b00 (JSFunction at 0x7fffddce7b00)>
  83 (reserved) = undefined
  84 (reserved) = undefined
  85 (reserved) = undefined
  86 (reserved) = undefined
  87 (reserved) = undefined
  88 (reserved) = undefined
  89 (reserved) = undefined
  90 (reserved) = undefined
  91 (reserved) = undefined
  92 (reserved) = undefined
  93 (reserved) = undefined
  94 (reserved) = undefined
  95 (reserved) = undefined
  96 (reserved) = undefined
  97 (reserved) = undefined
  98 (reserved) = undefined
  99 (reserved) = undefined
 100 (reserved) = undefined
 101 (reserved) = undefined
 102 (reserved) = undefined
 103 (reserved) = undefined
 104 (reserved) = undefined
 105 (reserved) = undefined
 106 (reserved) = undefined
 107 (reserved) = undefined
 108 (reserved) = undefined
 109 (reserved) = undefined
 110 (reserved) = undefined
 111 (reserved) = undefined
 112 (reserved) = undefined
 113 (reserved) = undefined
 114 (reserved) = undefined
 115 (reserved) = undefined
 116 (reserved) = undefined
 117 (reserved) = undefined
 118 (reserved) = undefined
 119 (reserved) = undefined
 120 (reserved) = undefined
 121 (reserved) = <unnamed function at 0x7fffddce7e00 (JSFunction at 0x7fffddce7e00)>
 122 (reserved) = <RegExpStatics object at 0x7fffddc9a168>
 123 = <function eval at 0x7fffddce9c80 (JSFunction at 0x7fffddce9c80)>
 124 = <nsXPCComponents object at 0x7fffddc9e1b8>
 125 = <function XPCNativeWrapper at 0x7fffddce9d00 (JSFunction at 0x7fffddce9d00)>
 126 = <Proxy object at 0x7fffddc93068>
 127 = <Object at 0x7fffddc9a240>
 128 = <JSOptions object at 0x7fffddc9a318>
 129 = <DOMPrototype object at 0x7fffddc9e2c0>
 130 = <DOMPrototype object at 0x7fffddc9e318>
 131 = <DOMPrototype object at 0x7fffddc9e370>
 132 = <HTMLDocument object at 0x7fffddc9e3c8>
 133 = <DOMPrototype object at 0x7fffddc9e478>
 134 = 5
 135 = 3
 136 = <function f at 0x7fffddc95200 (JSFunction at 0x7fffddc95200)>
 137 = <DOMPrototype object at 0x7fffddc9e630>
 138 = <DOMPrototype object at 0x7fffddc9e738>
 139 = <DOMPrototype object at 0x7fffddc9e7e8>
 140 = <DOMPrototype object at 0x7fffddc9e898>
 141 = <DOMPrototype object at 0x7fffddc9e9a0>
 142 = <DOMPrototype object at 0x7fffddc9eb00>
 143 = <DOMPrototype object at 0x7fffddc9ec08>
 144 = <DOMPrototype object at 0x7fffddc9ec08>
 145 = <function getInterface at 0x7fffd6b83e00 (JSFunction at 0x7fffd6b83e00)>
 146 = <Proxy object at 0x7fffddc1fc38>
 147 = <Proxy object at 0x7fffddc93a90>
 148 = <function Error at 0x7fffd6b88580 (JSFunction at 0x7fffd6b88580)>
 149 = <function InternalError at 0x7fffd6b88600 (JSFunction at 0x7fffd6b88600)>
 150 = <function EvalError at 0x7fffd6b88680 (JSFunction at 0x7fffd6b88680)>
 151 = <function RangeError at 0x7fffd6b88700 (JSFunction at 0x7fffd6b88700)>
 152 = <function ReferenceError at 0x7fffd6b88780 (JSFunction at 0x7fffd6b88780)>
 153 = <function SyntaxError at 0x7fffd6b88800 (JSFunction at 0x7fffd6b88800)>
 154 = <function TypeError at 0x7fffd6b88880 (JSFunction at 0x7fffd6b88880)>
 155 = <function URIError at 0x7fffd6b88900 (JSFunction at 0x7fffd6b88900)>
 156 = <DOMPrototype object at 0x7fffddc9ecb8>
 157 = <DOMPrototype object at 0x7fffddc9edc0>
 158 = <DOMPrototype object at 0x7fffddc9eec8>
 159 = <DOMPrototype object at 0x7fffd6b1b058>
 160 = <DOMPrototype object at 0x7fffd6b1b160>
 161 = <DOMPrototype object at 0x7fffd6b1b268>
 162 = <DOMPrototype object at 0x7fffd6b1b370>
 163 = <Navigator object at 0x7fffd6b1b3c8>
 164 = <DOMPrototype object at 0x7fffd6b1b478>
 165 = <DOMPrototype object at 0x7fffd6b1b580>
 166 = <DOMPrototype object at 0x7fffd6b1b840>
 167 = <DOMPrototype object at 0x7fffd6b1b948>
 168 = <DOMPrototype object at 0x7fffd6b1b9a0>
 169 = <Proxy object at 0x7fffddc93270>
 170 = <DOMPrototype object at 0x7fffd6b1baa8>
 171 = <DOMPrototype object at 0x7fffd5153108>
 172 = <DOMPrototype object at 0x7fffd51531b8>
 173 = <DOMPrototype object at 0x7fffd51532c0>
 174 = <DOMPrototype object at 0x7fffd51533c8>
 175 = <DOMPrototype object at 0x7fffd5153528>
 176 = <DOMPrototype object at 0x7fffd5153630>
 177 = 0.333333

I couldn't get a good snapshot of when cx's compartment gets reverted from C2 back to C1, because it changes repeatedly due to cross-compartment calls. I suppose I could set a hardware watchpoint that dumps the stack and continues, so I could catch the last one, but I'm out of time to play at the moment. And gdb doesn't do very good backtraces when JM is on the stack, at least for x86_64.
If I were you, I'd do printf debugging; you should be able to print the obj pointer, cx pointer, compartment and whatever change request is floating around. After you crash you can go back and pair things up.
Here's the stack for the last time cx->compartment got reverted to C1. Hopefully it means something to somebody.

#0  JSContext::resetCompartment (this=0x7fffde414400) at /home/sfink/src/TM-singlestep/js/src/jscntxt.cpp:2067
#1  0x00007ffff46e9847 in JSContext::setCurrentRegs (this=0x7fffde414400, regs=0x0) at /home/sfink/src/TM-singlestep/js/src/jscntxt.h:1967
#2  0x00007ffff46fc660 in JSContext::popSegmentAndFrame (this=0x7fffde414400) at /home/sfink/src/TM-singlestep/js/src/jscntxt.cpp:2097
#3  0x00007ffff46f8431 in js::StackSpace::popSegmentAndFrame (this=0x7fffe9602028, cx=0x7fffde414400) at /home/sfink/src/TM-singlestep/js/src/jscntxt.cpp:341
#4  0x00007ffff46f8507 in js::FrameGuard::~FrameGuard (this=0x7fffffffc760, __in_chrg=<value optimized out>) at /home/sfink/src/TM-singlestep/js/src/jscntxt.cpp:351
#5  0x00007ffff4791822 in js::ExecuteFrameGuard::~ExecuteFrameGuard (this=0x7fffffffc760, __in_chrg=<value optimized out>) at /home/sfink/src/TM-singlestep/js/src/jscntxt.h:558
#6  0x00007ffff478ea81 in js::Execute (cx=0x7fffde414400, chain=0x7fffda5a5120, script=0x7fffdb8a1bc0, prev=0x0, flags=0, result=0x0) at /home/sfink/src/TM-singlestep/js/src/jsinterp.cpp:1016
#7  0x00007ffff46c795b in JS_EvaluateUCScriptForPrincipals (cx=0x7fffde414400, obj=0x7fffda5a5120, principals=0x7fffde248ee8, chars=0x7fffd894e2c8, length=154, filename=0x7fffe2a0f108 "file:///home/sfink/src/TM-singlestep/sample2.html", lineno=4, rval=0x0) at /home/sfink/src/TM-singlestep/js/src/jsapi.cpp:4877
#8  0x00007ffff46c7739 in JS_EvaluateUCScriptForPrincipalsVersion (cx=0x7fffde414400, obj=0x7fffda5a5120, principals=0x7fffde248ee8, chars=0x7fffd894e2c8, length=154, filename=0x7fffe2a0f108 "file:///home/sfink/src/TM-singlestep/sample2.html", lineno=4, rval=0x0, version=JSVERSION_DEFAULT) at /home/sfink/src/TM-singlestep/js/src/jsapi.cpp:4851
#9  0x00007ffff5d87c4c in nsJSContext::EvaluateString (this=0x7fffde5e8dd0, aScript=..., aScopeObject=0x7fffda5a5120, aPrincipal=0x7fffde248ee0, aURL=0x7fffe2a0f108 "file:///home/sfink/src/TM-singlestep/sample2.html", aLineNo=4, aVersion=0, aRetValue=0x0, aIsUndefined=0x7fffffffcb7c) at /home/sfink/src/TM-singlestep/dom/base/nsJSEnvironment.cpp:1731
#10 0x00007ffff5ad6f1f in nsScriptLoader::EvaluateScript (this=0x7fffde2f9400, aRequest=0x7fffd89ad820, aScript=...) at /home/sfink/src/TM-singlestep/content/base/src/nsScriptLoader.cpp:873
#11 0x00007ffff5ad6845 in nsScriptLoader::ProcessRequest (this=0x7fffde2f9400, aRequest=0x7fffd89ad820) at /home/sfink/src/TM-singlestep/content/base/src/nsScriptLoader.cpp:772
#12 0x00007ffff5ad6517 in nsScriptLoader::ProcessScriptElement (this=0x7fffde2f9400, aElement=0x7fffddd886d0) at /home/sfink/src/TM-singlestep/content/base/src/nsScriptLoader.cpp:718
#13 0x00007ffff5ad2ad7 in nsScriptElement::MaybeProcessScript (this=0x7fffddd886d0) at /home/sfink/src/TM-singlestep/content/base/src/nsScriptElement.cpp:167
#14 0x00007ffff5c25d3a in nsHTMLScriptElement::MaybeProcessScript (this=0x7fffddd88660) at /home/sfink/src/TM-singlestep/content/html/content/src/nsHTMLScriptElement.cpp:583
#15 0x00007ffff5c259fe in nsHTMLScriptElement::DoneAddingChildren (this=0x7fffddd88660, aHaveNotified=1) at /home/sfink/src/TM-singlestep/content/html/content/src/nsHTMLScriptElement.cpp:510
#16 0x00007ffff5f7d2df in nsHtml5TreeOpExecutor::RunScript (this=0x7fffd89a0560, aScriptElement=0x7fffddd88660) at /home/sfink/src/TM-singlestep/parser/html/nsHtml5TreeOpExecutor.cpp:730
#17 0x00007ffff5f7c920 in nsHtml5TreeOpExecutor::RunFlushLoop (this=0x7fffd89a0560) at /home/sfink/src/TM-singlestep/parser/html/nsHtml5TreeOpExecutor.cpp:525
#18 0x00007ffff5f83820 in nsHtml5ExecutorFlusher::Run() () from /home/sfink/src/TM-singlestep/obj/dist/bin/libxul.so
#19 0x00007ffff6b683fc in nsThread::ProcessNextEvent (this=0x7fffebd04d80, mayWait=0, result=0x7fffffffd5fc) at /home/sfink/src/TM-singlestep/xpcom/threads/nsThread.cpp:626
#20 0x00007ffff6af1fb4 in NS_ProcessNextEvent_P (thread=0x7fffebd04d80, mayWait=0) at nsThreadUtils.cpp:250
#21 0x00007ffff693794a in mozilla::ipc::MessagePump::Run (this=0x7fffebd14080, aDelegate=0x7fffebd251c0) at /home/sfink/src/TM-singlestep/ipc/glue/MessagePump.cpp:110
#22 0x00007ffff6bd1f13 in MessageLoop::RunInternal (this=0x7fffebd251c0) at /home/sfink/src/TM-singlestep/ipc/chromium/src/base/message_loop.cc:219
#23 0x00007ffff6bd1e98 in MessageLoop::RunHandler (this=0x7fffebd251c0) at /home/sfink/src/TM-singlestep/ipc/chromium/src/base/message_loop.cc:202
#24 0x00007ffff6bd1e29 in MessageLoop::Run (this=0x7fffebd251c0) at /home/sfink/src/TM-singlestep/ipc/chromium/src/base/message_loop.cc:176
#25 0x00007ffff67d129d in nsBaseAppShell::Run (this=0x7ffff2cfacc0) at /home/sfink/src/TM-singlestep/widget/src/xpwidgets/nsBaseAppShell.cpp:192
#26 0x00007ffff651801d in nsAppStartup::Run (this=0x7fffe90b39c0) at /home/sfink/src/TM-singlestep/toolkit/components/startup/src/nsAppStartup.cpp:191
#27 0x00007ffff542218a in XRE_main (argc=5, argv=0x7fffffffe258, aAppData=0x7ffff2c27080) at /home/sfink/src/TM-singlestep/toolkit/xre/nsAppRunner.cpp:3691
#28 0x0000000000401d0c in main (argc=5, argv=0x7fffffffe258) at /home/sfink/src/TM-singlestep/browser/app/nsBrowserApp.cpp:158

I don't know anything about this stuff, but it sort of looks like the cx->compartment reversion would be fine if script were truly done executing. But LAST_FRAME_CHECKS can still execute code, so LAST_FRAME_CHECKS should somehow be within the scope of the ExecuteFrameGuard.

Or maybe I'm just totally off base. I don't understand why it's so hard to trigger.
Blocks: compartments
blocking2.0: ? → final+
Whiteboard: [compartments][firebug-p1]
Depends on: 618871
Keywords: regression
Assignee: general → sphink
As of 4ed3025c0be2, the above steps do not appear to crash anymore. With no patches, I was able to trigger the assert from 617870 by hitting random buttons, but with the fix from that applied I was unable to trigger any crash or assert at all.

Are you still able to reproduce this on tip?
This can probably go under 619025 as this is more of a systemic issue.
This looks like the result of a broken patch to fix 609141 , I have a fix in that bug and I can't seem to get any more compartment mismatches.
Now that I untangled my hg tree (I somehow managed to set my default to pull from myself!), I've updated and have 4ed3025c0be2. Currently, I'm at 9aa8c290f633.

I still get the same crash with what I thought were the same STR. I'll try applying your bug 609141 fix.
Try with both patches from bug 617870 and bug 609141, I believe both of those cover all compartment mismatch issues.
Attached patch Proposed patch v0 (obsolete) — Splinter Review
These are the patches from bug 617870 and bug 614131 merged, as they would otherwise need to depend on each other. This should resolve this problem as well.
Assignee: sphink → adrake
Status: NEW → ASSIGNED
Blocks: 617870
Blocks: 609141
Comment on attachment 497596 [details] [diff] [review]
Proposed patch v0

You can get the script object and enter with that (nice patch otherwise, thanks!).
Attachment #497596 - Flags: review-
We can't get the script object since it might not exist, so we do that horrible dance to create a dummy global object for the scope chain.
Attachment #497596 - Flags: review?(jorendorff)
Unfortunately, the crash is still 100% reproducible for me with this patch applied. I think this patch is good and still necessary, by the way, but it unfortunately doesn't fix this particular bug.

adrake: I finally figured out one of the problems I was having yesterday, where I was not stopping at any breakpoints -- I was using a profile that pointed to my modified copy of firebug1.7, which made calls to a new JSD API entry I had added (enableSingleStepping). But I was running with unmodified TM + your patch, so that API entry didn't exist. Doh!

When running with an unmodified firebug1.7, I still see the crash described in this bug, 100% of the time. Well, unless I hit the other bug first:

I also still get the other bug (assertion: *pc == JSOP_GETARG), which still happens if and only if I am using a wired connection. See bug 619369.
Comment on attachment 497596 [details] [diff] [review]
Proposed patch v0

I wish I could think of a way around this, but let's live with it for now. Thanks for taking this.
Attachment #497596 - Flags: review?(jorendorff) → review+
blocking2.0: final+ → beta9+
Depends on: 618549
Alright, I've got it nailed down. Here's the failure mode:

- Enter a nested event loop (such as a "breakpoint hit" context in firebug).
- Try to navigate to any page in the same tab.
- The following partial stack happens when the event triggering the navigation is serviced:

#0  JS_SetGlobalObject (cx=0x7fffde6c2400, obj=0x7fffddcd5068) at /home/adrake/src/tm/js/src/jsapi.cpp:1371
#1  0x00007ffff59206ff in nsJSContext::SetOuterObject (this=0x7fffde6bd2e0, aOuterObject=0x7fffddcd5068) at /home/adrake/src/tm/dom/base/nsJSEnvironment.cpp:2657
#2  0x00007ffff593fe3d in nsGlobalWindow::SetNewDocument (this=0x7fffde6c2000, aDocument=0x7fffd838a800, aState=0x0, aForceReuseInnerWindow=0)
    at /home/adrake/src/tm/dom/base/nsGlobalWindow.cpp:2072
#3  0x00007ffff52b5691 in DocumentViewerImpl::InitInternal (this=0x7fffd8144900, aParentWidget=0x0, aState=0x0, aBounds=..., aDoCreation=1, aNeedMakeCX=1)
    at /home/adrake/src/tm/layout/base/nsDocumentViewer.cpp:956
#4  0x00007ffff52b4370 in DocumentViewerImpl::Init (this=0x7fffd8144900, aParentWidget=0x0, aBounds=...) at /home/adrake/src/tm/layout/base/nsDocumentViewer.cpp:693
#5  0x00007ffff5fcbdd3 in nsDocShell::SetupNewViewer (this=0x7fffde6c1800, aNewViewer=0x7fffd8144900) at /home/adrake/src/tm/docshell/base/nsDocShell.cpp:7622
#6  0x00007ffff5fc4143 in nsDocShell::Embed (this=0x7fffde6c1800, aContentViewer=0x7fffd8144900, aCommand=0x7ffff70c3903 "", aExtraInfo=0x0)
    at /home/adrake/src/tm/docshell/base/nsDocShell.cpp:5716
#7  0x00007ffff5fcab7c in nsDocShell::CreateContentViewer (this=0x7fffde6c1800, aContentType=0x7fffd82c6048 "text/html", request=0x7fffd811af00, aContentHandler=0x7fffd86892b0)
    at /home/adrake/src/tm/docshell/base/nsDocShell.cpp:7409
#8  0x00007ffff5fe676c in nsDSURIContentListener::DoContent (this=0x7fffde6189c0, aContentType=0x7fffd82c6048 "text/html", aIsContentPreferred=0, request=0x7fffd811af00, 
    aContentHandler=0x7fffd86892b0, aAbortProcess=0x7fffffff5eac) at /home/adrake/src/tm/docshell/base/nsDSURIContentListener.cpp:148
#9  0x00007ffff5feef14 in nsDocumentOpenInfo::TryContentListener (this=0x7fffd8689290, aListener=0x7fffde6189c0, aChannel=0x7fffd811af00)
    at /home/adrake/src/tm/uriloader/base/nsURILoader.cpp:757
#10 0x00007ffff5fedb09 in nsDocumentOpenInfo::DispatchContent (this=0x7fffd8689290, request=0x7fffd811af00, aCtxt=0x0) at /home/adrake/src/tm/uriloader/base/nsURILoader.cpp:455
#11 0x00007ffff5fed0ab in nsDocumentOpenInfo::OnStartRequest (this=0x7fffd8689290, request=0x7fffd811af00, aCtxt=0x0) at /home/adrake/src/tm/uriloader/base/nsURILoader.cpp:295
#12 0x00007ffff4ff8a11 in nsBaseChannel::OnStartRequest (this=0x7fffd811aeb0, request=0x7fffd85c1780, ctxt=0x0) at /home/adrake/src/tm/netwerk/base/src/nsBaseChannel.cpp:712
#13 0x00007ffff500d7f4 in nsInputStreamPump::OnStateStart (this=0x7fffd85c1780) at /home/adrake/src/tm/netwerk/base/src/nsInputStreamPump.cpp:441
#14 0x00007ffff500d61a in nsInputStreamPump::OnInputStreamReady (this=0x7fffd85c1780, stream=0x7fffd85b9cf8) at /home/adrake/src/tm/netwerk/base/src/nsInputStreamPump.cpp:397
#15 0x00007ffff66cc225 in nsInputStreamReadyEvent::Run (this=0x7fffd82be780) at /home/adrake/src/tm/xpcom/io/nsStreamUtils.cpp:112
#16 0x00007ffff66f781e in nsThread::ProcessNextEvent (this=0x7fffeb202d80, mayWait=1, result=0x7fffffff658c) at /home/adrake/src/tm/xpcom/threads/nsThread.cpp:626
#17 0x00007ffff6681268 in NS_ProcessNextEvent_P (thread=0x7fffeb202d80, mayWait=1) at nsThreadUtils.cpp:250
#18 0x00007ffff61cdeea in jsdService::EnterNestedEventLoop (this=0x7fffe375f860, callback=0x7fffd922a0a0, _rval=0x7fffffff6858) at /home/adrake/src/tm/js/jsd/jsd_xpc.cpp:3021

As part of preparing the tab to load a new page, it sets a new global object on the JSContext. This new global object is in a different compartment.

- When the event finishes servicing, the nested event loop terminates.
- The call to the top level original page script Execute returns. As the stack is now empty, the context compartment is loaded from the global object. 
- Code beyond the Execute call attempts to access a value, say:

#15 0x00007ffff47ab12b in js_ReportUncaughtException (cx=0x7fffe4e0f400) at /home/sfink/src/.TM-3/js/src/jsexn.cpp:1243

- Death by compartment mismatch assertion on the attempt to stringify the exception:

#8  0x00007ffff4800f64 in js::CallJSNative (cx=0x7fffe4e0f400, native=0x7ffff47a9e08 <exn_toString(JSContext*, uintN, js::Value*)>, argc=0, vp=0x7fffe84fd038) at /home/sfink/src/.TM-3/js/src/jscntxtinlines.h:683

The quickest workaround is to add wrapException after js::Execute in JS_EvaluateUCScriptForPrincipals and JS_ExecuteScript so we can never trip and die from being forced into a new compartment from a nested event loop. Attached is a patch that does exactly this.

This is probably not a complete fix -- does the return value need to be wrapped as well?

(This fixes the issue described for me. sfink?)
Attachment #497596 - Attachment is obsolete: true
adrake is awesome! Thanks!

Yes, it fixes it for me. (Nice to have a 100% reproducible crash for once.)

What I understand of your explanation makes sense to me and matches what I found when digging through the problem in the debugger. I'm still too shaky on the interaction between contexts, compartments, and globals to connect the dots like you did, though.

Or to determine whether this is the right fix. It seems fine for the exception parts. Wrapping the return value with a doomed compartment seems iffier. It kind of feels like the problem is in

"As the stack is now empty, the context compartment is loaded from the global object."

The JS stack is empty, but it's not really quite "done". There's some C++ stack that doesn't get taken into account.

But I don't know what I'm talking about, so I'll shut up and let someone who does offer an opinion.

mrbkap? gal?
Whiteboard: [compartments][firebug-p1] → [compartments][firebug-p1][hardblocker]
Attachment #497596 - Flags: review?(gal)
Attachment #498051 - Flags: review?(gal)
blocking2.0: beta9+ → betaN+
Comment on attachment 498051 [details] [diff] [review]
WIP fix for crash described in comments

># HG changeset patch
># Parent a1dc2018b3e3b4d959435c83d596ded9649a556f
>diff -r a1dc2018b3e3 -r 99232cc00a8a js/src/jsapi.cpp
>--- a/js/src/jsapi.cpp	Wed Dec 15 13:11:30 2010 -0800
>+++ b/js/src/jsapi.cpp	Thu Dec 16 00:35:18 2010 -0800
>@@ -4928,6 +4928,7 @@
>     /* This should receive only scripts handed out via the JSAPI. */
>     JS_ASSERT(script->u.object);
>     ok = Execute(cx, obj, script, NULL, 0, Valueify(rval));
>+    cx->compartment->wrapException(cx);
>     LAST_FRAME_CHECKS(cx, ok);
>     return ok;
> }
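Review bot: the bool returned by `cx->compartment->wrapException(cx)` on the added line is silently dropped, so a failed rewrap leaves the function returning `ok` as if the pending exception were valid in cx->compartment. Either fold the result into `ok` or, if ignoring it is intentional, write `(void) cx->compartment->wrapException(cx);` with a comment explaining why the compartment can differ from the one Execute started in (a nested event loop changing the global) and why the return value does not matter here. Note also that this only protects the two JSAPI entry points touched by this patch; any other caller of Execute sees the same mismatch.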
>@@ -4975,6 +4976,7 @@
>         return JS_FALSE;
>     }
>     ok = Execute(cx, obj, script, NULL, 0, Valueify(rval));
>+    cx->compartment->wrapException(cx);
>     LAST_FRAME_CHECKS(cx, ok);
>     js_DestroyScript(cx, script);
>     return ok;
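Review bot: only the exception is rewrapped here; `rval`, filled in by `Execute(cx, obj, script, NULL, 0, Valueify(rval))` on the preceding line, is handed back to the caller untouched, so if cx->compartment changed during Execute the result value is in the wrong compartment in exactly the way the exception was. Either wrap `*Valueify(rval)` for cx->compartment when `ok && rval`, or add a comment stating why the return value cannot be affected by the compartment change. The `js_DestroyScript(cx, script)` that follows also runs after the compartment may have changed, which deserves a comment as well.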

This is not the right place to do this. Let's dig deeper. The invariant cx->compartment == cx->exception->compartment() must never be violated. Where did that happen? (note: I just fixed a related bug, watch out for dups).
Attachment #498051 - Flags: review?(gal) → review-
I haven't actually tried a run watching specifically that, but just to recap what I *think* is happening:

1. you're on page 1
2. you navigate to page 2 while page 1 still has stuff on the stack
3. while returning from that stack, an exception is set (with cx->exception->compartment() set to page 1's compartment, I suppose)
4. when the stack is emptied, cx->compartment is switched to page 2's compartment
5. LAST_FRAME_CHECKS observes the compartment mismatch

Only it doesn't normally happen; I haven't been able to reproduce without following the exact STR in this bug.

I'll try it again, taking note of cx->exception->compartment(). (I didn't realize that's where exceptions hang off.)
Ok, I think resetCompartment() doesn't wrap exception then. I just fixed this bug. The patch is up for review.

https://bugzilla.mozilla.org/show_bug.cgi?id=621845

Want to try that patch and if it fixes this bug, please dup it? (and thanks for looking into this!)
I'll have to try it tomorrow. I applied the patch and recompiled just js/src/, and I'm getting an immediate crash. But I noticed that patch touches more stuff; I just don't have time right now to do a full rebuild. I'm attaching the stack of the crash in the remote chance that it's helpful.
Attached file Latest crash
The full rebuild fixed that crash I posted, so ignore it.

The patch moves the problem. Now it gets an assertion failure in jsd_GetException() instead, called from a Firebug-installed exception observer.

*** Compartment mismatch 0x7fffe938f000 vs. 0x7fffe95bc000

Stack is attached. 0x7fffe938f000 is page 2's compartment. 0x7fffe95bc000 is the compartment on the exception. (0x7fffdd811000 is JSD's dumbContext compartment, but it doesn't show up.) I assume 0x7fffe95bc000 is page 1's compartment?
Attachment #501613 - Attachment is obsolete: true
Steve, that sounds much better. Sounds like you have to enter that compartment there and possibly wrap the value as you leave the compartment.
I'm not so sure of that. I don't see anywhere in the JSD stuff where I could wrap it usefully. I think it's just reporting a preexisting compartment mismatch between the context and its exception.

Specifically, what appears to be happening is that we do a nsXPCWrappedJSClass::CallMethod. Upon entry, there's a pending exception in the context (this is invoked from jsds_ErrorHookProc). During the execution of the method, cx->compartment gets changed. That's enough to make it fall down go boom, because CallMethod has an AutoScriptEvaluate RAII that saves and restores the exception state. But the exception state being restored is from the old context.

If I hack JS_RestoreExceptionState to wrap with the new compartment, the crash goes away. But that feels like it may be a pretty big hammer.

Alternatively, I could make jsds_ErrorHookProc save and restore the exception, rewrapping if needed. I'm not sure if I would need to do it for every hook call, though. (Because any hook call can spin a nested event loop, which can result in a page navigation, which can result in the context's compartment changing.)

Yeah, I tried that, and just died a little further along. Oh, yuck -- I'd need to do it in the JSD C code.

Or should I perhaps do it in AutoScriptEvaluate? I'll try that next. That's probably the least messy.

Related question: in AutoCompartment::enter(), why does it abort if wrapException() returns false? (it undoes its work and returns an error if (!pushDummyFrame() || !wrapException())
Attached patch undo wrap on failure (obsolete) — Splinter Review
AutoCompartment::enter was wrapping the exception for the destination compartment, however, since an exception was already pending, it fails to enter, which means AutoCompartment::leave() doesn't get called, which means the exception is left dangling in the wrong compartment.

Without this fix, I am able to repro the assert as described in comment 18; with the patch it works.
Attachment #501876 - Flags: review?(gal)
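A simplified model of the invariant stated in the review above (cx->compartment must match the pending exception's compartment) and of the enter-failure path described in the "undo wrap on failure" comment. This is an added example, not SpiderMonkey code: the struct names, the three enter variants and the sample exception are the example's own, and the "undo" variant is modelled on the patch title and review comment rather than the patch text.

```cpp
#include <cassert>
#include <cstdio>
#include <string>

struct Compartment { std::string name; };

// A value remembers which compartment it belongs to (stand-in for the
// per-compartment wrapper objects the real engine creates).
struct Value {
    const Compartment* compartment;
    std::string payload;
};

struct Context {
    const Compartment* compartment = nullptr;
    bool throwing = false;      // is an exception pending?
    Value exception{nullptr, ""};  // meaningful only when throwing

    // cx->compartment == cx->exception->compartment() must hold whenever
    // an exception is pending.
    bool invariantHolds() const {
        return !throwing || exception.compartment == compartment;
    }
};

// Old interface (as the thread describes it): rewrap the pending exception
// for the current compartment, but report false whenever an exception was
// pending, so callers that treat false as "failed" bail out even though
// the rewrap itself succeeded.
bool wrapExceptionOld(Context& cx) {
    if (!cx.throwing) return true;
    cx.exception.compartment = cx.compartment;
    return false;
}

// Fixed interface: wrapping a pending exception is never a failure.
void wrapExceptionNew(Context& cx) {
    if (cx.throwing) cx.exception.compartment = cx.compartment;
}

// Before the fix: the compartment is restored on "failure" but the
// exception, already rewrapped for dest, is left behind.
bool enterBefore(Context& cx, const Compartment& dest) {
    const Compartment* origin = cx.compartment;
    if (origin == &dest) return true;
    cx.compartment = &dest;
    if (!wrapExceptionOld(cx)) {
        cx.compartment = origin;    // exception still tagged with dest
        return false;
    }
    return true;
}

// "Undo wrap on failure": keep the old interface, but rewrap the exception
// back for origin when bailing out; the return value is ignored on purpose.
bool enterUndo(Context& cx, const Compartment& dest) {
    const Compartment* origin = cx.compartment;
    if (origin == &dest) return true;
    cx.compartment = &dest;
    if (!wrapExceptionOld(cx)) {
        cx.compartment = origin;
        (void) wrapExceptionOld(cx);
        return false;
    }
    return true;
}

// "Better fix": no return value to misread, so entering succeeds and the
// exception always follows cx->compartment.
bool enterAfter(Context& cx, const Compartment& dest) {
    if (cx.compartment == &dest) return true;
    cx.compartment = &dest;
    wrapExceptionNew(cx);
    return true;
}

void leave(Context& cx, const Compartment& origin) {
    cx.compartment = &origin;
    wrapExceptionNew(cx);
}

enum Variant { BEFORE, UNDO, AFTER };

bool enterWith(Variant v, Context& cx, const Compartment& dest) {
    return v == BEFORE ? enterBefore(cx, dest)
         : v == UNDO   ? enterUndo(cx, dest)
                       : enterAfter(cx, dest);
}

// Scenario from the thread: an error hook runs with an exception already
// pending (constructed sample) and tries to enter page 2's compartment.
// Returns whether the invariant holds once control is back in page 1.
bool scenario(Variant v) {
    Compartment page1{"page1"}, page2{"page2"};
    Context cx;
    cx.compartment = &page1;
    cx.throwing = true;
    cx.exception = Value{&page1, "TypeError (constructed sample)"};
    if (enterWith(v, cx, page2)) leave(cx, page1);
    return cx.invariantHolds();
}

// The follow-up question in the thread: does the hook get to enter at all
// while an exception is pending? Only the fixed interface lets it.
bool hookCanEnter(Variant v) {
    Compartment page1{"page1"}, page2{"page2"};
    Context cx;
    cx.compartment = &page1;
    cx.throwing = true;
    cx.exception = Value{&page1, "x"};
    return enterWith(v, cx, page2);
}

int main() {
    std::printf("invariant holds  before:%d undo:%d after:%d\n",
                scenario(BEFORE), scenario(UNDO), scenario(AFTER));
    std::printf("hook can enter   before:%d undo:%d after:%d\n",
                hookCanEnter(BEFORE), hookCanEnter(UNDO), hookCanEnter(AFTER));
}
```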
Steve, does this fix the asserts you were seeing as well?
Comment on attachment 501876 [details] [diff] [review]
undo wrap on failure

This needs a comment as well, and a (void) to explicitly state with a bold warning that we ignore a return value here.
Attachment #501876 - Flags: review?(gal) → review+
Attached patch better fix — Splinter Review
That's it, this wrapException is a confusing interface (e.g., bug 621845 comment 13).  This patch takes away its return value and, surprise, I saw some further simplifications that can be made.

I also took out the wasSane check b/c, as Andreas pointed out, it can also lead to debug-only compartment mismatches.
Attachment #501876 - Attachment is obsolete: true
Attachment #501905 - Flags: review?(gal)
Attachment #501905 - Flags: review?(gal) → review+
sfink: fwiw, I had a patch to change jsd to .cpp. I think it got lost in one of my tree shuffles, but with my module owner hat on I'm willing to endorse a bug which does this.
timeless, do you remember why we didn't switch jsd to C++ earlier? was there a technical reason?
(In reply to comment #29)
> Created attachment 501876 [details] [diff] [review]
> undo wrap on failure
> 
> AutoCompartment::enter was wrapping the exception for the destination
> compartment, however, since an exception was already pending, it fails to
> enter, which means AutoCompartment::leave() doesn't get called, which means the
> exception is left dangling in the wrong compartment.
> 
> Without this fix, I am able to repro the assert as described in comment 18;
> with the patch it works.

Sorry for the delay. Yes, it works with this patch for me too.

I can't believe I was staring at the exact same chunk of code but didn't see it.

One remaining question, though -- if AutoCompartment::enter fails because an exception is pending, then is that going to break JSD's ability to run hooks when exceptions are thrown?
Good question, I was wondering about the semantics I was preserving...
http://hg.mozilla.org/tracemonkey/rev/63538367f9aa
Whiteboard: [compartments][firebug-p1][hardblocker] → [compartments][firebug-p1][hardblocker] fixed-in-tracemonkey
http://hg.mozilla.org/mozilla-central/rev/63538367f9aa
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
gal: yes, I couldn't get reviewers for anything in jsd. It's called starvation.
(In reply to comment #39)
> gal: yes, I couldn't get reviewers for anything in jsd. It's called starvation.

I do jsd reviews. Try me next time.

(I kinda suck at feedback processing. I ignore sr? these days.)

/be
Comment on attachment 497596 [details] [diff] [review]
Proposed patch v0

Cleaning up ancient review requests.
Attachment #497596 - Flags: review?(gal)