Closed Bug 634236 Opened 13 years ago Closed 13 years ago

Crash [@ JSCompartment::wrap] or "Assertion failure: isProxy(),"

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
blocking2.0 --- betaN+

People

(Reporter: gkw, Assigned: gal)

References

Details

(5 keywords, Whiteboard: [ccbr][hardblocker][has patch], fixed-in-tracemonkey)

Crash Data

Attachments

(2 files)

more info
6.82 KB, text/plain
Details
patch
645 bytes, patch
mrbkap
: review+
Details | Diff | Splinter Review
Attached file more info 
(eval("\
  (function(){\
    b = {};\
    b.__proto__=evalcx('split');\
    print(b)\
    }\
  )\
"))()

asserts js debug shell on TM changeset e25c8949931d without -m nor -j at Assertion failure: isProxy(), and crashes js opt shell at JSCompartment::wrap.


autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   62381:f8bec3eead64
user:        Andreas Gal
date:        Mon Feb 14 14:19:36 2011 -0800
summary:     Bug 633879 - Stop wrappers from holding old scopes alive. r=mrbkap@gmail.com,jst@mozilla.com, a=blocker
Recent regression, blocking, hard.
Assignee: general → gal
blocking2.0: ? → betaN+
Whiteboard: [ccbr] → [ccbr][hardblocker]
Will work on it immediately.
Attached patch patchSplinter Review 

    
  

        Attachment #512534 -
        Flags: review?(mrbkap)

    
  
Whiteboard: [ccbr][hardblocker] → [ccbr][hardblocker][has patch]

    
    

    
  
Dumb bug, sorry.

        Attachment #512534 -
        Flags: review?(mrbkap) → review+

    
    

    
  
Thanks a ton for the quick turn-around Gary. This helped tremendously.

    
    

    
  
http://hg.mozilla.org/tracemonkey/rev/532ee628dc4f
Whiteboard: [ccbr][hardblocker][has patch] → [ccbr][hardblocker][has patch], fixed-in-tracemonkey
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED

    
    

    
  
Comment on attachment 512534 [details] [diff] [review]
patch

>diff --git a/js/src/jscompartment.cpp b/js/src/jscompartment.cpp
>--- a/js/src/jscompartment.cpp
>+++ b/js/src/jscompartment.cpp
>@@ -175,17 +175,18 @@ JSCompartment::arenaListsAreEmpty()
>            return false;
>   }
>   return true;
> }
> 
> static bool
> IsCrossCompartmentWrapper(JSObject *wrapper)
> {
>-    return !!(JSWrapper::wrapperHandler(wrapper)->flags() & JSWrapper::CROSS_COMPARTMENT);
>+    return wrapper->isWrapper() &&
>+           !!(JSWrapper::wrapperHandler(wrapper)->flags() & JSWrapper::CROSS_COMPARTMENT);

Nit: if it's a universal predicate as the type of wrapper implies, s/wrapper/obj/g

/be
Crash Signature: [@ JSCompartment::wrap]

    
    

    
  
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: