Closed
Bug 634236
Opened 15 years ago
Closed 15 years ago
Crash [@ JSCompartment::wrap] or "Assertion failure: isProxy(),"
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
| Tracking | Status | |
|---|---|---|
| blocking2.0 | --- | betaN+ |
People
(Reporter: gkw, Assigned: gal)
References
Details
(5 keywords, Whiteboard: [ccbr][hardblocker][has patch], fixed-in-tracemonkey)
Crash Data
Attachments
(2 files)
|
6.82 KB,
text/plain
|
Details | |
|
645 bytes,
patch
|
mrbkap
:
review+
|
Details | Diff | Splinter Review |
(eval("\
(function(){\
b = {};\
b.__proto__=evalcx('split');\
print(b)\
}\
)\
"))()
asserts js debug shell on TM changeset e25c8949931d without -m nor -j at Assertion failure: isProxy(), and crashes js opt shell at JSCompartment::wrap.
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: 62381:f8bec3eead64
user: Andreas Gal
date: Mon Feb 14 14:19:36 2011 -0800
summary: Bug 633879 - Stop wrappers from holding old scopes alive. r=mrbkap@gmail.com,jst@mozilla.com, a=blocker
|
||
Comment 1•15 years ago
|
||
Recent regression, blocking, hard.
Assignee: general → gal
blocking2.0: ? → betaN+
Whiteboard: [ccbr] → [ccbr][hardblocker]
|
Assignee | |
Comment 2•15 years ago
|
||
Will work on it immediately.
|
|
Assignee | |
Comment 3•15 years ago
|
||
|
|
Assignee | |
Updated•15 years ago
|
Attachment #512534 -
Flags: review?(mrbkap)
|
|
Assignee | |
Updated•15 years ago
|
Whiteboard: [ccbr][hardblocker] → [ccbr][hardblocker][has patch]
|
|
Assignee | |
Comment 4•15 years ago
|
||
Dumb bug, sorry.
|
||
Updated•15 years ago
|
Attachment #512534 -
Flags: review?(mrbkap) → review+
|
|
Assignee | |
Comment 5•15 years ago
|
||
Thanks a ton for the quick turn-around Gary. This helped tremendously.
|
|
Assignee | |
Comment 6•15 years ago
|
||
Whiteboard: [ccbr][hardblocker][has patch] → [ccbr][hardblocker][has patch], fixed-in-tracemonkey
|
|
||
Comment 7•15 years ago
|
||
cdleary-bot mozilla-central merge info:
http://hg.mozilla.org/mozilla-central/rev/532ee628dc4f
|
|
||
Updated•15 years ago
|
Status: NEW → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
|
|
||
Comment 8•15 years ago
|
||
Comment on attachment 512534 [details] [diff] [review]
patch
>diff --git a/js/src/jscompartment.cpp b/js/src/jscompartment.cpp
>--- a/js/src/jscompartment.cpp
>+++ b/js/src/jscompartment.cpp
>@@ -175,17 +175,18 @@ JSCompartment::arenaListsAreEmpty()
> return false;
> }
> return true;
> }
>
> static bool
> IsCrossCompartmentWrapper(JSObject *wrapper)
> {
>- return !!(JSWrapper::wrapperHandler(wrapper)->flags() & JSWrapper::CROSS_COMPARTMENT);
>+ return wrapper->isWrapper() &&
>+ !!(JSWrapper::wrapperHandler(wrapper)->flags() & JSWrapper::CROSS_COMPARTMENT);
Nit: if it's a universal predicate as the type of wrapper implies, s/wrapper/obj/g
/be
|
||
Updated•14 years ago
|
Crash Signature: [@ JSCompartment::wrap]
|
||
Comment 9•13 years ago
|
||
Automatically extracted testcase for this bug was committed:
https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•