Closed Bug 643670 Opened 14 years ago Closed 14 years ago

TI: "Assertion failure: script->compartment->types.inferenceDepth,"

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: gkw, Unassigned)

References

Details

(Keywords: assertion, testcase)

Attachments

(1 file)

stack
8.50 KB, text/plain
Details
Attached file stack 
o3 = evalcx("split")
function f3(o) {
    try {
        new o
    } catch(e) {}
}
function f16(o) {
    Object.getOwnPropertyNames(o);
    o.__defineGetter__("prototype", function() {})
}
for (;;) {
    new f3(o3);
    f16(o3)
}

asserts js debug shell on JM changeset 55f463c562d4 with -m, -a and -n at Assertion failure: script->compartment->types.inferenceDepth
In a couple places we call js_GetScriptedCaller to update its types, which can get a script in another compartment if there was a cross-compartment call.  Watch for this, and also add assertions that we don't try to analyze scripts where the script->compartment != cx->compartment.

This picked up such an instance in JS_ClearTrap, which may recompile a script from a different compartment.  The patch updates cx->compartment around this call (what's the right way to do this?), not sure if this should also go into TM.

http://hg.mozilla.org/projects/jaegermonkey/rev/75906fcd8426
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: