Closed Bug 643670 Opened 9 years ago Closed 9 years ago

TI: "Assertion failure: script->compartment->types.inferenceDepth,"

Categories: Core :: JavaScript Engine, defect, critical
Platform: x86, macOS
Priority: Not set
Status: RESOLVED FIXED
People: Reporter: gkw, Unassigned
References: Blocks 1 open bug
Keywords: assertion, testcase
Attachments: 1 file (stack)

o3 = evalcx("split")
function f3(o) {
    try {
        new o
    } catch(e) {}
}
function f16(o) {
    Object.getOwnPropertyNames(o);
    o.__defineGetter__("prototype", function() {})
}
for (;;) {
    new f3(o3);
    f16(o3)
}

asserts js debug shell on JM changeset 55f463c562d4 with -m, -a and -n at Assertion failure: script->compartment->types.inferenceDepth

In a couple of places we call js_GetScriptedCaller to update its types, which can get a script in another compartment if there was a cross-compartment call. Watch for this, and also add assertions that we don't try to analyze scripts where the script->compartment != cx->compartment.

This picked up such an instance in JS_ClearTrap, which may recompile a script from a different compartment. The patch updates cx->compartment around this call (what's the right way to do this?), not sure if this should also go into TM.

http://hg.mozilla.org/projects/jaegermonkey/rev/75906fcd8426
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
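
The compartment check and the compartment switch described in the comment above, as an added example that is not the JaegerMonkey patch or SpiderMonkey code. It is a simplified model: every type and function name is hypothetical, and it assumes inference depth is tracked per compartment and raised only on the context's current compartment.

```cpp
#include <cassert>

// Simplified model; every name here is hypothetical, not SpiderMonkey's API.
struct Compartment { int inferenceDepth = 0; };  // > 0 only while inference runs here
struct Script {
    Compartment *compartment;                    // compartment that owns the script
    int typeUpdates = 0;
    explicit Script(Compartment *c) : compartment(c) {}
};
struct Context {
    Compartment *compartment;                    // compartment the context runs in
    explicit Context(Compartment *c) : compartment(c) {}
};

// Inference is entered on the context's current compartment only.
struct AutoEnterInference {
    Compartment *c;
    explicit AutoEnterInference(Context &cx) : c(cx.compartment) { ++c->inferenceDepth; }
    ~AutoEnterInference() { --c->inferenceDepth; }
};

// Temporarily move the context into the compartment that owns a script.
struct AutoSwitchCompartment {
    Context &cx;
    Compartment *saved;
    AutoSwitchCompartment(Context &c, Compartment *target) : cx(c), saved(c.compartment) {
        cx.compartment = target;
    }
    ~AutoSwitchCompartment() { cx.compartment = saved; }
};

// Guarded update: a caller script from another compartment is skipped, so the
// invariant behind the bug's assertion holds for every script that is analyzed.
bool updateCallerTypes(Context &cx, Script *caller) {
    if (!caller || caller->compartment != cx.compartment)
        return false;
    AutoEnterInference enter(cx);
    assert(caller->compartment->inferenceDepth > 0);
    ++caller->typeUpdates;
    return true;
}

// Recompile path (modeled on the JS_ClearTrap case): switch compartments first.
bool recompileForeign(Context &cx, Script *script) {
    AutoSwitchCompartment sw(cx, script->compartment);
    return updateCallerTypes(cx, script);
}

int main() {
    Compartment a, b; Context cx(&a); Script foreign(&b);
    return (!updateCallerTypes(cx, &foreign) && recompileForeign(cx, &foreign)) ? 0 : 1;
}
```
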
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+