Closed Bug 643670 Opened 14 years ago Closed 14 years ago

TI: "Assertion failure: script->compartment->types.inferenceDepth,"

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED

People

(Reporter: gkw, Unassigned)

References

Details

(Keywords: assertion, testcase)

Attachments

(1 file)

stack
8.50 KB, text/plain
Details
Attached file stack
o3 = evalcx("split") function f3(o) { try { new o } catch(e) {} } function f16(o) { Object.getOwnPropertyNames(o); o.__defineGetter__("prototype", function() {}) } for (;;) { new f3(o3); f16(o3) } asserts js debug shell on JM changeset 55f463c562d4 with -m, -a and -n at Assertion failure: script->compartment->types.inferenceDepth
In a couple places we call js_GetScriptedCaller to update its types, which can get a script in another compartment if there was a cross-compartment call. Watch for this, and also add assertions that we don't try to analyze scripts where the script->compartment != cx->compartment. This picked up such an instance in JS_ClearTrap, which may recompile a script from a different compartment. The patch updates cx->compartment around this call (what's the right way to do this?), not sure if this should also go into TM. http://hg.mozilla.org/projects/jaegermonkey/rev/75906fcd8426
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Automatically extracted testcase for this bug was committed: https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: