Closed Bug 650618 Opened 13 years ago Closed 13 years ago

Crash [@ js_ErrorToException] or "Assertion failure: obj->isGlobal()," or "Assertion failure: isGlobal(),"

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla8

People

(Reporter: gkw, Assigned: luke)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [js-triage-done][inbound])

Crash Data

Attachments

(2 files)

stack
4.12 KB, text/plain
Details
give xml objects a parent
2.48 KB, patch
Waldo
: review+
Details | Diff | Splinter Review
Attached file stack 
print(evalcx("#1=@o"))

asserts js debug shell on TM changeset 242947d76f73 without -m nor -j at Assertion failure: obj->isGlobal(),
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   67971:f2dca3c21175
user:        Luke Wagner
date:        Fri Apr 08 10:52:48 2011 -0700
summary:     Bug 602994 - Preparatory syntactic cleanup (r=waldo)
Blocks: 602994
Pre-existing bug (or not?) caught by new assertions.  The class of the object-with-null-parent-but-not-global is js_AttributeNameClass.  Hey, Waldo is already cc'd!
No longer blocks: 602994
Which follows from the fact that NewXMLAttributeName passes NULL as parent.  Looks like other XML things too.  Can we just give these suckers JS_GetGlobalForScopeChain as parent or do XML things really want NULL parents?
This now asserts at:

Assertion failure: isGlobal(),
Summary: "Assertion failure: obj->isGlobal()," → "Assertion failure: obj->isGlobal()," or "Assertion failure: isGlobal(),"
I'd expect we can give them regular parents like everything else.
Comment 0 also crashes js opt shell without any CLI arguments at js_ErrorToException on TM changeset f59568ec0513
Crash Signature: [@ js_ErrorToException]
Summary: "Assertion failure: obj->isGlobal()," or "Assertion failure: isGlobal()," → Crash [@ js_ErrorToException] or "Assertion failure: obj->isGlobal()," or "Assertion failure: isGlobal(),"
Whiteboard: js-triage-needed
Oops, let this drop.
Assignee: general → luke
Status: NEW → ASSIGNED
Attachment #545404 - Flags: review?(jwalden+bmo)
Whiteboard: js-triage-needed → js-triage-done
Comment on attachment 545404 [details] [diff] [review]
give xml objects a parent

Review of attachment 545404 [details] [diff] [review]:
-----------------------------------------------------------------

It's facially possible for GetGlobalForScopeChain to return null, so add null-checks to the calls you're adding, just in case it's possible that might be hit.  (It doesn't seem productive to actually check whether that possibility is real, just for E4X.)
Attachment #545404 - Flags: review?(jwalden+bmo) → review+
I don't think that its actually possible for GetGlobalForScopeChain to return NULL at these sites since, even if cx->globalObject is left NULL, entering a compartment (which must be done to be executing any of this code) will push a dummy frame which provides the scope chain.
I took the liberty of backing out this patch from inbound <http://hg.mozilla.org/integration/mozilla-inbound/rev/66fd359c514e> because I seriously question if we're going to remove the DOM Worker support for at least a while!
In my defense, it all looked fine before the pull rebase :/
(In reply to comment #11)
> In my defense, it all looked fine before the pull rebase :/

Yeah, hg rebase still has some bugs, I guess.  Also, you should reland your patch.  :-)
http://hg.mozilla.org/integration/mozilla-inbound/rev/777a3c916936
Whiteboard: js-triage-done → [js-triage-done][inbound]
http://hg.mozilla.org/mozilla-central/rev/777a3c916936
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla8
E4X has been removed, not adding this test.
Flags: in-testsuite-
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: