Crash [@ js_ErrorToException] or "Assertion failure: obj->isGlobal()," or "Assertion failure: isGlobal(),"

RESOLVED FIXED in mozilla8

Status

()

Core
JavaScript Engine
--
critical
RESOLVED FIXED
6 years ago
5 years ago

People

(Reporter: gkw, Assigned: luke)

Tracking

(Blocks: 1 bug, {assertion, regression, testcase})

Trunk
mozilla8
x86
Linux
assertion, regression, testcase
Points:
---
Bug Flags:
in-testsuite -

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [js-triage-done][inbound], crash signature)

Attachments

(2 attachments)

(Reporter)

Description

6 years ago
Created attachment 526573 [details]
stack

print(evalcx("#1=@o"))

asserts js debug shell on TM changeset 242947d76f73 without -m nor -j at Assertion failure: obj->isGlobal(),
(Reporter)

Comment 1

6 years ago
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   67971:f2dca3c21175
user:        Luke Wagner
date:        Fri Apr 08 10:52:48 2011 -0700
summary:     Bug 602994 - Preparatory syntactic cleanup (r=waldo)
Blocks: 602994
(Assignee)

Comment 2

6 years ago
Pre-existing bug (or not?) caught by new assertions.  The class of the object-with-null-parent-but-not-global is js_AttributeNameClass.  Hey, Waldo is already cc'd!
No longer blocks: 602994
(Assignee)

Comment 3

6 years ago
Which follows from the fact that NewXMLAttributeName passes NULL as parent.  Looks like other XML things too.  Can we just give these suckers JS_GetGlobalForScopeChain as parent or do XML things really want NULL parents?
(Reporter)

Comment 4

6 years ago
This now asserts at:

Assertion failure: isGlobal(),
Summary: "Assertion failure: obj->isGlobal()," → "Assertion failure: obj->isGlobal()," or "Assertion failure: isGlobal(),"
I'd expect we can give them regular parents like everything else.
(Reporter)

Comment 6

6 years ago
Comment 0 also crashes js opt shell without any CLI arguments at js_ErrorToException on TM changeset f59568ec0513
Crash Signature: [@ js_ErrorToException]
Summary: "Assertion failure: obj->isGlobal()," or "Assertion failure: isGlobal()," → Crash [@ js_ErrorToException] or "Assertion failure: obj->isGlobal()," or "Assertion failure: isGlobal(),"
Whiteboard: js-triage-needed
(Assignee)

Comment 7

6 years ago
Created attachment 545404 [details] [diff] [review]
give xml objects a parent

Oops, let this drop.
Assignee: general → luke
Status: NEW → ASSIGNED
Attachment #545404 - Flags: review?(jwalden+bmo)
(Assignee)

Updated

6 years ago
Whiteboard: js-triage-needed → js-triage-done
Comment on attachment 545404 [details] [diff] [review]
give xml objects a parent

Review of attachment 545404 [details] [diff] [review]:
-----------------------------------------------------------------

It's facially possible for GetGlobalForScopeChain to return null, so add null-checks to the calls you're adding, just in case it's possible that might be hit.  (It doesn't seem productive to actually check whether that possibility is real, just for E4X.)
Attachment #545404 - Flags: review?(jwalden+bmo) → review+
(Assignee)

Comment 9

6 years ago
I don't think that its actually possible for GetGlobalForScopeChain to return NULL at these sites since, even if cx->globalObject is left NULL, entering a compartment (which must be done to be executing any of this code) will push a dummy frame which provides the scope chain.
I took the liberty of backing out this patch from inbound <http://hg.mozilla.org/integration/mozilla-inbound/rev/66fd359c514e> because I seriously question if we're going to remove the DOM Worker support for at least a while!
(Assignee)

Comment 11

6 years ago
In my defense, it all looked fine before the pull rebase :/
(In reply to comment #11)
> In my defense, it all looked fine before the pull rebase :/

Yeah, hg rebase still has some bugs, I guess.  Also, you should reland your patch.  :-)
(Assignee)

Comment 13

6 years ago
http://hg.mozilla.org/integration/mozilla-inbound/rev/777a3c916936
Whiteboard: js-triage-done → [js-triage-done][inbound]
http://hg.mozilla.org/mozilla-central/rev/777a3c916936
Status: ASSIGNED → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla8
E4X has been removed, not adding this test.
Flags: in-testsuite-
You need to log in before you can comment on or make changes to this bug.