Created attachment 531506 [details] stack with some data Assertion failure: callerPrincipals->subsume(callerPrincipals, calleePrincipals), at js/src/jsobj.cpp:1346 Up-to-date Linux x86-64 debug build; aborts shortly after start. It's 100% reproducible (also after rebuild with empty $OBJDIR). See attached stack for some data on the principals involved in the assert. # hg ident 618cad1b1743 tip
Do you have a test case?
I see this on 32|64bit Linux and 32bit Mac as well. Windows builds pending.
Using a clean profile, load http://english.aljazeera.net/watch_now/
I get it too. How about a regression range?
This is an extension of the issue in bug 651298. It is probably just be a matter of relaxing the assert or using the slower object principal finder instead of relying on the compartment's principals. The underlying issue is that we cheat to make document.domain work and break what would otherwise be reasonable invariants. Like practically everything these days, bug 650353 would allow this assert to hold, hence whatever we do in the interim is temporary.
definitely windows as well. Another url: http://www.msnbc.msn.com/id/42953750/ns/us_news-life/t/doc-woman-stranded-weeks-was-close-dying/?GT1=43001 plus 104 others so far.
Created attachment 531781 [details] [diff] [review] use object principals finder instead of compartment->principals mrbkap and I looked at one of these under gdb and it is the document.domain trickery. Same fix as before.
how often do we get mc<->tracemonkey merges? once a week? any chance of getting this onto mc sooner?
Can do; I'll land it on mc as soon as it goes green on tm.
... and its a good thing I did. xpcshell is doing some weird things with its fake principals manager. Will look at this tomorrow. Backed out: http://hg.mozilla.org/tracemonkey/rev/5b479a987cda
Relanded and stuck: http://hg.mozilla.org/tracemonkey/rev/16b4d6aa5b2b
I'm in the middle of retesting the urls where I saw this assertion. It appears that it still occurs at http://www.sfr.fr/mobile/telephone-portable/apple-iphone-4-16go-noir?vue=000029 on WinXP on a nightly build from 5/19. File a new bug?
#3 in js::PrincipalsForCompiledCode at jsobj.cpp:1346 (gdb) p calleePrincipals->codebase $1 = "http://www.sfr.fr/mobile/telephone-portable/apple-iphone-4-16go-noir?vue=000029" (gdb) p callerPrincipals->codebase $2 = "http://www.sfr.fr/mobile/edito/tcommerce/inqChat.html?IFRAME" Blake: can we just drop this assertion? Seems to be more of this document.domain-hack-leakage that I thought you explained was technically ok.
Yeah, I guess so... Do we have compartment-per-global yet?
(In reply to comment #16) > Yeah, I guess so... Do we have compartment-per-global yet? I'll go poke bent.
Created attachment 536643 [details] [diff] [review] kill the assert