Closed Bug 674441 Opened 9 years ago Closed 9 years ago

GCZeal trips "Assertion failure: script->ownerObject == owner"

(Core :: JavaScript Engine, defect, critical)

x86_64
macOS

RESOLVED FIXED
mozilla8

(Reporter: jruderman, Assigned: billm)

(Keywords: assertion, regression, testcase, Whiteboard: [js-triage-done][inbound])

(2 files)

Attached file stack trace
Testcase:
  <script> fuzzPriv.setGCZeal(2); </script>
Where setGCZeal is implemented in a chrome-privileged js component as:
  Services.prefs.setIntPref("javascript.options.gczeal", zeal)

Triggers:
  Assertion failure: script->ownerObject == owner, at js/src/jsscript.cpp:323

Which was one of the assertions added in bug 673625.
Whiteboard: js-triage-needed
Thanks, Jesse. Sadly, this is a false positive. The script owner needs to be set before the script is exposed to the GC. In this case, it's happening too late. I'll get a patch up soon.
Whiteboard: js-triage-needed → js-triage-done
Attached patch: patch
The problem is that between attaching the script to the function and setting the script's owner, we could GC and trigger the ownership assertion. This patch just holds off attaching the script to the function until later so that a GC can't happen in the middle.
Assignee: general → wmccloskey
Status: NEW → ASSIGNED
Attachment #548831 - Flags: review?(dmandelin)
Also, I checked to see if there are other places where setOwnerObject happens too late, and all the other ones look clean.
Comment on attachment 548831 [details] [diff] [review]
patch

Review of attachment 548831 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/jsfun.cpp
@@ +1598,2 @@
>          return false;
> +    fun->u.i.script = script;
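Review bot: The moved assignment `fun->u.i.script = script;` now sits right after the early `return false;`, and nothing in the hunk says why the attach was deferred to this point; add the comment dmandelin asks for, stating that the script is attached to the function only after its owner object has been set so that a GC (for example under gczeal) cannot reach a script whose ownerObject is still unset, and note that on the `return false` path the function is intentionally left without the script.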

Please add a brief comment explaining why we need this.
Attachment #548831 - Flags: review?(dmandelin) → review+
Group: core-security
Whiteboard: js-triage-done → [js-triage-done][inbound]
http://hg.mozilla.org/mozilla-central/rev/75cd7345fb19
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla8