Bug 674441 - GCZeal trips "Assertion failure: script->ownerObject == owner"
Keywords: assertion, regression, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Trunk
Platform: x86_64 Mac OS X
Importance: -- critical
Target Milestone: mozilla8
Assigned To: Bill McCloskey (:billm)
QA Contact: Jason Orendorff [:jorendorff]
Blocks: 673625
Reported: 2011-07-26 19:49 PDT by Jesse Ruderman
Modified: 2011-08-03 02:13 PDT (History)
CC: 5 users

Attachments:
  stack trace (17.97 KB, text/plain), 2011-07-26 19:49 PDT, Jesse Ruderman
  patch (966 bytes, patch), 2011-07-27 10:59 PDT, Bill McCloskey (:billm), dmandelin: review+

Description Jesse Ruderman 2011-07-26 19:49:39 PDT
Created attachment 548669: stack trace

  <script> fuzzPriv.setGCZeal(2); </script>
Where setGCZeal is implemented in a chrome-privileged js component as:
  Services.prefs.setIntPref("javascript.options.gczeal", zeal)

  Assertion failure: script->ownerObject == owner, at js/src/jsscript.cpp:323

Which was one of the assertions added in bug 673625.
Comment 1 Bill McCloskey (:billm) 2011-07-27 10:06:08 PDT
Thanks, Jesse. Sadly, this is a false positive. The script owner needs to be set before the script is exposed to the GC. In this case, it's happening too late. I'll get a patch up soon.
Comment 2 Bill McCloskey (:billm) 2011-07-27 10:59:24 PDT
Created attachment 548831: patch

The problem is that between attaching the script to the function and setting the script's owner, we could GC and trigger the ownership assertion. This patch just holds off attaching the script to the function until later so that a GC can't happen in the middle.
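To make the ordering problem described in comment 2 concrete, here is a small C model written for this page (not SpiderMonkey code): a root-reachable "function" holding a "script", a GC pass that performs the ownership check, and GC zeal modelled as a collection at every GC-capable step. The names Object, Script, maybe_gc and the create_function_* routines are the model's own, not engine APIs.

```c
/* Toy model of the ordering bug (written for this page, not SpiderMonkey code). */
#include <stdbool.h>
#include <stddef.h>
typedef struct Object Object;
typedef struct Script { Object *ownerObject; } Script;   /* script->ownerObject */
struct Object { Script *script; };                       /* models fun->u.i.script */
/* GC roots: everything reachable from here is visible to a collection. */
static Object *gc_roots[4];
static size_t gc_root_count;
/* Models the check from jsscript.cpp: a script reachable from a root must
 * already know its owner. Returns false instead of aborting so the outcome
 * can be observed by the caller. */
static bool gc_check_ownership(void) {
    for (size_t i = 0; i < gc_root_count; i++) {
        Script *s = gc_roots[i]->script;
        if (s && s->ownerObject != gc_roots[i])
            return false;   /* "Assertion failure: script->ownerObject == owner" */
    }
    return true;
}
/* GCZeal(2) makes the engine collect at every opportunity; model that as a
 * collection at every step that could allocate. Without zeal, nothing runs. */
static bool maybe_gc(bool zeal) { return zeal ? gc_check_ownership() : true; }

/* Buggy order: attach the script to the function, do GC-capable work, then
 * set the owner. A zealous GC in the middle sees the half-initialised state. */
static bool create_function_buggy(Object *fun, Script *script, bool zeal) {
    fun->script = script;                 /* script now reachable from a root */
    if (!maybe_gc(zeal)) return false;    /* e.g. an allocation that may GC */
    script->ownerObject = fun;
    return maybe_gc(zeal);
}

/* Fixed order (the idea of the patch): do the GC-capable work first and
 * attach the script only once its owner is set, with no GC in between. */
static bool create_function_fixed(Object *fun, Script *script, bool zeal) {
    if (!maybe_gc(zeal)) return false;
    script->ownerObject = fun;
    fun->script = script;
    return maybe_gc(zeal);
}

/* Run one scenario with a fresh function registered as a GC root. */
static bool run(bool (*create)(Object *, Script *, bool), bool zeal) {
    Object fun = {NULL}; Script script = {NULL};
    gc_root_count = 0;
    gc_roots[gc_root_count++] = &fun;
    return create(&fun, &script, zeal);
}
```

Without zeal the buggy order passes (no collection lands in the window), which is why the fuzzer needed setGCZeal to reproduce it.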
Comment 3 Bill McCloskey (:billm) 2011-07-27 11:00:14 PDT
Also, I checked to see if there are other places where setOwnerObject happens too late, and all the other ones look clean.
Comment 4 David Mandelin [:dmandelin] 2011-07-27 16:27:52 PDT
Comment on attachment 548831

Review of attachment 548831:

::: js/src/jsfun.cpp
@@ +1598,2 @@
>          return false;
> +    fun->u.i.script = script;
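Review bot: the hunk shows the new `fun->u.i.script = script;` placed right after a `return false;` early exit, but nothing in the visible lines records why the attach now sits here rather than where it was. Since the whole fix (comment 2) is that no GC may run between attaching the script to `fun` and `setOwnerObject`, a one-line comment at this assignment stating that ordering constraint would keep a later refactor from reopening the window.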

Please add a brief comment explaining why we need this.
Comment 5 Marco Bonardo [::mak] 2011-08-03 02:13:04 PDT