GCZeal trips "Assertion failure: script->ownerObject == owner"

RESOLVED FIXED in mozilla8

Status

Product: Core
Component: JavaScript Engine
Priority: --
Severity: critical
Status: RESOLVED FIXED
Reported: 6 years ago
Last modified: 6 years ago

People

(Reporter: Jesse Ruderman, Assigned: billm)

Tracking

Keywords: assertion, regression, testcase
Version: Trunk
Target Milestone: mozilla8
Platform: x86_64
OS: Mac OS X
Points: ---

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [js-triage-done][inbound])

Attachments

(2 attachments)

(Reporter)

Description

6 years ago
Created attachment 548669 [details]
stack trace

Testcase:
  <script> fuzzPriv.setGCZeal(2); </script>
Where setGCZeal is implemented in a chrome-privileged js component as:
  Services.prefs.setIntPref("javascript.options.gczeal", zeal)

Triggers:
  Assertion failure: script->ownerObject == owner, at js/src/jsscript.cpp:323

Which was one of the assertions added in bug 673625.
Whiteboard: js-triage-needed
(Assignee)

Comment 1

6 years ago
Thanks, Jesse. Sadly, this is a false positive. The script owner needs to be set before the script is exposed to the GC. In this case, it's happening too late. I'll get a patch up soon.
Whiteboard: js-triage-needed → js-triage-done
(Assignee)

Comment 2

6 years ago
Created attachment 548831 [details] [diff] [review]
patch

The problem is that between attaching the script to the function and setting the script's owner, we could GC and trigger the ownership assertion. This patch just holds off attaching the script to the function until later so that a GC can't happen in the middle.
Assignee: general → wmccloskey
Status: NEW → ASSIGNED
Attachment #548831 - Flags: review?(dmandelin)
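The ordering bug described in comment 2 (script made reachable from the function, an allocation that can trigger a collection, owner set afterwards) is small enough to model directly. The following is an added example, not SpiderMonkey code and not the attached patch: Script, Function, gc_zeal, gc_verify, gc_alloc, attach_script_buggy, attach_script_fixed and run_scenario are names invented here. gc_verify plays the role of the `script->ownerObject == owner` assertion and gc_zeal plays the role of `javascript.options.gczeal=2` (collect on every allocation); the buggy ordering only trips the check when zeal is on, which is why the fuzzer found it and normal runs did not.

```c
/* Toy model of the GC ordering bug in this report. Added example only; not
 * SpiderMonkey code. All identifiers below are invented for illustration. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

typedef struct Script   Script;
typedef struct Function Function;

struct Script   { Function *owner;  };   /* NULL until the owner is set */
struct Function { Script   *script; };   /* NULL until a script is attached */

/* Root set: functions the collector can reach. */
static Function *roots[4];
static size_t    nroots;

/* Stands in for javascript.options.gczeal=2: collect on every allocation. */
static bool gc_zeal = false;

/* Stands in for the assertion "script->ownerObject == owner": every script
 * reachable from a function must already name that function as its owner.
 * Counts violations instead of aborting so the two orderings can be compared. */
static int gc_verify(void)
{
    int violations = 0;
    for (size_t i = 0; i < nroots; i++) {
        Function *fun = roots[i];
        if (fun->script != NULL && fun->script->owner != fun)
            violations++;
    }
    return violations;
}

/* Allocation is the only point at which this toy collector may run. */
static void *gc_alloc(size_t n, int *violations)
{
    if (gc_zeal)
        *violations += gc_verify();
    return calloc(1, n);
}

/* Buggy ordering from the report: attach first, allocate (which may GC),
 * set the owner last. A collection in the middle sees owner == NULL. */
static int attach_script_buggy(Function *fun, Script *script)
{
    int violations = 0;
    fun->script = script;                       /* script is now GC-visible */
    void *scratch = gc_alloc(16, &violations);  /* a GC can run here */
    free(scratch);
    script->owner = fun;                        /* too late */
    return violations;
}

/* Fixed ordering, as the patch does: finish initialising the script, then
 * attach it, so no collection can observe the half-built state. */
static int attach_script_fixed(Function *fun, Script *script)
{
    int violations = 0;
    void *scratch = gc_alloc(16, &violations);  /* GC may run; script unreachable */
    free(scratch);
    script->owner = fun;
    fun->script = script;                       /* attached fully initialised */
    return violations;
}

/* One attach with the chosen ordering and zeal setting; returns how many
 * times the ownership check would have fired. */
static int run_scenario(bool fixed, bool zeal)
{
    Function fun    = { .script = NULL };
    Script   script = { .owner  = NULL };
    nroots = 0;
    roots[nroots++] = &fun;
    gc_zeal = zeal;
    int v = fixed ? attach_script_fixed(&fun, &script)
                  : attach_script_buggy(&fun, &script);
    nroots  = 0;
    gc_zeal = false;
    return v;
}

int main(void)
{
    printf("buggy, zeal on : %d violation(s)\n", run_scenario(false, true));
    printf("fixed, zeal on : %d violation(s)\n", run_scenario(true,  true));
    printf("buggy, zeal off: %d violation(s)\n", run_scenario(false, false));
    return 0;
}
```

The point the model makes is the one in comment 2: the fix is not to change the assertion but to make sure an object is never reachable by the collector before the invariant the collector checks has been established. Any allocation between the two assignments is a potential collection point, so the safe pattern is to do all the non-allocating initialisation first and publish the pointer last.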
(Assignee)

Comment 3

6 years ago
Also, I checked to see if there are other places where setOwnerObject happens too late, and all the other ones look clean.
Comment on attachment 548831 [details] [diff] [review]
patch

Review of attachment 548831 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/jsfun.cpp
@@ +1598,2 @@
>          return false;
> +    fun->u.i.script = script;
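Review bot: nothing in the hunk records why `fun->u.i.script = script;` is placed after the `return false;` path rather than earlier; add a comment stating that the script must not be reachable from the function until its owner has been set, since a GC in between is what fired the ownerObject assertion in this report. The hunk's two lines of context do not show where the owner is set, so please also confirm that no allocation (and hence no collection) can occur between this assignment and that call; the fix depends entirely on that ordering.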

Please add a brief comment explaining why we need this.
Attachment #548831 - Flags: review?(dmandelin) → review+
Group: core-security
(Assignee)

Updated

6 years ago
Whiteboard: js-triage-done → [js-triage-done][inbound]
http://hg.mozilla.org/mozilla-central/rev/75cd7345fb19
Status: ASSIGNED → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla8