Closed Bug 688939 Opened 8 years ago Closed 8 years ago

Assertion failure: script->ownerObject == owner, at jsscript.cpp:309

Categories

(Core :: JavaScript Engine, defect, critical)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla10

People

(Reporter: decoder, Assigned: billm)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, testcase, Whiteboard: js-triage-done)

Attachments

(1 file)

fix
10.34 KB, patch
dmandelin
: review+
Details | Diff | Splinter Review 
The following test asserts on mozilla-central revision 959c1e6bdb11 (options -m -n -a):


gczeal(2);
string=""
for (var i = 0; i < 100; i++ )
  hex=newGlobal('same-compartment');


S-s for now because this is GC related.
I got this too in jsfunfuzz.
And I get this in the browser with RandomJS. (My testcase also uses gczeal.)
Attached patch fixSplinter Review 
This was a bogus assertion, unfortunately. The setOwnerObject call was supposed to happen right after setting u.i.script. But that inadvertently got broken in a few places. I've added a setter to make it less likely for this to happen again.
Assignee: general → wmccloskey
Status: NEW → ASSIGNED
Attachment #562481 - Flags: review?(dmandelin)
Also, not S-S. Except for the assertion, the code was fine.
Group: core-security
Whiteboard: js-triage-needed → js-triage-done
Attachment #562481 - Flags: review?(dmandelin) → review+
https://hg.mozilla.org/mozilla-central/rev/f7cf12c7ae38
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug688939.js.
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.