Assertion failure: script->ownerObject == owner, at jsscript.cpp:309

RESOLVED FIXED in mozilla10

Status

()

Core
JavaScript Engine
--
critical
RESOLVED FIXED
6 years ago
4 years ago

People

(Reporter: decoder, Assigned: billm)

Tracking

(Blocks: 1 bug, {assertion, testcase})

Trunk
mozilla10
x86_64
Linux
assertion, testcase
Points:
---
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: js-triage-done)

Attachments

(1 attachment)

(Reporter)

Description

6 years ago
The following test asserts on mozilla-central revision 959c1e6bdb11 (options -m -n -a):


gczeal(2);
string=""
for (var i = 0; i < 100; i++ )
  hex=newGlobal('same-compartment');


S-s for now because this is GC related.
I got this too in jsfunfuzz.

Comment 2

6 years ago
And I get this in the browser with RandomJS. (My testcase also uses gczeal.)
(Assignee)

Comment 3

6 years ago
Created attachment 562481 [details] [diff] [review]
fix

This was a bogus assertion, unfortunately. The setOwnerObject call was supposed to happen right after setting u.i.script. But that inadvertently got broken in a few places. I've added a setter to make it less likely for this to happen again.
Assignee: general → wmccloskey
Status: NEW → ASSIGNED
Attachment #562481 - Flags: review?(dmandelin)
(Assignee)

Comment 4

6 years ago
Also, not S-S. Except for the assertion, the code was fine.
Group: core-security
Whiteboard: js-triage-needed → js-triage-done
Attachment #562481 - Flags: review?(dmandelin) → review+
(Assignee)

Comment 5

6 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/f7cf12c7ae38
Target Milestone: --- → mozilla10

Comment 6

6 years ago
https://hg.mozilla.org/mozilla-central/rev/f7cf12c7ae38
Status: ASSIGNED → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
(Reporter)

Comment 7

4 years ago
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug688939.js.
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.