"Assertion failure: base->getObjectParent() == unowned->getObjectParent()"

RESOLVED FIXED in mozilla12

Status

defect
--
critical
RESOLVED FIXED
8 years ago
4 years ago

People

(Reporter: jruderman, Assigned: bhackett)

Tracking

(Blocks 1 bug, {assertion, testcase})

Trunk
mozilla12

Firefox Tracking Flags

(firefox10 unaffected, firefox11- affected, firefox-esr10 unaffected)

Attachments

(2 attachments)

1. Load the testcase
2. Quit Firefox

Result: This assertion (which was added in bug 710492) fails:

Assertion failure: base->getObjectParent() == unowned->getObjectParent(), at js/src/jsgcmark.cpp:970

This could be a sign of an underlying problem, but the worst this should do for this immediate code in the CC is cause leaks.

I had a problem before with computing the parent of an object while in the CC, so maybe the CC fires off at weird points where the shape structures aren't set up correctly?

I was wrong in my review of bug 710492 about the consistency of the object parent (and other object information between a base shape and its unowned version). This patch ensures the two are consistent, adds assertions to that effect and modifies the GC mark paths to not need to loop at all when marking base shapes.
Assignee: general → bhackett1024
Attachment #584122 - Flags: review?(luke)
Comment on attachment 584122 [details] [diff] [review]
patch (2a1f2758ad0d)

Looks good, but also makes bug 711159 look a more attractive...
Attachment #584122 - Flags: review?(luke) → review+
Oops, forgot to add:

>+            uint32_t flags = lastProperty()->getObjectFlags()
>+                           | (indexed ? BaseShape::INDEXED : 0);
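
Review bot: the flags expression on these two added lines is, going by the reply that follows, written out separately in both addPropertyInternal and putProperty. Since the patch is described as making the object information of a base shape and its unowned version consistent, consider computing `lastProperty()->getObjectFlags() | (indexed ? BaseShape::INDEXED : 0)` in one small helper so the two call sites cannot drift apart, and add a short comment on why INDEXED is OR-ed in at this point.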

| should line up with 'l' in lastProperty (in addPropertyInternal and putProperty).
OS: Mac OS X → All
Hardware: x86_64 → All
https://hg.mozilla.org/mozilla-central/rev/c93d8c55f67d
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Whiteboard: [sg:]
Target Milestone: --- → mozilla12
Does this or something like it need to be landed in 11, too?
Whiteboard: [sg:]
Brian doesn't believe that this is a security risk, so given the low volume of reports, we'll let this ride the trains.
Group: core-security