Closed Bug 712428 Opened 9 years ago Closed 9 years ago

"Assertion failure: base->getObjectParent() == unowned->getObjectParent()"

Categories

(Core :: JavaScript Engine, defect)

Type: defect
Priority: Not set
Severity: critical

Tracking

RESOLVED FIXED
mozilla12
Tracking Status
firefox10 --- unaffected
firefox11 - affected
firefox-esr10 --- unaffected

People

(Reporter: jruderman, Assigned: bhackett1024)

Details

(Keywords: assertion, testcase)

Attachments

(2 files)

1. Load the testcase
2. Quit Firefox

Result: This assertion (which was added in bug 710492) fails:

Assertion failure: base->getObjectParent() == unowned->getObjectParent(), at js/src/jsgcmark.cpp:970

This could be a sign of an underlying problem, but the worst this should do for this immediate code in the CC is cause leaks.

I had a problem before with computing the parent of an object while in the CC, so maybe the CC fires off at weird points where the shape structures aren't set up correctly?

I was wrong in my review of bug 710492 about the consistency of the object parent (and other object information) between a base shape and its unowned version. This patch ensures the two are consistent, adds assertions to that effect and modifies the GC mark paths to not need to loop at all when marking base shapes.
Assignee: general → bhackett1024
Attachment #584122 - Flags: review?(luke)
Comment on attachment 584122 [details] [diff] [review]
patch (2a1f2758ad0d)

Looks good, but also makes bug 711159 look more attractive...
Attachment #584122 - Flags: review?(luke) → review+
Oops, forgot to add:

>+            uint32_t flags = lastProperty()->getObjectFlags()
>+                           | (indexed ? BaseShape::INDEXED : 0);
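
Review bot: the flags expression on the quoted lines is duplicated, since the reply places the same two lines in both addPropertyInternal and putProperty. A small shared helper that takes `indexed` and returns `lastProperty()->getObjectFlags() | (indexed ? BaseShape::INDEXED : 0)` would keep the two call sites from drifting apart. That matters here because this bug is about a base shape and its unowned version disagreeing on object information.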

| should line up with 'l' in lastProperty (in addPropertyInternal and putProperty).
OS: Mac OS X → All
Hardware: x86_64 → All
https://hg.mozilla.org/mozilla-central/rev/c93d8c55f67d
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Whiteboard: [sg:]
Target Milestone: --- → mozilla12
Does this or something like it need to be landed in 11, too?
Whiteboard: [sg:]
Brian doesn't believe that this is a security risk, so given the low volume of reports, we'll let this ride the trains.
Group: core-security