"Assertion failure: isBoolean(),"

VERIFIED FIXED in Firefox 15

Status

()

Core
JavaScript Engine
--
critical
VERIFIED FIXED
5 years ago
5 years ago

People

(Reporter: gkw, Assigned: jorendorff)

Tracking

(Blocks: 1 bug, {assertion, regression, testcase})

Trunk
mozilla16
x86
Mac OS X
assertion, regression, testcase
Points:
---
Dependency tree / graph
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(firefox15 verified, firefox16 verified, firefox-esr1016+ fixed)

Details

(Whiteboard: [js:p1:fx15])

Attachments

(3 attachments, 1 obsolete attachment)

(Reporter)

Description

5 years ago
Created attachment 619588 [details]
stack

Math.tan(
    Object.defineProperty(
        evalcx("new RegExp"),
        "ignoreCase",
        {e:true}
    )
)

asserts js debug shell on m-c changeset cfaf90b22fc3 without any CLI arguments at Assertion failure: isBoolean(),

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   78732:61dd23c012ee
user:        Chris Leary
date:        Fri Oct 07 03:04:00 2011 -0700
summary:     Bug 673188: Compile regexps lazily. (r=mrbkap)
(Assignee)

Comment 1

5 years ago
Hmm. Having a little trouble tracking this one down actually. Taking.
Assignee: general → jorendorff
(Assignee)

Comment 2

5 years ago
This should have been obvious to me at the outset. Not sure what I was thinking.

1. For cross-compartment wrappers, Object.defineProperty ultimately calls JS_DefinePropertyById.

2. JS_DefinePropertyById allows the redefinition of non-writable non-configurable properties, contrary to ES5. In particular it does not do all the checking that obj_DefineProperty does when the target object is native.

3. RegExpObject::toString assumes the values of the "ignoreCase" non-writable non-configurable property can't be changed.
(Assignee)

Comment 3

5 years ago
To break it down a little bit:

let a = evalcx("/x/");   // make a cross-compartment wrapper around a RegExp object
Object.defineProperty(a, "ignoreCase", {value: undefined});  // see comment 2
a.toString();  // trip an assertion that ignoreCase has a boolean value
Whiteboard: js-triage-needed → [js:p1:fx15][js:ni]
(Assignee)

Comment 4

5 years ago
My first attempt was to make JS_Define* respect the invariants.
This was doomed because the JS_Define* functions are the APIs resolve hooks are supposed to use. We'd get call stacks like:

   some kind of lookup
   -> resolve hook
   -> JS_DefineProperty
   -> do a lookup to check the invariants
   -> resolve hook
      ...

The resolve machinery has some goofy hash table to prevent runaway recursion in this case, but it still causes problems. I think causing JS_Define* to do lookups is too much of an API change for Aurora.

A more modest change is to change wrappers so that instead of using JS_DefinePropertyById directly, they enforce the invariants. Pursuing that now.
(Assignee)

Comment 5

5 years ago
Created attachment 630656 [details] [diff] [review]
v1
Attachment #630656 - Flags: review?(jwalden+bmo)
Comment on attachment 630656 [details] [diff] [review]
v1

Review of attachment 630656 [details] [diff] [review]:
-----------------------------------------------------------------

The property definition algorithms are complicated enough that I'm not especially confident I haven't missed anything here, but I think you might have covered the bases.

::: js/src/jit-test/tests/basic/bug750307.js
@@ +1,5 @@
> +var g = newGlobal('new-compartment');
> +var a = g.RegExp("x");
> +try {
> +    Object.defineProperty(a, "ignoreCase", {value: undefined});
> +} catch (exc) {}

assertEq(exc instanceof g.TypeError, true); // it's g.TypeError and not TypeError, right?  And an assert verifying that an error was actually thrown, too.
Attachment #630656 - Flags: review?(jwalden+bmo) → review+
(Assignee)

Comment 7

5 years ago
Good idea.

https://hg.mozilla.org/integration/mozilla-inbound/rev/7166a68a7994
Backed out in https://hg.mozilla.org/integration/mozilla-inbound/rev/65c7255e9d15 for the "browser_bug645699.js | an unexpected uncaught JS exception reported through window.onerror - TypeError: can't redefine non-configurable property 'location' at http://example.com/browser/toolkit/mozapps/extensions/test/xpinstall/bug645699.html:12" etc. in https://tbpl.mozilla.org/php/getParsedLog.php?id=12567825&tree=Mozilla-Inbound and friends.
(Assignee)

Comment 9

5 years ago
Thanks for the backout. Looks like we should just change the test, though. I'll push to try in a minute.
(Assignee)

Comment 10

5 years ago
https://tbpl.mozilla.org/?tree=Try&rev=d87a33f7beb0
(Reporter)

Comment 11

5 years ago
(In reply to Jason Orendorff [:jorendorff] from comment #10)
> https://tbpl.mozilla.org/?tree=Try&rev=d87a33f7beb0

Try looks green - should be good to land! \o/
Keywords: checkin-needed
That must have been intended for some other bug, since every mochitest-oth which has run has a failure in the same test (plus, what's pushed to try isn't even in this bug, so checkin-needed would just reland the same thing that already bounced).
Keywords: checkin-needed
(Assignee)

Comment 13

5 years ago
It was just a botch. Here's the fixed try run.
https://tbpl.mozilla.org/?tree=Try&rev=07957da489ad
(Assignee)

Comment 14

5 years ago
Created attachment 632595 [details] [diff] [review]
v2 - same as v1, but fix a test

Carrying forward review.
Attachment #630656 - Attachment is obsolete: true
Attachment #632595 - Flags: review+
(Assignee)

Comment 15

5 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/2ddb6278d1de
https://hg.mozilla.org/mozilla-central/rev/2ddb6278d1de
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla16

Updated

5 years ago
Depends on: 764688
status-firefox-esr10: --- → affected
status-firefox15: --- → affected
status-firefox16: --- → fixed
Blocks: 756719
(Reporter)

Updated

5 years ago
Flags: in-testsuite+

Comment 17

5 years ago
It seems it landed in 15.a2/20120629:
http://hg.mozilla.org/releases/mozilla-aurora/rev/2f5ede40b4f5
status-firefox15: affected → fixed

Updated

5 years ago
Depends on: 765156
Landed on beta as:
https://hg.mozilla.org/releases/mozilla-beta/rev/acb98d65fa59
(Bug doesn't seem to have been updated to reflect that)

However backed out of beta for M3 orange:
https://tbpl.mozilla.org/?tree=Mozilla-Beta&rev=acb98d65fa59

https://hg.mozilla.org/releases/mozilla-beta/rev/61b48c85c866
Keywords: verifyme
I built Spidermonkey for the latest Firefox 15 version (beta5, Changeset	5b309ad1a88a) and run the test from comment #0. The reported assertion did not show, but instead I got the following assertion:
test750307:5: TypeError: "ignoreCase" is read-only

Is this expected?

Thank you!
QA Contact: moz.mihaelav
Confirmed testcase asserts 2012-04-30 mozilla-central debug JS shell.

Does not assert:
2012-06-14 mozilla-central debug JS shell
2012-07-01 mozilla-aurora debug JS shell
Status: RESOLVED → VERIFIED
status-firefox15: fixed → verified
status-firefox16: fixed → verified
Keywords: verifyme
QA Contact: moz.mihaelav → anthony.s.hughes
Whiteboard: [js:p1:fx15][js:ni] → [js:p1:fx15]

Updated

5 years ago
tracking-firefox-esr10: --- → 16+
(Assignee)

Comment 22

5 years ago
https://hg.mozilla.org/releases/mozilla-esr10/rev/6b471843f125

Approval granted separately in bug 756719.

Updated

5 years ago
status-firefox-esr10: affected → fixed
(In reply to Jason Orendorff [:jorendorff] from comment #22)
> https://hg.mozilla.org/releases/mozilla-esr10/rev/6b471843f125
> 
> Approval granted separately in bug 756719.

Had oranges in mochi-4 and mochi-oth across all platforms, backed out
https://hg.mozilla.org/releases/mozilla-esr10/rev/e78926e3cef0
status-firefox-esr10: fixed → affected
(Assignee)

Comment 24

5 years ago
Re-landed:

   https://hg.mozilla.org/releases/mozilla-esr10/rev/9708ce55a237
   https://hg.mozilla.org/releases/mozilla-esr10/rev/b3600020156d

The "part 2" patch got review and approval separately, in bug 756719.

There's no way to get a Try Server run on ESR10 at present, so I'm not as confident in these patches as I'd normally like to be, but at worst, we back them out again...
> but at worst, we back them out again...
At worst it is!  Backed out for Moth oranges.

https://hg.mozilla.org/releases/mozilla-esr10/rev/96931ca23431
I managed to only back out the second part, so here's another attempt to finish the job.

https://hg.mozilla.org/releases/mozilla-esr10/rev/d449bf8cd785
Created attachment 668292 [details] [diff] [review]
ESR attempt -- undoes part of the ESR extra bit

Moth seems to fail more with the extra ESR fix on than not, so this this is a more minimal version of the ESR fix. It's impossible to quickly figure out what's really going wrong or what's needed, but this may work. Currently running on try. I'll check again in the morning.
Attachment #668292 - Flags: review?(jorendorff)
You can't use Try for ESR-10 (it won't build), which is kind of the root of this whole problem. You'll have to run Moth locally.
(In reply to Andrew McCreight [:mccr8] from comment #28)
> You can't use Try for ESR-10 (it won't build), which is kind of the root of
> this whole problem. You'll have to run Moth locally.

That is super lame. Hopefully Jason can pick it up in the morning then.
(Assignee)

Comment 30

5 years ago
I'm working on this now.
https://hg.mozilla.org/releases/mozilla-esr10/rev/f19e6807b8bb
https://hg.mozilla.org/releases/mozilla-esr10/rev/89d8746d16c5
status-firefox-esr10: affected → fixed
(Assignee)

Updated

5 years ago
Attachment #668292 - Flags: review?(jorendorff)
You need to log in before you can comment on or make changes to this bug.