"Assertion failure: isBoolean(),"

VERIFIED FIXED in Firefox 15

Status

()

defect
--
critical
VERIFIED FIXED
7 years ago
7 years ago

People

(Reporter: gkw, Assigned: jorendorff)

Tracking

(Blocks 1 bug, {assertion, regression, testcase})

Trunk
mozilla16
x86
macOS
Points:
---
Dependency tree / graph
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(firefox15 verified, firefox16 verified, firefox-esr1016+ fixed)

Details

(Whiteboard: [js:p1:fx15])

Attachments

(3 attachments, 1 obsolete attachment)

Posted file stack
Math.tan(
    Object.defineProperty(
        evalcx("new RegExp"),
        "ignoreCase",
        {e:true}
    )
)

asserts js debug shell on m-c changeset cfaf90b22fc3 without any CLI arguments at Assertion failure: isBoolean(),

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   78732:61dd23c012ee
user:        Chris Leary
date:        Fri Oct 07 03:04:00 2011 -0700
summary:     Bug 673188: Compile regexps lazily. (r=mrbkap)
Hmm. Having a little trouble tracking this one down actually. Taking.
Assignee: general → jorendorff
This should have been obvious to me at the outset. Not sure what I was thinking.

1. For cross-compartment wrappers, Object.defineProperty ultimately calls JS_DefinePropertyById.

2. JS_DefinePropertyById allows the redefinition of non-writable non-configurable properties, contrary to ES5. In particular it does not do all the checking that obj_DefineProperty does when the target object is native.

3. RegExpObject::toString assumes the values of the "ignoreCase" non-writable non-configurable property can't be changed.
To break it down a little bit:

let a = evalcx("/x/");   // make a cross-compartment wrapper around a RegExp object
Object.defineProperty(a, "ignoreCase", {value: undefined});  // see comment 2
a.toString();  // trip an assertion that ignoreCase has a boolean value
Whiteboard: js-triage-needed → [js:p1:fx15][js:ni]
My first attempt was to make JS_Define* respect the invariants.
This was doomed because the JS_Define* functions are the APIs resolve hooks are supposed to use. We'd get call stacks like:

   some kind of lookup
   -> resolve hook
   -> JS_DefineProperty
   -> do a lookup to check the invariants
   -> resolve hook
      ...

The resolve machinery has some goofy hash table to prevent runaway recursion in this case, but it still causes problems. I think causing JS_Define* to do lookups is too much of an API change for Aurora.

A more modest change is to change wrappers so that instead of using JS_DefinePropertyById directly, they enforce the invariants. Pursuing that now.
Posted patch v1 (obsolete) — Splinter Review
Attachment #630656 - Flags: review?(jwalden+bmo)
Comment on attachment 630656 [details] [diff] [review]
v1

Review of attachment 630656 [details] [diff] [review]:
-----------------------------------------------------------------

The property definition algorithms are complicated enough that I'm not especially confident I haven't missed anything here, but I think you might have covered the bases.

::: js/src/jit-test/tests/basic/bug750307.js
@@ +1,5 @@
> +var g = newGlobal('new-compartment');
> +var a = g.RegExp("x");
> +try {
> +    Object.defineProperty(a, "ignoreCase", {value: undefined});
> +} catch (exc) {}

assertEq(exc instanceof g.TypeError, true); // it's g.TypeError and not TypeError, right?  And an assert verifying that an error was actually thrown, too.
Attachment #630656 - Flags: review?(jwalden+bmo) → review+
Backed out in https://hg.mozilla.org/integration/mozilla-inbound/rev/65c7255e9d15 for the "browser_bug645699.js | an unexpected uncaught JS exception reported through window.onerror - TypeError: can't redefine non-configurable property 'location' at http://example.com/browser/toolkit/mozapps/extensions/test/xpinstall/bug645699.html:12" etc. in https://tbpl.mozilla.org/php/getParsedLog.php?id=12567825&tree=Mozilla-Inbound and friends.
Thanks for the backout. Looks like we should just change the test, though. I'll push to try in a minute.
(In reply to Jason Orendorff [:jorendorff] from comment #10)
> https://tbpl.mozilla.org/?tree=Try&rev=d87a33f7beb0

Try looks green - should be good to land! \o/
Keywords: checkin-needed
That must have been intended for some other bug, since every mochitest-oth which has run has a failure in the same test (plus, what's pushed to try isn't even in this bug, so checkin-needed would just reland the same thing that already bounced).
Keywords: checkin-needed
It was just a botch. Here's the fixed try run.
https://tbpl.mozilla.org/?tree=Try&rev=07957da489ad
Carrying forward review.
Attachment #630656 - Attachment is obsolete: true
Attachment #632595 - Flags: review+
https://hg.mozilla.org/mozilla-central/rev/2ddb6278d1de
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla16
Depends on: 764688
Flags: in-testsuite+
Depends on: 765156
I built Spidermonkey for the latest Firefox 15 version (beta5, Changeset	5b309ad1a88a) and run the test from comment #0. The reported assertion did not show, but instead I got the following assertion:
test750307:5: TypeError: "ignoreCase" is read-only

Is this expected?

Thank you!
QA Contact: moz.mihaelav
Confirmed testcase asserts 2012-04-30 mozilla-central debug JS shell.

Does not assert:
2012-06-14 mozilla-central debug JS shell
2012-07-01 mozilla-aurora debug JS shell
Status: RESOLVED → VERIFIED
Keywords: verifyme
QA Contact: moz.mihaelav → anthony.s.hughes
Whiteboard: [js:p1:fx15][js:ni] → [js:p1:fx15]
(In reply to Jason Orendorff [:jorendorff] from comment #22)
> https://hg.mozilla.org/releases/mozilla-esr10/rev/6b471843f125
> 
> Approval granted separately in bug 756719.

Had oranges in mochi-4 and mochi-oth across all platforms, backed out
https://hg.mozilla.org/releases/mozilla-esr10/rev/e78926e3cef0
Re-landed:

   https://hg.mozilla.org/releases/mozilla-esr10/rev/9708ce55a237
   https://hg.mozilla.org/releases/mozilla-esr10/rev/b3600020156d

The "part 2" patch got review and approval separately, in bug 756719.

There's no way to get a Try Server run on ESR10 at present, so I'm not as confident in these patches as I'd normally like to be, but at worst, we back them out again...
> but at worst, we back them out again...
At worst it is!  Backed out for Moth oranges.

https://hg.mozilla.org/releases/mozilla-esr10/rev/96931ca23431
I managed to only back out the second part, so here's another attempt to finish the job.

https://hg.mozilla.org/releases/mozilla-esr10/rev/d449bf8cd785
Moth seems to fail more with the extra ESR fix on than not, so this this is a more minimal version of the ESR fix. It's impossible to quickly figure out what's really going wrong or what's needed, but this may work. Currently running on try. I'll check again in the morning.
Attachment #668292 - Flags: review?(jorendorff)
You can't use Try for ESR-10 (it won't build), which is kind of the root of this whole problem. You'll have to run Moth locally.
(In reply to Andrew McCreight [:mccr8] from comment #28)
> You can't use Try for ESR-10 (it won't build), which is kind of the root of
> this whole problem. You'll have to run Moth locally.

That is super lame. Hopefully Jason can pick it up in the morning then.
I'm working on this now.
Attachment #668292 - Flags: review?(jorendorff)
You need to log in before you can comment on or make changes to this bug.