"Assertion failure: isBoolean(),"

VERIFIED FIXED in Firefox 15



JavaScript Engine
5 years ago
5 years ago


(Reporter: gkw, Assigned: jorendorff)


(Blocks: 1 bug, {assertion, regression, testcase})

Mac OS X
assertion, regression, testcase
Dependency tree / graph
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(firefox15 verified, firefox16 verified, firefox-esr1016+ fixed)


(Whiteboard: [js:p1:fx15])


(3 attachments, 1 obsolete attachment)



5 years ago
Created attachment 619588 [details]

        evalcx("new RegExp"),

asserts js debug shell on m-c changeset cfaf90b22fc3 without any CLI arguments at Assertion failure: isBoolean(),

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   78732:61dd23c012ee
user:        Chris Leary
date:        Fri Oct 07 03:04:00 2011 -0700
summary:     Bug 673188: Compile regexps lazily. (r=mrbkap)

Comment 1

5 years ago
Hmm. Having a little trouble tracking this one down actually. Taking.
Assignee: general → jorendorff

Comment 2

5 years ago
This should have been obvious to me at the outset. Not sure what I was thinking.

1. For cross-compartment wrappers, Object.defineProperty ultimately calls JS_DefinePropertyById.

2. JS_DefinePropertyById allows the redefinition of non-writable non-configurable properties, contrary to ES5. In particular it does not do all the checking that obj_DefineProperty does when the target object is native.

3. RegExpObject::toString assumes the values of the "ignoreCase" non-writable non-configurable property can't be changed.

Comment 3

5 years ago
To break it down a little bit:

let a = evalcx("/x/");   // make a cross-compartment wrapper around a RegExp object
Object.defineProperty(a, "ignoreCase", {value: undefined});  // see comment 2
a.toString();  // trip an assertion that ignoreCase has a boolean value
Whiteboard: js-triage-needed → [js:p1:fx15][js:ni]

Comment 4

5 years ago
My first attempt was to make JS_Define* respect the invariants.
This was doomed because the JS_Define* functions are the APIs resolve hooks are supposed to use. We'd get call stacks like:

   some kind of lookup
   -> resolve hook
   -> JS_DefineProperty
   -> do a lookup to check the invariants
   -> resolve hook

The resolve machinery has some goofy hash table to prevent runaway recursion in this case, but it still causes problems. I think causing JS_Define* to do lookups is too much of an API change for Aurora.

A more modest change is to change wrappers so that instead of using JS_DefinePropertyById directly, they enforce the invariants. Pursuing that now.

Comment 5

5 years ago
Created attachment 630656 [details] [diff] [review]
Attachment #630656 - Flags: review?(jwalden+bmo)
Comment on attachment 630656 [details] [diff] [review]

Review of attachment 630656 [details] [diff] [review]:

The property definition algorithms are complicated enough that I'm not especially confident I haven't missed anything here, but I think you might have covered the bases.

::: js/src/jit-test/tests/basic/bug750307.js
@@ +1,5 @@
> +var g = newGlobal('new-compartment');
> +var a = g.RegExp("x");
> +try {
> +    Object.defineProperty(a, "ignoreCase", {value: undefined});
> +} catch (exc) {}

assertEq(exc instanceof g.TypeError, true); // it's g.TypeError and not TypeError, right?  And an assert verifying that an error was actually thrown, too.
Attachment #630656 - Flags: review?(jwalden+bmo) → review+

Comment 7

5 years ago
Good idea.

Backed out in https://hg.mozilla.org/integration/mozilla-inbound/rev/65c7255e9d15 for the "browser_bug645699.js | an unexpected uncaught JS exception reported through window.onerror - TypeError: can't redefine non-configurable property 'location' at http://example.com/browser/toolkit/mozapps/extensions/test/xpinstall/bug645699.html:12" etc. in https://tbpl.mozilla.org/php/getParsedLog.php?id=12567825&tree=Mozilla-Inbound and friends.

Comment 9

5 years ago
Thanks for the backout. Looks like we should just change the test, though. I'll push to try in a minute.

Comment 10

5 years ago

Comment 11

5 years ago
(In reply to Jason Orendorff [:jorendorff] from comment #10)
> https://tbpl.mozilla.org/?tree=Try&rev=d87a33f7beb0

Try looks green - should be good to land! \o/
Keywords: checkin-needed
That must have been intended for some other bug, since every mochitest-oth which has run has a failure in the same test (plus, what's pushed to try isn't even in this bug, so checkin-needed would just reland the same thing that already bounced).
Keywords: checkin-needed

Comment 13

5 years ago
It was just a botch. Here's the fixed try run.

Comment 14

5 years ago
Created attachment 632595 [details] [diff] [review]
v2 - same as v1, but fix a test

Carrying forward review.
Attachment #630656 - Attachment is obsolete: true
Attachment #632595 - Flags: review+

Comment 15

5 years ago
Last Resolved: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla16


5 years ago
Depends on: 764688
status-firefox-esr10: --- → affected
status-firefox15: --- → affected
status-firefox16: --- → fixed
Blocks: 756719


5 years ago
Flags: in-testsuite+

Comment 17

5 years ago
It seems it landed in 15.a2/20120629:
status-firefox15: affected → fixed


5 years ago
Depends on: 765156
Landed on beta as:
(Bug doesn't seem to have been updated to reflect that)

However backed out of beta for M3 orange:

Keywords: verifyme
I built Spidermonkey for the latest Firefox 15 version (beta5, Changeset	5b309ad1a88a) and run the test from comment #0. The reported assertion did not show, but instead I got the following assertion:
test750307:5: TypeError: "ignoreCase" is read-only

Is this expected?

Thank you!
QA Contact: moz.mihaelav
Confirmed testcase asserts 2012-04-30 mozilla-central debug JS shell.

Does not assert:
2012-06-14 mozilla-central debug JS shell
2012-07-01 mozilla-aurora debug JS shell
status-firefox15: fixed → verified
status-firefox16: fixed → verified
Keywords: verifyme
QA Contact: moz.mihaelav → anthony.s.hughes
Whiteboard: [js:p1:fx15][js:ni] → [js:p1:fx15]


5 years ago
tracking-firefox-esr10: --- → 16+

Comment 22

5 years ago

Approval granted separately in bug 756719.


5 years ago
status-firefox-esr10: affected → fixed
(In reply to Jason Orendorff [:jorendorff] from comment #22)
> https://hg.mozilla.org/releases/mozilla-esr10/rev/6b471843f125
> Approval granted separately in bug 756719.

Had oranges in mochi-4 and mochi-oth across all platforms, backed out
status-firefox-esr10: fixed → affected

Comment 24

5 years ago


The "part 2" patch got review and approval separately, in bug 756719.

There's no way to get a Try Server run on ESR10 at present, so I'm not as confident in these patches as I'd normally like to be, but at worst, we back them out again...
> but at worst, we back them out again...
At worst it is!  Backed out for Moth oranges.

I managed to only back out the second part, so here's another attempt to finish the job.

Created attachment 668292 [details] [diff] [review]
ESR attempt -- undoes part of the ESR extra bit

Moth seems to fail more with the extra ESR fix on than not, so this this is a more minimal version of the ESR fix. It's impossible to quickly figure out what's really going wrong or what's needed, but this may work. Currently running on try. I'll check again in the morning.
Attachment #668292 - Flags: review?(jorendorff)
You can't use Try for ESR-10 (it won't build), which is kind of the root of this whole problem. You'll have to run Moth locally.
(In reply to Andrew McCreight [:mccr8] from comment #28)
> You can't use Try for ESR-10 (it won't build), which is kind of the root of
> this whole problem. You'll have to run Moth locally.

That is super lame. Hopefully Jason can pick it up in the morning then.

Comment 30

5 years ago
I'm working on this now.
status-firefox-esr10: affected → fixed


5 years ago
Attachment #668292 - Flags: review?(jorendorff)
You need to log in before you can comment on or make changes to this bug.