768706 - Crash in js::GetObjectClass when executing a gcli command written in the scratchpad

Status: RESOLVED INACTIVE

(Core :: XPConnect, defect)

Description

[Paul Adenot (:padenot)]

Backtrace : http://pastebin.mozilla.org/1679892

STR:
- Open the scratchpad in chrome mode (devtools.chrome.enable to true, Environment to Chrome in the scratchpad), and enable the gcli (devtools.toolbar.enabled to true) ;
- Paste the following in it: http://pastebin.mozilla.org/1679894 ;
- Open the gcli using ctrl+shift+v ;
- Type "reload page 4s".

Expected:
- The browsers does not crash.

Actual:
- The page reload once, and the browser crashes.

An odd looking pointer is being dereferenced, apparently : 
(gdb) p reinterpret_cast<const shadow::Object*>(obj)->shape->base
$4 = (js::shadow::BaseShape *) 0xa5a5a5a500000001

Comment 1

[Paul Adenot (:padenot)]

Oh, and I get that in the console just before the crash :

55048000[7f280213a480]: ###!!! ASSERTION: function object has parent of unknown class!: 'Error', file /home/paul/workspace/mozilla-middle/js/xpconnect/src/XPCWrappedNative.cpp, line 1798
###!!! ASSERTION: function object has parent of unknown class!: 'Error', file /home/paul/workspace/mozilla-middle/js/xpconnect/src/XPCWrappedNative.cpp, line 1798

Comment 2

[Jesse Ruderman]

Paul, the pastebins seem to have disappeared.  Can you upload those as bug attachments instead?

Comment 3

[Paul Adenot (:padenot)]

Attachment: File that was in the pastein.

Here you go.

Comment 4

[BMO Automation]

Per policy at https://wiki.mozilla.org/Bug_Triage/Projects/Bug_Handling/Bug_Husbandry#Inactive_Bugs. If this bug is not an enhancement request or a bug not present in a supported release of Firefox, then it may be reopened.