Closed
Bug 800586
Opened 13 years ago
Closed 13 years ago
[jsdbg2] Assertion failure: thing->compartment() == trc->compartment || thing->compartment() == trc->runtime->atomsCompartment || (trc->srcKind == JSTRACE_OBJECT && InCrossCompartmentMap((JSObject *)trc->src, thing, kind)), at jsgc.cpp:3313
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla20
People
(Reporter: decoder, Assigned: jorendorff)
Details
(Keywords: assertion, testcase, Whiteboard: [jsbugmon:update])
Attachments
(1 file)
|
2.73 KB,
patch
|
jimb
:
review+
|
Details | Diff | Splinter Review |
The following testcase asserts on mozilla-central revision 5cca0408a73f (run with --ion-eager):
var g = newGlobal('new-compartment');
var dbg = new Debugger();
var gw = dbg.addDebuggee(g);
dbg.onDebuggerStatement = function (f) {
gw.evalInGlobal("eval('var x = \"A Brief History of Love\"');\n")
};
g.eval('debugger');
|
Reporter | |
Updated•13 years ago
|
Whiteboard: [jsbugmon:update,bisect]
|
|
Reporter | |
Updated•13 years ago
|
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
|
|
Reporter | |
Comment 1•13 years ago
|
||
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: 107152:6852b4928efa
user: Bill McCloskey
date: Fri Sep 14 17:19:53 2012 -0700
summary: Bug 790865 - Add more compartment assertions (r=terrence)
This iteration took 100.131 seconds to run.
|
Assignee | |
Comment 2•13 years ago
|
||
If I add this assertion to builtin/Eval.cpp, this testcase flunks it.
bool
js::DirectEval(JSContext *cx, const CallArgs &args)
{
// Direct eval can assume it was called from an interpreted frame.
StackFrame *caller = cx->fp();
JS_ASSERT(IsBuiltinEvalForScope(caller->scopeChain(), args.calleev()));
JS_ASSERT(JSOp(*cx->regs().pc) == JSOP_EVAL);
+ JS_ASSERT(caller->compartment() == caller->callee().compartment());
if (!WarnOnTooManyArgs(cx, args))
return false;
return EvalKernel(cx, args, DIRECT_EVAL, caller, caller->scopeChain());
}
|
|
Assignee | |
Updated•13 years ago
|
Assignee: general → jorendorff
|
|
Assignee | |
Comment 3•13 years ago
|
||
Attachment #683828 -
Flags: review?(jimb)
|
||
Comment 4•13 years ago
|
||
Comment on attachment 683828 [details] [diff] [review]
v1
Review of attachment 683828 [details] [diff] [review]:
-----------------------------------------------------------------
Great!
Attachment #683828 -
Flags: review?(jimb) → review+
|
|
Assignee | |
Comment 5•13 years ago
|
||
|
||
Comment 6•13 years ago
|
||
Status: NEW → RESOLVED
Closed: 13 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla20
You need to log in
before you can comment on or make changes to this bug.
Description
•