Closed Bug 800586 Opened 12 years ago Closed 12 years ago

[jsdbg2] Assertion failure: thing->compartment() == trc->compartment || thing->compartment() == trc->runtime->atomsCompartment || (trc->srcKind == JSTRACE_OBJECT && InCrossCompartmentMap((JSObject *)trc->src, thing, kind)), at jsgc.cpp:3313

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla20

People

(Reporter: decoder, Assigned: jorendorff)

Details

(Keywords: assertion, testcase, Whiteboard: [jsbugmon:update])

Attachments

(1 file)

v1
2.73 KB, patch
jimb
: review+
Details | Diff | Splinter Review 
The following testcase asserts on mozilla-central revision 5cca0408a73f (run with --ion-eager):


var g = newGlobal('new-compartment');
var dbg = new Debugger();
var gw = dbg.addDebuggee(g);
dbg.onDebuggerStatement = function (f) {
	gw.evalInGlobal("eval('var x = \"A Brief History of Love\"');\n")
};
g.eval('debugger');
Whiteboard: [jsbugmon:update,bisect]
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   107152:6852b4928efa
user:        Bill McCloskey
date:        Fri Sep 14 17:19:53 2012 -0700
summary:     Bug 790865 - Add more compartment assertions (r=terrence)

This iteration took 100.131 seconds to run.
If I add this assertion to builtin/Eval.cpp, this testcase flunks it.

 bool
 js::DirectEval(JSContext *cx, const CallArgs &args)
 {
     // Direct eval can assume it was called from an interpreted frame.
     StackFrame *caller = cx->fp();
     JS_ASSERT(IsBuiltinEvalForScope(caller->scopeChain(), args.calleev()));
     JS_ASSERT(JSOp(*cx->regs().pc) == JSOP_EVAL);
+    JS_ASSERT(caller->compartment() == caller->callee().compartment());
 
     if (!WarnOnTooManyArgs(cx, args))
         return false;
 
     return EvalKernel(cx, args, DIRECT_EVAL, caller, caller->scopeChain());
 }
Assignee: general → jorendorff
Attached patch v1Splinter Review 

        Attachment #683828 -
        Flags: review?(jimb)

    
    

    
  
Comment on attachment 683828 [details] [diff] [review]
v1

Review of attachment 683828 [details] [diff] [review]:
-----------------------------------------------------------------

Great!

        Attachment #683828 -
        Flags: review?(jimb) → review+

    
    

    
  
https://hg.mozilla.org/mozilla-central/rev/f51eb7d2a8de
Status: NEW → RESOLVED
Closed: 12 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla20

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: