Closed Bug 922837 Opened 11 years ago Closed 11 years ago

In IndexedDatabaseManager.cpp:235: Assertion failure: js::GetObjectClass(aGlobal)->flags & (1<<7) (Not a global object!)

Categories

(Core :: Storage: IndexedDB, defect)

Product:
Core
Component:
Storage: IndexedDB
Platform:
All
Android
Type:
defect
Priority:
Not set
Severity:
major

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla27

People

(Reporter: jgilbert, Assigned: janv)

References

Details

Attachments

(1 file)

patch
1.49 KB, patch
bholley
: review+
Details | Diff | Splinter Review 
My local build of central started hitting this consistently:
F/MOZ_Assert(12226): Assertion failure: js::GetObjectClass(aGlobal)->flags & (1<<7) (Not a global object!), at mozilla/central/dom/indexedDB/IndexedDatabaseManager.cpp:235

I get this on my Galaxy Tab 10.1:
First, google "webgl test".
Choose your adventure:
1) Click "Testing/Conformance - WebGL Public Wiki".
2) Click another result on that page.
3) Just wait about 20s.

All three end with the browser asserting out.
Any ideas? This also reproduces on my Nexus 10.
Flags: needinfo?(Jan.Varga)
This also happens on etherpad.mozilla.org, apparently on any etherpad. (Either create a new one and wait, or access and old one, and wait)
It also happens on:
https://www.khronos.org/registry/webgl/
https://www.khronos.org/registry/webgl/conformance-suites/
https://www.khronos.org/registry/webgl/conformance-suites/1.0.1/webgl-conformance-tests.html

At this point, it's notable that the only site I've tried which doesn't do this is slashdot.org's frontpage, and the one story page I tried.

This is making it impossible to do DEBUG testing against central.
Severity: normal → major
This code is clearly bogus, JS can apply the lazy getter to anything it wants, not just a global.
The lazy getter should just go away, and we should do bug 920553.
For the moment we probably just need to innerize in IndexedDBLazyGetter.
Jan is going to take this.
Assignee: khuey → Jan.Varga
Flags: needinfo?(Jan.Varga)
    1.38 +  JS::RootedObject global(aCx, CheckedUnwrap(aGlobal, false));

Note that CheckedUnwrap can veto and return null, which may well happen if somebody applies the lazy getter to a security wrapper.

I think the most robust thing for now is to do:
JS::RootedObject global(aCx, CheckedUnwrap(aGlobal, false));
NS_ENSURE_TRUE(global, false);
NS_ENSURE_TRUE(js::GetObjectClass(global)->flags & JSCLASS_DOM_GLOBAL, false);
Attached patch patchSplinter Review 

        Attachment #813084 -
        Flags: review?(bobbyholley+bmo)

    
    

    
  
Comment on attachment 813084 [details] [diff] [review]
patch

Review of attachment 813084 [details] [diff] [review]:
-----------------------------------------------------------------

::: dom/indexedDB/IndexedDatabaseManager.cpp
@@ +234,5 @@
>    MOZ_ASSERT(JSID_IS_STRING(aId), "Bad id!");
>    MOZ_ASSERT(JS_FlatStringEqualsAscii(JSID_TO_FLAT_STRING(aId), IDB_STR),
>               "Bad id!");
>  
> +  JS::RootedObject global(aCx, CheckedUnwrap(aGlobal, false));

Please add /* stopAtOuter = */ before the |false| parameter.

        Attachment #813084 -
        Flags: review?(bobbyholley+bmo) → review+

    
    

    
  
https://hg.mozilla.org/mozilla-central/rev/e02d4a452afc
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla27

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: