Bugzilla@Mozilla – Bug 436741
"Assertion failure: OBJ_IS_NATIVE(obj)" with __proto__ mangling
Last modified: 2009-05-07 14:58:59 PDT
Created attachment 323256 [details] testcase (crashes or hangs Firefox when loaded) Loading the testcase kills Firefox. Debug: Assertion failure: OBJ_IS_NATIVE(obj), at /Users/jruderman/central/mozilla/js/src/jslock.cpp:1187 Opt: Hang. Security-sensitive for now because I don't know whether this is a memory safety bug in opt builds.
Created attachment 323257 [details] stack trace
Blake, can you take this one? /be
mrbkap's out for a couple, few more weeks still, isn't he?
Created attachment 326322 [details] [review] Guess This seems like an ancient bug dating back to bug 72354 (2001!). The code currently always locks obj2 when it is returned from a newresolve hook. Furthermore, when it finds out that obj2 is not native, it unlocks it. But both js_LockObj and js_UnlockObj (called directly via JS_{UN,}LOCK_OBJ) assert that the given object is native! The fix proposed here is to not try to lock (or unlock) a non-native object. Note that in this case, the non-native object is a shavarray, but could just as easily be a liveconnect object.
Comment on attachment 326322 [details] [review] Guess Yeah, this makes sense. Although for liveconnect do we have thread safety issues? For shavarrays my hope is to convert 'em to sparse upon crossing a thread boundary. /be
Created attachment 326444 [details] [review] Better Looking further down the loop shows that if the non-native object fails to resolve the id, we'll try to unlock the non-native obj2.
Comment on attachment 326444 [details] [review] Better Glad someone's looking! /be
Fix pushed as changeset 8eac0738eaab.
Want for branch blake?
Comment on attachment 326444 [details] [review] Better Yeah. I think this is necessary for the array prototype functions getting "this" wrong bug.
Comment on attachment 326444 [details] [review] Better Approved for 1.9.0.2. Please land in CVS. a=ss
Created attachment 332904 [details] js1_5/extensions/regress-436741.js
Fix checked into the 1.9 branch.
verified fixed 1.9.0/trunk linux/mac/win.
Comment on attachment 326444 [details] [review] Better This applies cleanly to the 1.8 branch.
Comment on attachment 326444 [details] [review] Better Approved for 1.8.1.18, a=dveditz for release-drivers
Fixed on the 1.8 branch too (although it isn't showing up in Bonsai, probably because I hit Ctrl+C in the middle of checking in).
v 1.8.1.18
Comment on attachment 326444 [details] [review] Better a=asac for 1.8.0
test landed http://hg.mozilla.org/mozilla-central/rev/dcddc30c2960 and cvs
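The two review comments above (the "Guess" patch that stops locking a non-native obj2, and the follow-up that the not-found path further down the loop still unlocks it) describe a lock/unlock pairing bug. The following is an added C model of that pattern, not SpiderMonkey code: the `Obj` layout, the `resolve_via_proto` hook, the `run_scenario` driver and all function names are hypothetical, and the `OBJ_IS_NATIVE` assertion in the real `js_LockObj`/`js_UnlockObj` is modelled as a `false` return so the three variants can be compared in a test rather than by crashing.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example: a self-contained model of the locking pattern the bug
 * describes. Not SpiderMonkey code; Obj, the hook and all names are
 * hypothetical. */

typedef struct Obj Obj;
typedef Obj *(*ResolveHook)(Obj *obj, const char *name);

struct Obj {
    bool native;        /* true for objects with the native (scope/slot) layout */
    int lock_depth;     /* models the per-object lock that only native objects own */
    const char *prop;   /* the single property this object defines, or NULL */
    Obj *proto;         /* hypothetical __proto__ link */
    ResolveHook resolve;
};

/* Models JS_LOCK_OBJ / JS_UNLOCK_OBJ, which both assert OBJ_IS_NATIVE(obj).
 * The assertion is modelled as a false return so a test can observe it. */
static bool lock_obj(Obj *o)   { if (!o->native) return false; o->lock_depth++; return true; }
static bool unlock_obj(Obj *o) { if (!o->native) return false; o->lock_depth--; return true; }

/* Hypothetical newresolve hook: answers "look on my __proto__" for any name. */
Obj *resolve_via_proto(Obj *obj, const char *name) { (void)name; return obj->proto; }

static bool owns(const Obj *o, const char *name) { return o->prop && strcmp(o->prop, name) == 0; }

/* Result codes for all three lookups:
 *   1  property found on obj2
 *   0  not found
 *  -1  lock or unlock attempted on a non-native object (the assertion) */

/* Original code: always lock obj2, always unlock it on both exits. */
int lookup_original(Obj *obj, const char *name) {
    Obj *obj2 = obj->resolve ? obj->resolve(obj, name) : NULL;
    if (!obj2) return 0;
    if (!lock_obj(obj2)) return -1;
    int found = owns(obj2, name) ? 1 : 0;
    if (!unlock_obj(obj2)) return -1;
    return found;
}

/* First patch: skip the lock for a non-native obj2 and skip the unlock on
 * the found path, but the not-found path further down still unlocks
 * unconditionally, which is the oversight the second comment points out. */
int lookup_first_patch(Obj *obj, const char *name) {
    Obj *obj2 = obj->resolve ? obj->resolve(obj, name) : NULL;
    if (!obj2) return 0;
    if (obj2->native && !lock_obj(obj2)) return -1;
    if (owns(obj2, name)) {
        if (obj2->native && !unlock_obj(obj2)) return -1;
        return 1;
    }
    if (!unlock_obj(obj2)) return -1;   /* bug: obj2 may be non-native here */
    return 0;
}

/* Final fix: remember whether we took the lock and release it only then,
 * on every exit path. */
int lookup_fixed(Obj *obj, const char *name) {
    Obj *obj2 = obj->resolve ? obj->resolve(obj, name) : NULL;
    if (!obj2) return 0;
    bool locked = obj2->native;
    if (locked && !lock_obj(obj2)) return -1;
    int found = owns(obj2, name) ? 1 : 0;
    if (locked && !unlock_obj(obj2)) return -1;
    return found;
}

/* Constructed scenario: a native object whose __proto__ is an object that
 * defines "length" and is either native or non-native (the array case).
 * Returns the lookup's code, or -2 if the proto's lock was left unbalanced. */
int run_scenario(int (*lookup)(Obj *, const char *), bool proto_native, const char *name) {
    Obj proto = { proto_native, 0, "length", NULL, NULL };
    Obj obj   = { true, 0, NULL, &proto, resolve_via_proto };
    int r = lookup(&obj, name);
    if (proto.lock_depth != 0) return -2;
    return r;
}

int main(void) {
    printf("original, non-native proto:        %d\n", run_scenario(lookup_original, false, "length"));
    printf("first patch, non-native, found:    %d\n", run_scenario(lookup_first_patch, false, "length"));
    printf("first patch, non-native, missing:  %d\n", run_scenario(lookup_first_patch, false, "foo"));
    printf("fixed, non-native, missing:        %d\n", run_scenario(lookup_fixed, false, "foo"));
    return 0;
}
```

The point the model makes is the one a reviewer checks for in any lock-on-return-value code: the decision to lock must be recorded and consulted on every exit path, not recomputed or assumed, otherwise a later branch (here the not-found path) silently re-introduces the call the first patch removed.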