Closed Bug 567081 Opened 15 years ago Closed 14 years ago

"###!!! ASSERTION: No scope has this global object!: 'OKIfNotInitialized'," with XPCNativeWrapper, defineSetter, Proxy.create

Categories: Core :: JavaScript Engine, defect
Platform: x86 Linux
Priority: Not set
Severity: critical
Status: RESOLVED DUPLICATE of bug 576714
Tracking Status: blocking2.0 --- beta3+
People: Reporter: gkw, Assigned: mrbkap
Keywords: assertion, regression, testcase
Attachments: 1 file

__defineSetter__("x", XPCNativeWrapper)
x = Proxy.create((function () { return {} }), this)

asserts xpcshell on TM tip without -j at "###!!! ASSERTION: No scope has this global object!: 'OKIfNotInitialized'," Assuming related to harmony:proxies. Tested on 64-bit.

Program received signal SIGSEGV, Segmentation fault.
0x00007f81df2209de in XPCWrappedNativeScope::GetPrincipal (this=0x0) at /home/fuzz1/tracemonkey/js/src/xpconnect/src/xpcprivate.h:1429
1429 mScriptObjectPrincipal->GetPrincipal() : nsnull;}
(gdb) bt
#0 0x00007f81df2209de in XPCWrappedNativeScope::GetPrincipal (this=0x0) at /home/fuzz1/tracemonkey/js/src/xpconnect/src/xpcprivate.h:1429
#1 0x00007f81df283934 in XPCWrappedNativeScope::GetWrapperFor (this=0x2de3e00, cx=0x2de36d0, obj=0x7f81cf3a3b40, hint=XPCWrapper::XPCNW_EXPLICIT, wn=0x7fff09c81ea0) at /home/fuzz1/tracemonkey/js/src/xpconnect/src/xpcwrappednativescope.cpp:1027
#2 0x00007f81df2865a3 in XPCNativeWrapperCtor (cx=0x2de36d0, obj=0x0, argc=1, argv=0x7f81d2c73140, rval=0x7f81d2c73188) at /home/fuzz1/tracemonkey/js/src/xpconnect/src/XPCNativeWrapper.cpp:1000
#3 0x00007f81dda814ca in js_Invoke (cx=0x2de36d0, args=..., flags=2) at /home/fuzz1/tracemonkey/js/src/jsinterp.cpp:639
#4 0x00007f81dda816f1 in js_InternalInvoke (cx=0x2de36d0, obj=0x7f81cf3a3380, fval=140195504214128, flags=0, argc=1, argv=0x7fff09c82760, rval=0x7fff09c82760) at /home/fuzz1/tracemonkey/js/src/jsinterp.cpp:678
#5 0x00007f81dda8183f in js_InternalGetOrSet (cx=0x2de36d0, obj=0x7f81cf3a3380, id=140195750453284, fval=140195504214128, mode=JSACC_WRITE, argc=1, argv=0x7fff09c82760, rval=0x7fff09c82760) at /home/fuzz1/tracemonkey/js/src/jsinterp.cpp:714
#6 0x00007f81ddaa677f in JSScopeProperty::set (this=0x2d6eef8, cx=0x2de36d0, obj=0x7f81cf3a3380, vp=0x7fff09c82760) at /home/fuzz1/tracemonkey/js/src/jsscope.h:998
#7 0x00007f81ddaa03a4 in js_NativeSet (cx=0x2de36d0, obj=0x7f81cf3a3380, sprop=0x2d6eef8, added=false, vp=0x7fff09c82760) at /home/fuzz1/tracemonkey/js/src/jsobj.cpp:4733
#8 0x00007f81ddaa1a17 in js_SetPropertyHelper (cx=0x2de36d0, obj=0x7f81cf3a3380, id=140195750453284, defineHow=9, vp=0x7fff09c82760) at /home/fuzz1/tracemonkey/js/src/jsobj.cpp:5140
#9 0x00007f81dda6be9f in js_Interpret (cx=0x2de36d0) at /home/fuzz1/tracemonkey/js/src/jsops.cpp:1825
#10 0x00007f81dda81e9c in js_Execute (cx=0x2de36d0, chain=0x7f81cf3a3380, script=0x2de89d0, down=0x0, flags=0, result=0x7fff09c82b78) at /home/fuzz1/tracemonkey/js/src/jsinterp.cpp:837
#11 0x00007f81dd9efff8 in JS_ExecuteScript (cx=0x2de36d0, obj=0x7f81cf3a3380, script=0x2de89d0, rval=0x7fff09c82b78) at /home/fuzz1/tracemonkey/js/src/jsapi.cpp:4802
#12 0x0000000000405b22 in ProcessFile (cx=0x2de36d0, obj=0x7f81cf3a3380, filename=0x0, file=0x7f81dc9976a0, forceTTY=0) at /home/fuzz1/tracemonkey/js/src/xpconnect/shell/xpcshell.cpp:1043
#13 0x0000000000405d34 in Process (cx=0x2de36d0, obj=0x7f81cf3a3380, filename=0x0, forceTTY=0) at /home/fuzz1/tracemonkey/js/src/xpconnect/shell/xpcshell.cpp:1082
#14 0x0000000000406456 in ProcessArgs (cx=0x2de36d0, obj=0x7f81cf3a3380, argv=0x7fff09c83fc0, argc=0) at /home/fuzz1/tracemonkey/js/src/xpconnect/shell/xpcshell.cpp:1249
#15 0x0000000000407b80 in main (argc=0, argv=0x7fff09c83fc0, envp=0x7fff09c83fc8) at /home/fuzz1/tracemonkey/js/src/xpconnect/shell/xpcshell.cpp:1904
blocking2.0: --- → ?
blocking2.0: ? → beta1+
Attached patch Proposed fix (deleted) — Splinter Review
This is cheesy, as gal put it on IRC, but it works: proxies should always have a parent.
Assignee: general → mrbkap
Status: NEW → ASSIGNED
Attachment #450477 - Flags: review?(gal)
Comment on attachment 450477 [details] [diff] [review] Proposed fix >Bug 567081 - Make sure proxies have a non-null parent. > >diff --git a/js/src/jsproxy.cpp b/js/src/jsproxy.cpp >--- a/js/src/jsproxy.cpp >+++ b/js/src/jsproxy.cpp >@@ -1066,20 +1066,23 @@ proxy_create(JSContext *cx, uintN argc, > } > JSObject *handler; > if (!(handler = NonNullObject(cx, vp[2]))) > return false; > JSObject *proto, *parent; > if (argc > 1 && !JSVAL_IS_PRIMITIVE(vp[3])) { > proto = JSVAL_TO_OBJECT(vp[3]); > parent = proto->getParent(); >+ if (!parent) >+ parent = proto; This seems bogus, because proto is not a global object in all likelihood. Why not do what you do here: > } else { > JS_ASSERT(VALUE_IS_FUNCTION(cx, vp[0])); > proto = NULL; > parent = JSVAL_TO_OBJECT(vp[0])->getParent(); >+ JS_ASSERT(parent); > } which suggests shorter code: . if (argc > 1 && !JSVAL_IS_PRIMITIVE(vp[3])) { . proto = JSVAL_TO_OBJECT(vp[3]); . parent = proto->getParent(); . } else { . JS_ASSERT(VALUE_IS_FUNCTION(cx, vp[0])); . proto = parent = NULL; . } . if (!parent) { . parent = JSVAL_TO_OBJECT(vp[0])->getParent(); . JS_ASSERT(parent); . } /be
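Review bot: the `if (!parent) parent = proto;` fallback in the first branch is only correct when the user-supplied vp[3] is itself a global; a parentless non-global proto would still leave the proxy with no path to a global scope, which is what the XPCWrappedNativeScope lookup in the backtrace needs (GetPrincipal is reached with this=0x0). A single fallback to the callee's parent, `parent = JSVAL_TO_OBJECT(vp[0])->getParent();`, applied whenever parent is null, covers both the global-proto case and the no-proto case. The `JS_ASSERT(parent);` added in the else branch only states the expectation and does not handle a null parent at runtime, so that branch should share the same real fallback rather than rely on the assertion.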
(In reply to comment #3) > This seems bogus, because proto is not a global object in all likelihood. Why > not do what you do here: vp[3] is user controlled and *can* be a global object, so we need to deal with that case. Your proposal does seem better, though. I'll attach a new patch tomorrow.
Attachment #450477 - Flags: review?(gal) → review+
Bumping to beta 2. Yell if you object.
blocking2.0: beta1+ → beta2+
Patch is reviewed, but it's sat across a beta deadline. Moving this to beta3+, but if it makes it in before code freeze (4hrs, midnight tonight, PT) then yay!
blocking2.0: beta2+ → beta3+
Can we get this checked in please so it doesn't miss another beta deadline? Next code freeze is Monday, Aug 2 for beta3.
Robert: you on this merge from TM?
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE