for each(y in (evalcx(''))) {} asserts js debug shell without -j on TM tip at Assertion failure: non-global object at end of scope chain, at ../jsobj.cpp:6290 (gdb) bt #0 0x001508d9 in JS_Assert (s=0x1ed1d0 "non-global object at end of scope chain", file=0x1ed1c0 "../jsobj.cpp", ln=6290) at ../jsutil.cpp:77 #1 0x000bd7a4 in JSObject::getCompartment (this=0x1002620, cx=0x809200) at ../jsobj.cpp:6290 #2 0x00151a32 in JSCompartment::wrap (this=0x40b330, cx=0x809200, vp=0x5000e0) at ../jswrapper.cpp:265 #3 0x00152808 in JSCrossCompartmentWrapper::iterate (this=0x20eeac, cx=0x809200, proxy=0x1002600, flags=3, vp=0x5000e0) at ../jswrapper.cpp:583 #4 0x00104cc5 in js::JSProxy::iterate (cx=0x809200, proxy=0x1002600, flags=3, vp=0x5000e0) at ../jsproxy.cpp:788 #5 0x000b490b in GetIterator (cx=0x809200, obj=0x1002600, flags=3, vp=0x5000e0) at ../jsiter.cpp:495 #6 0x000b4d07 in js_ValueToIterator (cx=0x809200, flags=3, vp=0x5000e0) at ../jsiter.cpp:642 #7 0x0008d808 in js_Interpret (cx=0x809200) at jsops.cpp:460 #8 0x000afad3 in js_Execute (cx=0x809200, chain=0x1002000, script=0x40c5b0, down=0x0, flags=0, result=0xbffff588) at jsinterp.cpp:870 #9 0x00016466 in JS_ExecuteScript (cx=0x809200, obj=0x1002000, script=0x40c5b0, rval=0xbffff588) at ../jsapi.cpp:4737 #10 0x0000a04e in Process (cx=0x809200, obj=0x1002000, filename=0x0, forceTTY=0) at ../../shell/js.cpp:522 #11 0x0000aa11 in ProcessArgs (cx=0x809200, obj=0x1002000, argv=0xbffff750, argc=0) at ../../shell/js.cpp:843 #12 0x0000ab2a in shell (cx=0x809200, argc=0, argv=0xbffff750, envp=0xbffff754) at ../../shell/js.cpp:5057 #13 0x0000ac4e in main (argc=0, argv=0xbffff750, envp=0xbffff754) at ../../shell/js.cpp:5144

autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: 44269:3aaaa21012c8 user: Jason Orendorff date: Wed Jun 23 16:35:10 2010 -0500 summary: Bug 563099 - Compartments and wrappers API. r=gal.

This also causes a near-null dereference in opt shells: Program received signal EXC_BAD_ACCESS, Could not access memory. Reason: KERN_PROTECTION_FAILURE at address: 0x0000001e 0x00101784 in JSCompartment::wrap () (gdb) (gdb) bt #0 0x00101784 in JSCompartment::wrap () #1 0x00103367 in JSCrossCompartmentWrapper::get () #2 0x000b4937 in js::proxy_GetProperty () #3 0x0007868b in js_GetMethod () #4 0x0000e7c3 in JS_GetMethodById () #5 0x00068744 in js_IteratorMore () #6 0x00059c00 in js_Interpret () #7 0x00066ec6 in js_Execute () #8 0x000134f8 in JS_ExecuteScript () #9 0x0000522c in Process () #10 0x000087a7 in shell () #11 0x00008cc7 in main () (gdb) x/i $eip 0x101784 <_ZN13JSCompartment4wrapEP9JSContextPl+404>: mov 0x8(%edx),%edx (gdb) x/i $edx 0x16: Cannot access memory at address 0x16

Shell only. evalcx blows. We should disallow anything there thats not a proper scope object.

Mea culpa. Iterator->getCompartment() crashes because parent is NULL. Brendan is probably right. The optimization is silly.

Brendan, I can fix this differently if you think its important to have this after all.

ok to leave the "flags" argument to NewIteratorObject, unused?

Good point. Brendan already had it removed once. Lets wait what he says. If we remove the code I will have to re-do the cleanup I made him take out...

Two things: 1. Measure the win of the JSITER_ENUMERATE fast path in NewIteratorObject. 2. Make evalcx do what eval does, per comment 3, and not allow non-scope objects. /be

Where is the "non-scope object" in this testcase?

This is fixed by bug 574262 which introduces a fast path that avoids asking non-escaping iterator objects for their parent to get their compartment.