Closed Bug 614131 Opened 14 years ago Closed 14 years ago

Compartment mismatches with JSD: CallJSNative(exn_toString)

Categories: Core :: JavaScript Engine, defect
Platform: x86_64 Linux
Type: defect
Priority: Not set
Severity: normal

Status: RESOLVED FIXED
Tracking Status: blocking2.0 --- betaN+

People: Reporter: sfink, Assigned: adrake

Keywords: regression
Whiteboard: [compartments][firebug-p1][hardblocker] fixed-in-tracemonkey

Attachments: 5 files, 3 obsolete files

Attached file Test file 1 (deleted) —
I'm seeing multiple assertSameCompartment failures in conjunction with JSD.

STR: Install firebug 1.7. Open up sample.html, activate firebug. Play around with breakpoints. (I have one set on the 'for' loop.) Switch to sample2.html. Play around some more. (Set a breakpoint and reload. If you've set one in a past session, you should crash when opening sample2.html.)

I am very quickly seeing compartment-related assertion failures. I have one from CallJSNative(exn_toString). I saw another from JS_DecompileFunctionBody() called from jsdScript::CreatePPLineMap(), which I'll file when I can reproduce.

Here's a stack for CallJSNative:

(gdb) bt
#0  0x0000003de620f30b in raise (sig=<value optimized out>) at ../nptl/sysdeps/unix/sysv/linux/pt-raise.c:42
#1  0x00007ffff48c7c14 in JS_Assert (s=0x7ffff4a2d2ec "compartment mismatched", file=0x7ffff4a2d160 "/home/sfink/src/.TM-3/js/src/jscntxtinlines.h", ln=541) at /home/sfink/src/.TM-3/js/src/jsutil.cpp:83
#2  0x00007ffff4747695 in js::CompartmentChecker::fail (c1=0x7fffdb560400, c2=0x7fffd9f4ec00) at /home/sfink/src/.TM-3/js/src/jscntxtinlines.h:541
#3  0x00007ffff4747703 in js::CompartmentChecker::check (this=0x7fffffffc390, c=0x7fffd9f4ec00) at /home/sfink/src/.TM-3/js/src/jscntxtinlines.h:549
#4  0x00007ffff4747749 in js::CompartmentChecker::check (this=0x7fffffffc390, obj=0x7fffce8a1f00) at /home/sfink/src/.TM-3/js/src/jscntxtinlines.h:557
#5  0x00007ffff474778a in js::CompartmentChecker::check (this=0x7fffffffc390, v=...) at /home/sfink/src/.TM-3/js/src/jscntxtinlines.h:562
#6  0x00007ffff4800ef6 in js::CompartmentChecker::check (this=0x7fffffffc390, arr=...) at /home/sfink/src/.TM-3/js/src/jscntxtinlines.h:571
#7  0x00007ffff4801e73 in js::assertSameCompartment<ValueArray> (cx=0x7fffe4e0f400, t1=...) at /home/sfink/src/.TM-3/js/src/jscntxtinlines.h:624
#8  0x00007ffff4800f64 in js::CallJSNative (cx=0x7fffe4e0f400, native=0x7ffff47a9e08 <exn_toString(JSContext*, uintN, js::Value*)>, argc=0, vp=0x7fffe84fd038) at /home/sfink/src/.TM-3/js/src/jscntxtinlines.h:683
#9  0x00007ffff4804709 in js::Invoke (cx=0x7fffe4e0f400, argsRef=..., flags=0) at /home/sfink/src/.TM-3/js/src/jsinterp.cpp:704
#10 0x00007ffff4804fbc in js::ExternalInvoke (cx=0x7fffe4e0f400, thisv=..., fval=..., argc=0, argv=0x0, rval=0x7fffffffc6a0) at /home/sfink/src/.TM-3/js/src/jsinterp.cpp:862
#11 0x00007ffff481aff5 in js::ExternalInvoke (cx=0x7fffe4e0f400, obj=0x7fffddcae2d0, fval=..., argc=0, argv=0x0, rval=0x7fffffffc6a0) at /home/sfink/src/.TM-3/js/src/jsinterp.h:962
#12 0x00007ffff482cec4 in js_TryMethod (cx=0x7fffe4e0f400, obj=0x7fffddcae2d0, atom=0x7fffe7f016c0, argc=0, argv=0x0, rval=0x7fffffffc6a0) at /home/sfink/src/.TM-3/js/src/jsobj.cpp:5978
#13 0x00007ffff482c0a1 in js::DefaultValue (cx=0x7fffe4e0f400, obj=0x7fffddcae2d0, hint=JSTYPE_STRING, vp=0x7fffffffc6f0) at /home/sfink/src/.TM-3/js/src/jsobj.cpp:5626
#14 0x00007ffff48a85f5 in js_ValueToString (cx=0x7fffe4e0f400, arg=...) at /home/sfink/src/.TM-3/js/src/jsstr.cpp:3735
#15 0x00007ffff47ab12b in js_ReportUncaughtException (cx=0x7fffe4e0f400) at /home/sfink/src/.TM-3/js/src/jsexn.cpp:1243
#16 0x00007ffff473b7bf in LAST_FRAME_EXCEPTION_CHECK (cx=0x7fffe4e0f400, result=false) at /home/sfink/src/.TM-3/js/src/jsapi.cpp:4400
#17 0x00007ffff473b7f9 in LAST_FRAME_CHECKS (cx=0x7fffe4e0f400, result=false) at /home/sfink/src/.TM-3/js/src/jsapi.cpp:4407
#18 0x00007ffff473d647 in JS_EvaluateUCScriptForPrincipals (cx=0x7fffe4e0f400, obj=0x7fffddcae828, principals=0x7fffd424ae08, chars=0x7fffd9856d18, length=158, filename=0x7fffce68a9e8 "file:///home/sfink/src/TM-singlestep/sample2.html", lineno=2, rval=0x0) at /home/sfink/src/.TM-3/js/src/jsapi.cpp:4885
#19 0x00007ffff473d471 in JS_EvaluateUCScriptForPrincipalsVersion (cx=0x7fffe4e0f400, obj=0x7fffddcae828, principals=0x7fffd424ae08, chars=0x7fffd9856d18, length=158, filename=0x7fffce68a9e8 "file:///home/sfink/src/TM-singlestep/sample2.html", lineno=2, rval=0x0, version=JSVERSION_DEFAULT) at /home/sfink/src/.TM-3/js/src/jsapi.cpp:4860
#20 0x00007ffff5dd94ca in nsJSContext::EvaluateString (this=0x7fffe4b87a20, aScript=..., aScopeObject=0x7fffddcae828, aPrincipal=0x7fffd424ae00, aURL=0x7fffce68a9e8 "file:///home/sfink/src/TM-singlestep/sample2.html", aLineNo=2, aVersion=0, aRetValue=0x0, aIsUndefined=0x7fffffffcc1c) at /home/sfink/src/.TM-3/dom/base/nsJSEnvironment.cpp:1731
#21 0x00007ffff5b2e105 in nsScriptLoader::EvaluateScript (this=0x7fffd4159680, aRequest=0x7fffd9681b60, aScript=...) at /home/sfink/src/.TM-3/content/base/src/nsScriptLoader.cpp:870
#22 0x00007ffff5b2da2b in nsScriptLoader::ProcessRequest (this=0x7fffd4159680, aRequest=0x7fffd9681b60) at /home/sfink/src/.TM-3/content/base/src/nsScriptLoader.cpp:769
#23 0x00007ffff5b2d6ee in nsScriptLoader::ProcessScriptElement (this=0x7fffd4159680, aElement=0x7fffce631e60) at /home/sfink/src/.TM-3/content/base/src/nsScriptLoader.cpp:715
#24 0x00007ffff5b29c53 in nsScriptElement::MaybeProcessScript (this=0x7fffce631e60) at /home/sfink/src/.TM-3/content/base/src/nsScriptElement.cpp:167
#25 0x00007ffff5c7931c in nsHTMLScriptElement::MaybeProcessScript (this=0x7fffce631df0) at /home/sfink/src/.TM-3/content/html/content/src/nsHTMLScriptElement.cpp:581
#26 0x00007ffff5c78fe2 in nsHTMLScriptElement::DoneAddingChildren (this=0x7fffce631df0, aHaveNotified=1) at /home/sfink/src/.TM-3/content/html/content/src/nsHTMLScriptElement.cpp:510
#27 0x00007ffff5fca6d1 in nsHtml5TreeOpExecutor::RunScript (this=0x7fffd4123f30, aScriptElement=0x7fffce631df0) at /home/sfink/src/.TM-3/parser/html/nsHtml5TreeOpExecutor.cpp:730
#28 0x00007ffff5fc9d12 in nsHtml5TreeOpExecutor::RunFlushLoop (this=0x7fffd4123f30) at /home/sfink/src/.TM-3/parser/html/nsHtml5TreeOpExecutor.cpp:525
#29 0x00007ffff5fd0c68 in nsHtml5ExecutorFlusher::Run (this=0x7fffd3f3ada0) at /home/sfink/src/.TM-3/parser/html/nsHtml5StreamParser.cpp:153
#30 0x00007ffff6b9e275 in nsThread::ProcessNextEvent (this=0x7ffff2d395e0, mayWait=0, result=0x7fffffffd63c) at /home/sfink/src/.TM-3/xpcom/threads/nsThread.cpp:610
#31 0x00007ffff6b28374 in NS_ProcessNextEvent_P (thread=0x7ffff2d395e0, mayWait=0) at nsThreadUtils.cpp:250
#32 0x00007ffff698891a in mozilla::ipc::MessagePump::Run (this=0x7ffff2dfebc0, aDelegate=0x7fffec0271c0) at /home/sfink/src/.TM-3/ipc/glue/MessagePump.cpp:110
#33 0x00007ffff6c07257 in MessageLoop::RunInternal (this=0x7fffec0271c0) at /home/sfink/src/.TM-3/ipc/chromium/src/base/message_loop.cc:219
#34 0x00007ffff6c071dc in MessageLoop::RunHandler (this=0x7fffec0271c0) at /home/sfink/src/.TM-3/ipc/chromium/src/base/message_loop.cc:202
#35 0x00007ffff6c0716d in MessageLoop::Run (this=0x7fffec0271c0) at /home/sfink/src/.TM-3/ipc/chromium/src/base/message_loop.cc:176
#36 0x00007ffff68259db in nsBaseAppShell::Run (this=0x7fffea7fcf80) at /home/sfink/src/.TM-3/widget/src/xpwidgets/nsBaseAppShell.cpp:181
#37 0x00007ffff656dde5 in nsAppStartup::Run (this=0x7fffe80924c0) at /home/sfink/src/.TM-3/toolkit/components/startup/src/nsAppStartup.cpp:191
#38 0x00007ffff548315a in XRE_main (argc=4, argv=0x7fffffffe298, aAppData=0x7ffff2d250f0) at /home/sfink/src/.TM-3/toolkit/xre/nsAppRunner.cpp:3682
#39 0x0000000000401e7f in main (argc=4, argv=0x7fffffffe298) at /home/sfink/src/.TM-3/browser/app/nsBrowserApp.cpp:158
(gdb)
Attached file Test file 2 (deleted) —
blocking2.0: --- → ?
Depends on: 610941
steve: please try to limit the jsd component to bugs where there's actually source from js/jsd/ in the stack
Assignee: nobody → general
Component: JavaScript Debugging APIs → JavaScript Engine
QA Contact: jsd → general
mrbkap et al., in debug builds, is it possible to actually provide enough information to make this stuff easy to debug? Ideally something like tracerefcnt (or the older JSLock ABBA checker) where the compartment pointer and its stack are dumped at creation time (if an env var is set), so that when someone hits an assert like this, the person who sees the assert can look back and point to the place where the compartment came from (in stack form).
Exact steps to reproduce:

1. Set up a profile with Firebug 1.7 installed.
2. Clean it out (this is just to make it reproducible with the exact same steps): rm -rf <profile>/sessionstore* <profile>/firebug
3. Start up firefox on sample.html: dist/bin/firefox -no-remote -P dev file:///home/sfink/src/TM-singlestep/sample.html
4. Turn on firebug (click the bug icon in the bottom right)
5. Reload (Ctrl-R)
6. From the location bar, switch to sample2.html
7. Set breakpoints on the 'for' line and the line with 'y=3' (lines 7 and 10)
8. Reload. You will now be stopped at the breakpoint on the 'for' line. (line 7)
9. Press F8 ('continue') to advance to the breakpoint on the 'y=3' line (line 10)
10. From the location bar, switch back to sample.html
Unfortunately, the fix in bug 610941 does not fix this. I have a browser-chrome mochitest that does everything in the STR above, but unfortunately it does not cause the crash. So either browser chrome mochitests set things up slightly differently, or my test isn't mimicking how Firebug does all of the breakpoints etc.

In watching JS_EvaluateUCScriptForPrincipals(), what I see is that first sample.html runs a script in a context with compartment C1, using an 'obj' parameter corresponding to a Window object in compartment C1. After the script is done executing, cx->compartment and obj->getCompartment() are both still C1. Then sample2.html executes a script. On entry, we have the same context, but now both cx->compartment and obj->getCompartment() are a different compartment, C2. After exiting, however, cx->compartment has been reverted back to C1. This is only noticed with the above STR because sample2.html contains an error, and while generating the error message the compartment mismatch is detected. (Note that 'obj' is different between the two Evaluate invocations.)

None of which means much of anything to me.
Here's some more probably-useless detail:

This is the stack where C1 got created:

#0  JSCompartment::JSCompartment (this=0x7fffdd899800, rt=0x7fffea89e000) at /home/sfink/src/TM-singlestep/js/src/jscompartment.cpp:60
#1  0x00007ffff475c95b in js::gc::NewCompartment (cx=0x7fffddd4b800, principals=0x7fffd82398f8) at /home/sfink/src/TM-singlestep/js/src/jsgc.cpp:2609
#2  0x00007ffff46d4a55 in JS_NewCompartmentAndGlobalObject (cx=0x7fffddd4b800, clasp=0x7ffff7f89200, principals=0x7fffd82398f8) at /home/sfink/src/TM-singlestep/js/src/jsapi.cpp:2969
#3  0x00007ffff62f8900 in CreateNewCompartment (cx=0x7fffddd4b800, clasp=0x7ffff7f89200, principal=0x7fffd82398f0, priv=0x7fffda3fde80, global=0x7fffffffc270, compartment=0x7fffffffc278) at /home/sfink/src/TM-singlestep/js/src/xpconnect/src/nsXPConnect.cpp:964
#4  0x00007ffff62f8bfb in xpc_CreateGlobalObject (cx=0x7fffddd4b800, clasp=0x7ffff7f89200, principal=0x7fffd82398f0, ptr=0x0, wantXrays=false, global=0x7fffffffc270, compartment=0x7fffffffc278) at /home/sfink/src/TM-singlestep/js/src/xpconnect/src/nsXPConnect.cpp:1002
#5  0x00007ffff62f905a in nsXPConnect::InitClassesWithNewWrappedGlobal (this=0x7fffebd35f50, aJSContext=0x7fffddd4b800, aCOMObj=0x7fffdd899478, aIID=..., aPrincipal=0x7fffd82398f0, aExtraPtr=0x0, aFlags=0, _retval=0x7fffffffc340) at /home/sfink/src/TM-singlestep/js/src/xpconnect/src/nsXPConnect.cpp:1089
#6  0x00007ffff5d970c0 in nsJSContext::CreateNativeGlobalForInner (this=0x7fffdde939e0, aNewInner=0x7fffdd899478, aIsChrome=0, aPrincipal=0x7fffd82398f0, aNativeGlobal=0x7fffdd899630, aHolder=0x7fffddd4b5d8) at /home/sfink/src/TM-singlestep/dom/base/nsJSEnvironment.cpp:2540
#7  0x00007ffff5db6649 in nsGlobalWindow::SetNewDocument (this=0x7fffddd4b400, aDocument=0x7fffd61bb800, aState=0x0, aForceReuseInnerWindow=0) at /home/sfink/src/TM-singlestep/dom/base/nsGlobalWindow.cpp:1982
#8  0x00007ffff572b5af in DocumentViewerImpl::InitInternal (this=0x7fffd6025080, aParentWidget=0x0, aState=0x0, aBounds=..., aDoCreation=1, aNeedMakeCX=1) at /home/sfink/src/TM-singlestep/layout/base/nsDocumentViewer.cpp:956
#9  0x00007ffff572a25e in DocumentViewerImpl::Init (this=0x7fffd6025080, aParentWidget=0x0, aBounds=...) at /home/sfink/src/TM-singlestep/layout/base/nsDocumentViewer.cpp:693
#10 0x00007ffff6443223 in nsDocShell::SetupNewViewer (this=0x7fffddd4ac00, aNewViewer=0x7fffd6025080) at /home/sfink/src/TM-singlestep/docshell/base/nsDocShell.cpp:7619
#11 0x00007ffff643b593 in nsDocShell::Embed (this=0x7fffddd4ac00, aContentViewer=0x7fffd6025080, aCommand=0x7ffff72366eb "", aExtraInfo=0x0) at /home/sfink/src/TM-singlestep/docshell/base/nsDocShell.cpp:5716
#12 0x00007ffff6441fcc in nsDocShell::CreateContentViewer (this=0x7fffddd4ac00, aContentType=0x7fffd604dc18 "text/html", request=0x7fffddcd4b80, aContentHandler=0x7fffd6050df0) at /home/sfink/src/TM-singlestep/docshell/base/nsDocShell.cpp:7406
#13 0x00007ffff645dbae in nsDSURIContentListener::DoContent (this=0x7fffddd56330, aContentType=0x7fffd604dc18 "text/html", aIsContentPreferred=0, request=0x7fffddcd4b80, aContentHandler=0x7fffd6050df0, aAbortProcess=0x7fffffffcf1c) at /home/sfink/src/TM-singlestep/docshell/base/nsDSURIContentListener.cpp:148
#14 0x00007ffff6466360 in nsDocumentOpenInfo::TryContentListener (this=0x7fffd6050dd0, aListener=0x7fffddd56330, aChannel=0x7fffddcd4b80) at /home/sfink/src/TM-singlestep/uriloader/base/nsURILoader.cpp:757
#15 0x00007ffff6464f55 in nsDocumentOpenInfo::DispatchContent (this=0x7fffd6050dd0, request=0x7fffddcd4b80, aCtxt=0x0) at /home/sfink/src/TM-singlestep/uriloader/base/nsURILoader.cpp:455
#16 0x00007ffff64644f7 in nsDocumentOpenInfo::OnStartRequest (this=0x7fffd6050dd0, request=0x7fffddcd4b80, aCtxt=0x0) at /home/sfink/src/TM-singlestep/uriloader/base/nsURILoader.cpp:295
#17 0x00007ffff54730b3 in nsBaseChannel::OnStartRequest (this=0x7fffddcd4b30, request=0x7fffdd563d80, ctxt=0x0) at /home/sfink/src/TM-singlestep/netwerk/base/src/nsBaseChannel.cpp:712
#18 0x00007ffff5487d20 in nsInputStreamPump::OnStateStart (this=0x7fffdd563d80) at /home/sfink/src/TM-singlestep/netwerk/base/src/nsInputStreamPump.cpp:441
#19 0x00007ffff5487b50 in nsInputStreamPump::OnInputStreamReady (this=0x7fffdd563d80, stream=0x7fffe2b7f9c8) at /home/sfink/src/TM-singlestep/netwerk/base/src/nsInputStreamPump.cpp:397
#20 0x00007ffff6b43679 in nsInputStreamReadyEvent::Run (this=0x7fffe4eca380) at /home/sfink/src/TM-singlestep/xpcom/io/nsStreamUtils.cpp:112
#21 0x00007ffff6b6ea44 in nsThread::ProcessNextEvent (this=0x7fffebd04d80, mayWait=0, result=0x7fffffffd5fc) at /home/sfink/src/TM-singlestep/xpcom/threads/nsThread.cpp:626
#22 0x00007ffff6af88e4 in NS_ProcessNextEvent_P (thread=0x7fffebd04d80, mayWait=0) at nsThreadUtils.cpp:250
#23 0x00007ffff693ec1a in mozilla::ipc::MessagePump::Run (this=0x7fffebd14080, aDelegate=0x7fffebd251c0) at /home/sfink/src/TM-singlestep/ipc/glue/MessagePump.cpp:110
#24 0x00007ffff6bd88eb in MessageLoop::RunInternal (this=0x7fffebd251c0) at /home/sfink/src/TM-singlestep/ipc/chromium/src/base/message_loop.cc:219
#25 0x00007ffff6bd8870 in MessageLoop::RunHandler (this=0x7fffebd251c0) at /home/sfink/src/TM-singlestep/ipc/chromium/src/base/message_loop.cc:202
#26 0x00007ffff6bd8801 in MessageLoop::Run (this=0x7fffebd251c0) at /home/sfink/src/TM-singlestep/ipc/chromium/src/base/message_loop.cc:176
#27 0x00007ffff67d8fc7 in nsBaseAppShell::Run (this=0x7fffe8796500) at /home/sfink/src/TM-singlestep/widget/src/xpwidgets/nsBaseAppShell.cpp:181
#28 0x00007ffff652148d in nsAppStartup::Run (this=0x7fffe87adb00) at /home/sfink/src/TM-singlestep/toolkit/components/startup/src/nsAppStartup.cpp:191
#29 0x00007ffff54336d2 in XRE_main (argc=5, argv=0x7fffffffe258, aAppData=0x7ffff2c27080) at /home/sfink/src/TM-singlestep/toolkit/xre/nsAppRunner.cpp:3691
#30 0x0000000000401d0c in main (argc=5, argv=0x7fffffffe258) at /home/sfink/src/TM-singlestep/browser/app/nsBrowserApp.cpp:158

And this is the stack where C2 was created (which only happened after sample.html was done executing):

#0  JSCompartment::JSCompartment (this=0x7fffdb172c00, rt=0x7fffea89e000) at /home/sfink/src/TM-singlestep/js/src/jscompartment.cpp:60
#1  0x00007ffff475c95b in js::gc::NewCompartment (cx=0x7fffddd4b800, principals=0x7fffe3885868) at /home/sfink/src/TM-singlestep/js/src/jsgc.cpp:2609
#2  0x00007ffff46d4a55 in JS_NewCompartmentAndGlobalObject (cx=0x7fffddd4b800, clasp=0x7ffff7f89200, principals=0x7fffe3885868) at /home/sfink/src/TM-singlestep/js/src/jsapi.cpp:2969
#3  0x00007ffff62f8900 in CreateNewCompartment (cx=0x7fffddd4b800, clasp=0x7ffff7f89200, principal=0x7fffe3885860, priv=0x7fffdb184740, global=0x7fffffffc270, compartment=0x7fffffffc278) at /home/sfink/src/TM-singlestep/js/src/xpconnect/src/nsXPConnect.cpp:964
#4  0x00007ffff62f8bfb in xpc_CreateGlobalObject (cx=0x7fffddd4b800, clasp=0x7ffff7f89200, principal=0x7fffe3885860, ptr=0x0, wantXrays=false, global=0x7fffffffc270, compartment=0x7fffffffc278) at /home/sfink/src/TM-singlestep/js/src/xpconnect/src/nsXPConnect.cpp:1002
#5  0x00007ffff62f905a in nsXPConnect::InitClassesWithNewWrappedGlobal (this=0x7fffebd35f50, aJSContext=0x7fffddd4b800, aCOMObj=0x7fffdb172878, aIID=..., aPrincipal=0x7fffe3885860, aExtraPtr=0x0, aFlags=0, _retval=0x7fffffffc340) at /home/sfink/src/TM-singlestep/js/src/xpconnect/src/nsXPConnect.cpp:1089
#6  0x00007ffff5d970c0 in nsJSContext::CreateNativeGlobalForInner (this=0x7fffdde939e0, aNewInner=0x7fffdb172878, aIsChrome=0, aPrincipal=0x7fffe3885860, aNativeGlobal=0x7fffdb172a30, aHolder=0x7fffddd4b5d8) at /home/sfink/src/TM-singlestep/dom/base/nsJSEnvironment.cpp:2540
#7  0x00007ffff5db6649 in nsGlobalWindow::SetNewDocument (this=0x7fffddd4b400, aDocument=0x7fffdb160000, aState=0x0, aForceReuseInnerWindow=0) at /home/sfink/src/TM-singlestep/dom/base/nsGlobalWindow.cpp:1982
#8  0x00007ffff572b5af in DocumentViewerImpl::InitInternal (this=0x7fffdb179280, aParentWidget=0x0, aState=0x0, aBounds=..., aDoCreation=1, aNeedMakeCX=1) at /home/sfink/src/TM-singlestep/layout/base/nsDocumentViewer.cpp:956
#9  0x00007ffff572a25e in DocumentViewerImpl::Init (this=0x7fffdb179280, aParentWidget=0x0, aBounds=...) at /home/sfink/src/TM-singlestep/layout/base/nsDocumentViewer.cpp:693
#10 0x00007ffff6443223 in nsDocShell::SetupNewViewer (this=0x7fffddd4ac00, aNewViewer=0x7fffdb179280) at /home/sfink/src/TM-singlestep/docshell/base/nsDocShell.cpp:7619
#11 0x00007ffff643b593 in nsDocShell::Embed (this=0x7fffddd4ac00, aContentViewer=0x7fffdb179280, aCommand=0x7ffff72366eb "", aExtraInfo=0x0) at /home/sfink/src/TM-singlestep/docshell/base/nsDocShell.cpp:5716
#12 0x00007ffff6441fcc in nsDocShell::CreateContentViewer (this=0x7fffddd4ac00, aContentType=0x7fffdb132f18 "text/html", request=0x7fffddcd6a60, aContentHandler=0x7fffddbb1f30) at /home/sfink/src/TM-singlestep/docshell/base/nsDocShell.cpp:7406
#13 0x00007ffff645dbae in nsDSURIContentListener::DoContent (this=0x7fffddd56330, aContentType=0x7fffdb132f18 "text/html", aIsContentPreferred=0, request=0x7fffddcd6a60, aContentHandler=0x7fffddbb1f30, aAbortProcess=0x7fffffffcf1c) at /home/sfink/src/TM-singlestep/docshell/base/nsDSURIContentListener.cpp:148
#14 0x00007ffff6466360 in nsDocumentOpenInfo::TryContentListener (this=0x7fffddbb1f10, aListener=0x7fffddd56330, aChannel=0x7fffddcd6a60) at /home/sfink/src/TM-singlestep/uriloader/base/nsURILoader.cpp:757
#15 0x00007ffff6464f55 in nsDocumentOpenInfo::DispatchContent (this=0x7fffddbb1f10, request=0x7fffddcd6a60, aCtxt=0x0) at /home/sfink/src/TM-singlestep/uriloader/base/nsURILoader.cpp:455
#16 0x00007ffff64644f7 in nsDocumentOpenInfo::OnStartRequest (this=0x7fffddbb1f10, request=0x7fffddcd6a60, aCtxt=0x0) at /home/sfink/src/TM-singlestep/uriloader/base/nsURILoader.cpp:295
#17 0x00007ffff54730b3 in nsBaseChannel::OnStartRequest (this=0x7fffddcd6a10, request=0x7fffddbd7300, ctxt=0x0) at /home/sfink/src/TM-singlestep/netwerk/base/src/nsBaseChannel.cpp:712
#18 0x00007ffff5487d20 in nsInputStreamPump::OnStateStart (this=0x7fffddbd7300) at /home/sfink/src/TM-singlestep/netwerk/base/src/nsInputStreamPump.cpp:441
#19 0x00007ffff5487b50 in nsInputStreamPump::OnInputStreamReady (this=0x7fffddbd7300, stream=0x7fffddbd29e8) at /home/sfink/src/TM-singlestep/netwerk/base/src/nsInputStreamPump.cpp:397
#20 0x00007ffff6b43679 in nsInputStreamReadyEvent::Run (this=0x7fffdda2c480) at /home/sfink/src/TM-singlestep/xpcom/io/nsStreamUtils.cpp:112
#21 0x00007ffff6b6ea44 in nsThread::ProcessNextEvent (this=0x7fffebd04d80, mayWait=0, result=0x7fffffffd5fc) at /home/sfink/src/TM-singlestep/xpcom/threads/nsThread.cpp:626
#22 0x00007ffff6af88e4 in NS_ProcessNextEvent_P (thread=0x7fffebd04d80, mayWait=0) at nsThreadUtils.cpp:250
#23 0x00007ffff693ec1a in mozilla::ipc::MessagePump::Run (this=0x7fffebd14080, aDelegate=0x7fffebd251c0) at /home/sfink/src/TM-singlestep/ipc/glue/MessagePump.cpp:110
#24 0x00007ffff6bd88eb in MessageLoop::RunInternal (this=0x7fffebd251c0) at /home/sfink/src/TM-singlestep/ipc/chromium/src/base/message_loop.cc:219
#25 0x00007ffff6bd8870 in MessageLoop::RunHandler (this=0x7fffebd251c0) at /home/sfink/src/TM-singlestep/ipc/chromium/src/base/message_loop.cc:202
#26 0x00007ffff6bd8801 in MessageLoop::Run (this=0x7fffebd251c0) at /home/sfink/src/TM-singlestep/ipc/chromium/src/base/message_loop.cc:176
#27 0x00007ffff67d8fc7 in nsBaseAppShell::Run (this=0x7fffe8796500) at /home/sfink/src/TM-singlestep/widget/src/xpwidgets/nsBaseAppShell.cpp:181
#28 0x00007ffff652148d in nsAppStartup::Run (this=0x7fffe87adb00) at /home/sfink/src/TM-singlestep/toolkit/components/startup/src/nsAppStartup.cpp:191
#29 0x00007ffff54336d2 in XRE_main (argc=5, argv=0x7fffffffe258, aAppData=0x7ffff2c27080) at /home/sfink/src/TM-singlestep/toolkit/xre/nsAppRunner.cpp:3691
#30 0x0000000000401d0c in main (argc=5, argv=0x7fffffffe258) at /home/sfink/src/TM-singlestep/browser/app/nsBrowserApp.cpp:158

Here's the 'obj' parameter (at the time of executing sample.html, but from a different run than the above
stacks):

And here's the second 'obj', before the 2nd evaluate:

and after the call (when the compartment has changed):
(reserved) = undefined 36 (reserved) = undefined 37 (reserved) = undefined 38 (reserved) = undefined 39 (reserved) = undefined 40 (reserved) = undefined 41 (reserved) = <Object at 0x7fffddc9a1b0> 42 (reserved) = <unnamed function at 0x7fffddce7a80 (JSFunction at 0x7fffddce7a80)> 43 (reserved) = undefined 44 (reserved) = undefined 45 (reserved) = undefined 46 (reserved) = undefined 47 (reserved) = undefined 48 (reserved) = undefined 49 (reserved) = undefined 50 (reserved) = undefined 51 (reserved) = undefined 52 (reserved) = undefined 53 (reserved) = undefined 54 (reserved) = undefined 55 (reserved) = undefined 56 (reserved) = <Error object at 0x7fffddc9a558> 57 (reserved) = <Error object at 0x7fffddc9a5a0> 58 (reserved) = <Error object at 0x7fffddc9a5e8> 59 (reserved) = <Error object at 0x7fffddc9a630> 60 (reserved) = <Error object at 0x7fffddc9a678> 61 (reserved) = <Error object at 0x7fffddc9a6c0> 62 (reserved) = <Error object at 0x7fffddc9a708> 63 (reserved) = <Error object at 0x7fffddc9a750> 64 (reserved) = undefined 65 (reserved) = undefined 66 (reserved) = undefined 67 (reserved) = undefined 68 (reserved) = undefined 69 (reserved) = undefined 70 (reserved) = undefined 71 (reserved) = undefined 72 (reserved) = undefined 73 (reserved) = undefined 74 (reserved) = undefined 75 (reserved) = undefined 76 (reserved) = undefined 77 (reserved) = undefined 78 (reserved) = undefined 79 (reserved) = undefined 80 (reserved) = undefined 81 (reserved) = <function Object at 0x7fffddce7e80 (JSFunction at 0x7fffddce7e80)> 82 (reserved) = <function Function at 0x7fffddce7b00 (JSFunction at 0x7fffddce7b00)> 83 (reserved) = undefined 84 (reserved) = undefined 85 (reserved) = undefined 86 (reserved) = undefined 87 (reserved) = undefined 88 (reserved) = undefined 89 (reserved) = undefined 90 (reserved) = undefined 91 (reserved) = undefined 92 (reserved) = undefined 93 (reserved) = undefined 94 (reserved) = undefined 95 (reserved) = undefined 96 (reserved) = undefined 97 (reserved) = 
undefined 98 (reserved) = undefined 99 (reserved) = undefined 100 (reserved) = undefined 101 (reserved) = undefined 102 (reserved) = undefined 103 (reserved) = undefined 104 (reserved) = undefined 105 (reserved) = undefined 106 (reserved) = undefined 107 (reserved) = undefined 108 (reserved) = undefined 109 (reserved) = undefined 110 (reserved) = undefined 111 (reserved) = undefined 112 (reserved) = undefined 113 (reserved) = undefined 114 (reserved) = undefined 115 (reserved) = undefined 116 (reserved) = undefined 117 (reserved) = undefined 118 (reserved) = undefined 119 (reserved) = undefined 120 (reserved) = undefined 121 (reserved) = <unnamed function at 0x7fffddce7e00 (JSFunction at 0x7fffddce7e00)> 122 (reserved) = <RegExpStatics object at 0x7fffddc9a168> 123 = <function eval at 0x7fffddce9c80 (JSFunction at 0x7fffddce9c80)> 124 = <nsXPCComponents object at 0x7fffddc9e1b8> 125 = <function XPCNativeWrapper at 0x7fffddce9d00 (JSFunction at 0x7fffddce9d00)> 126 = <Proxy object at 0x7fffddc93068> 127 = <Object at 0x7fffddc9a240> 128 = <JSOptions object at 0x7fffddc9a318> 129 = <DOMPrototype object at 0x7fffddc9e2c0> 130 = <DOMPrototype object at 0x7fffddc9e318> 131 = <DOMPrototype object at 0x7fffddc9e370> 132 = <HTMLDocument object at 0x7fffddc9e3c8> 133 = <DOMPrototype object at 0x7fffddc9e478> 134 = 5 135 = 3 136 = <function f at 0x7fffddc95200 (JSFunction at 0x7fffddc95200)> 137 = <DOMPrototype object at 0x7fffddc9e630> 138 = <DOMPrototype object at 0x7fffddc9e738> 139 = <DOMPrototype object at 0x7fffddc9e7e8> 140 = <DOMPrototype object at 0x7fffddc9e898> 141 = <DOMPrototype object at 0x7fffddc9e9a0> 142 = <DOMPrototype object at 0x7fffddc9eb00> 143 = <DOMPrototype object at 0x7fffddc9ec08> 144 = <DOMPrototype object at 0x7fffddc9ec08> 145 = <function getInterface at 0x7fffd6b83e00 (JSFunction at 0x7fffd6b83e00)> 146 = <Proxy object at 0x7fffddc1fc38> 147 = <Proxy object at 0x7fffddc93a90> 148 = <function Error at 0x7fffd6b88580 (JSFunction at 
0x7fffd6b88580)> 149 = <function InternalError at 0x7fffd6b88600 (JSFunction at 0x7fffd6b88600)> 150 = <function EvalError at 0x7fffd6b88680 (JSFunction at 0x7fffd6b88680)> 151 = <function RangeError at 0x7fffd6b88700 (JSFunction at 0x7fffd6b88700)> 152 = <function ReferenceError at 0x7fffd6b88780 (JSFunction at 0x7fffd6b88780)> 153 = <function SyntaxError at 0x7fffd6b88800 (JSFunction at 0x7fffd6b88800)> 154 = <function TypeError at 0x7fffd6b88880 (JSFunction at 0x7fffd6b88880)> 155 = <function URIError at 0x7fffd6b88900 (JSFunction at 0x7fffd6b88900)> 156 = <DOMPrototype object at 0x7fffddc9ecb8> 157 = <DOMPrototype object at 0x7fffddc9edc0> 158 = <DOMPrototype object at 0x7fffddc9eec8> 159 = <DOMPrototype object at 0x7fffd6b1b058> 160 = <DOMPrototype object at 0x7fffd6b1b160> 161 = <DOMPrototype object at 0x7fffd6b1b268> 162 = <DOMPrototype object at 0x7fffd6b1b370> 163 = <Navigator object at 0x7fffd6b1b3c8> 164 = <DOMPrototype object at 0x7fffd6b1b478> 165 = <DOMPrototype object at 0x7fffd6b1b580> 166 = <DOMPrototype object at 0x7fffd6b1b840> 167 = <DOMPrototype object at 0x7fffd6b1b948> 168 = <DOMPrototype object at 0x7fffd6b1b9a0> 169 = <Proxy object at 0x7fffddc93270> 170 = <DOMPrototype object at 0x7fffd6b1baa8> 171 = <DOMPrototype object at 0x7fffd5153108> 172 = <DOMPrototype object at 0x7fffd51531b8> 173 = <DOMPrototype object at 0x7fffd51532c0> 174 = <DOMPrototype object at 0x7fffd51533c8> 175 = <DOMPrototype object at 0x7fffd5153528> 176 = <DOMPrototype object at 0x7fffd5153630> 177 = 0.333333 I couldn't get a good snapshot of when cx's compartment gets reverted from C2 back to C1, because it changes repeatedly due to cross-compartment calls. I suppose I could set a hardware watchpoint that dumps the stack and continues, so I could catch the last one, but I'm out of time to play at the moment. And gdb doesn't do very good backtraces when JM is on the stack, at least for x86_64.
If I were you, I'd do printf debugging. You should be able to print the obj pointer, cx pointer, compartment, and whatever change request is floating around. After you crash you can go back and pair things up.
Here's the stack for the last time cx->compartment got reverted to C1. Hopefully it means something to somebody.

#0 JSContext::resetCompartment (this=0x7fffde414400) at /home/sfink/src/TM-singlestep/js/src/jscntxt.cpp:2067
#1 0x00007ffff46e9847 in JSContext::setCurrentRegs (this=0x7fffde414400, regs=0x0) at /home/sfink/src/TM-singlestep/js/src/jscntxt.h:1967
#2 0x00007ffff46fc660 in JSContext::popSegmentAndFrame (this=0x7fffde414400) at /home/sfink/src/TM-singlestep/js/src/jscntxt.cpp:2097
#3 0x00007ffff46f8431 in js::StackSpace::popSegmentAndFrame (this=0x7fffe9602028, cx=0x7fffde414400) at /home/sfink/src/TM-singlestep/js/src/jscntxt.cpp:341
#4 0x00007ffff46f8507 in js::FrameGuard::~FrameGuard (this=0x7fffffffc760, __in_chrg=<value optimized out>) at /home/sfink/src/TM-singlestep/js/src/jscntxt.cpp:351
#5 0x00007ffff4791822 in js::ExecuteFrameGuard::~ExecuteFrameGuard (this=0x7fffffffc760, __in_chrg=<value optimized out>) at /home/sfink/src/TM-singlestep/js/src/jscntxt.h:558
#6 0x00007ffff478ea81 in js::Execute (cx=0x7fffde414400, chain=0x7fffda5a5120, script=0x7fffdb8a1bc0, prev=0x0, flags=0, result=0x0) at /home/sfink/src/TM-singlestep/js/src/jsinterp.cpp:1016
#7 0x00007ffff46c795b in JS_EvaluateUCScriptForPrincipals (cx=0x7fffde414400, obj=0x7fffda5a5120, principals=0x7fffde248ee8, chars=0x7fffd894e2c8, length=154, filename=0x7fffe2a0f108 "file:///home/sfink/src/TM-singlestep/sample2.html", lineno=4, rval=0x0) at /home/sfink/src/TM-singlestep/js/src/jsapi.cpp:4877
#8 0x00007ffff46c7739 in JS_EvaluateUCScriptForPrincipalsVersion (cx=0x7fffde414400, obj=0x7fffda5a5120, principals=0x7fffde248ee8, chars=0x7fffd894e2c8, length=154, filename=0x7fffe2a0f108 "file:///home/sfink/src/TM-singlestep/sample2.html", lineno=4, rval=0x0, version=JSVERSION_DEFAULT) at /home/sfink/src/TM-singlestep/js/src/jsapi.cpp:4851
#9 0x00007ffff5d87c4c in nsJSContext::EvaluateString (this=0x7fffde5e8dd0, aScript=..., aScopeObject=0x7fffda5a5120, aPrincipal=0x7fffde248ee0, aURL=0x7fffe2a0f108 "file:///home/sfink/src/TM-singlestep/sample2.html", aLineNo=4, aVersion=0, aRetValue=0x0, aIsUndefined=0x7fffffffcb7c) at /home/sfink/src/TM-singlestep/dom/base/nsJSEnvironment.cpp:1731
#10 0x00007ffff5ad6f1f in nsScriptLoader::EvaluateScript (this=0x7fffde2f9400, aRequest=0x7fffd89ad820, aScript=...) at /home/sfink/src/TM-singlestep/content/base/src/nsScriptLoader.cpp:873
#11 0x00007ffff5ad6845 in nsScriptLoader::ProcessRequest (this=0x7fffde2f9400, aRequest=0x7fffd89ad820) at /home/sfink/src/TM-singlestep/content/base/src/nsScriptLoader.cpp:772
#12 0x00007ffff5ad6517 in nsScriptLoader::ProcessScriptElement (this=0x7fffde2f9400, aElement=0x7fffddd886d0) at /home/sfink/src/TM-singlestep/content/base/src/nsScriptLoader.cpp:718
#13 0x00007ffff5ad2ad7 in nsScriptElement::MaybeProcessScript (this=0x7fffddd886d0) at /home/sfink/src/TM-singlestep/content/base/src/nsScriptElement.cpp:167
#14 0x00007ffff5c25d3a in nsHTMLScriptElement::MaybeProcessScript (this=0x7fffddd88660) at /home/sfink/src/TM-singlestep/content/html/content/src/nsHTMLScriptElement.cpp:583
#15 0x00007ffff5c259fe in nsHTMLScriptElement::DoneAddingChildren (this=0x7fffddd88660, aHaveNotified=1) at /home/sfink/src/TM-singlestep/content/html/content/src/nsHTMLScriptElement.cpp:510
#16 0x00007ffff5f7d2df in nsHtml5TreeOpExecutor::RunScript (this=0x7fffd89a0560, aScriptElement=0x7fffddd88660) at /home/sfink/src/TM-singlestep/parser/html/nsHtml5TreeOpExecutor.cpp:730
#17 0x00007ffff5f7c920 in nsHtml5TreeOpExecutor::RunFlushLoop (this=0x7fffd89a0560) at /home/sfink/src/TM-singlestep/parser/html/nsHtml5TreeOpExecutor.cpp:525
#18 0x00007ffff5f83820 in nsHtml5ExecutorFlusher::Run() () from /home/sfink/src/TM-singlestep/obj/dist/bin/libxul.so
#19 0x00007ffff6b683fc in nsThread::ProcessNextEvent (this=0x7fffebd04d80, mayWait=0, result=0x7fffffffd5fc) at /home/sfink/src/TM-singlestep/xpcom/threads/nsThread.cpp:626
#20 0x00007ffff6af1fb4 in NS_ProcessNextEvent_P (thread=0x7fffebd04d80, mayWait=0) at nsThreadUtils.cpp:250
#21 0x00007ffff693794a in mozilla::ipc::MessagePump::Run (this=0x7fffebd14080, aDelegate=0x7fffebd251c0) at /home/sfink/src/TM-singlestep/ipc/glue/MessagePump.cpp:110
#22 0x00007ffff6bd1f13 in MessageLoop::RunInternal (this=0x7fffebd251c0) at /home/sfink/src/TM-singlestep/ipc/chromium/src/base/message_loop.cc:219
#23 0x00007ffff6bd1e98 in MessageLoop::RunHandler (this=0x7fffebd251c0) at /home/sfink/src/TM-singlestep/ipc/chromium/src/base/message_loop.cc:202
#24 0x00007ffff6bd1e29 in MessageLoop::Run (this=0x7fffebd251c0) at /home/sfink/src/TM-singlestep/ipc/chromium/src/base/message_loop.cc:176
#25 0x00007ffff67d129d in nsBaseAppShell::Run (this=0x7ffff2cfacc0) at /home/sfink/src/TM-singlestep/widget/src/xpwidgets/nsBaseAppShell.cpp:192
#26 0x00007ffff651801d in nsAppStartup::Run (this=0x7fffe90b39c0) at /home/sfink/src/TM-singlestep/toolkit/components/startup/src/nsAppStartup.cpp:191
#27 0x00007ffff542218a in XRE_main (argc=5, argv=0x7fffffffe258, aAppData=0x7ffff2c27080) at /home/sfink/src/TM-singlestep/toolkit/xre/nsAppRunner.cpp:3691
#28 0x0000000000401d0c in main (argc=5, argv=0x7fffffffe258) at /home/sfink/src/TM-singlestep/browser/app/nsBrowserApp.cpp:158

I don't know anything about this stuff, but it sort of looks like the cx->compartment reversion would be fine if script were truly done executing. But LAST_FRAME_CHECKS can still execute code, so LAST_FRAME_CHECKS should somehow be within the scope of the ExecuteFrameGuard. Or maybe I'm just totally off base. I don't understand why it's so hard to trigger.
Blocks: compartments
blocking2.0: ? → final+
Whiteboard: [compartments][firebug-p1]
Depends on: 618871
Keywords: regression
Assignee: general → sphink
As of 4ed3025c0be2, the above steps do not appear to crash anymore. With no patches, I was able to trigger the assert from 617870 by hitting random buttons, but with the fix from that applied I was unable to trigger any crash or assert at all. Are you still able to reproduce this on tip?
This can probably go under 619025 as this is more of a systemic issue.
This looks like the result of a broken patch to fix 609141. I have a fix in that bug, and I can't seem to get any more compartment mismatches.
Now that I untangled my hg tree (I somehow managed to set my default to pull from myself!), I've updated and have 4ed3025c0be2. Currently, I'm at 9aa8c290f633. I still get the same crash with what I thought were the same STR. I'll try applying your bug 609141 fix.
Try with both patches from bug 617870 and bug 609141, I believe both of those cover all compartment mismatch issues.
Attached patch Proposed patch v0 (obsolete) (deleted) — Splinter Review
This is the patches from bug 617870 and bug 614131 merged, as they would otherwise need to depend on each other. This should resolve this problem as well.
Assignee: sphink → adrake
Status: NEW → ASSIGNED
Blocks: 617870
Blocks: 609141
Comment on attachment 497596 [details] [diff] [review] Proposed patch v0 You can get the script object and enter with that (nice patch otherwise, thanks!).
Attachment #497596 - Flags: review-
We can't get the script object since it might not exist, so we do that horrible dance to create a dummy global object for the scope chain.
Attachment #497596 - Flags: review?(jorendorff)
Unfortunately, the crash is still 100% reproducible for me with this patch applied. I think this patch is good and still necessary, by the way, but it unfortunately doesn't fix this particular bug.

adrake: I finally figured out one of the problems I was having yesterday, where I was not stopping at any breakpoints -- I was using a profile that pointed to my modified copy of firebug1.7, which made calls to a new JSD API entry I had added (enableSingleStepping). But I was running with unmodified TM + your patch, so that API entry didn't exist. Doh!

When running with an unmodified firebug1.7, I still see the crash described in this bug, 100% of the time. Well, unless I hit the other bug first: I also still get the other bug (assertion: *pc == JSOP_GETARG), which still happens if and only if I am using a wired connection. See bug 619369.
Comment on attachment 497596 [details] [diff] [review] Proposed patch v0 I wish I could think of a way around this, but let's live with it for now. Thanks for taking this.
Attachment #497596 - Flags: review?(jorendorff) → review+
blocking2.0: final+ → beta9+
Depends on: 618549
Alright, I've got it nailed down. Here's the failure mode:

- Enter a nested event loop (such as a "breakpoint hit" context in firebug).
- Try to navigate to any page in the same tab.
- The following partial stack happens when the event triggering the navigation is serviced:

#0 JS_SetGlobalObject (cx=0x7fffde6c2400, obj=0x7fffddcd5068) at /home/adrake/src/tm/js/src/jsapi.cpp:1371
#1 0x00007ffff59206ff in nsJSContext::SetOuterObject (this=0x7fffde6bd2e0, aOuterObject=0x7fffddcd5068) at /home/adrake/src/tm/dom/base/nsJSEnvironment.cpp:2657
#2 0x00007ffff593fe3d in nsGlobalWindow::SetNewDocument (this=0x7fffde6c2000, aDocument=0x7fffd838a800, aState=0x0, aForceReuseInnerWindow=0) at /home/adrake/src/tm/dom/base/nsGlobalWindow.cpp:2072
#3 0x00007ffff52b5691 in DocumentViewerImpl::InitInternal (this=0x7fffd8144900, aParentWidget=0x0, aState=0x0, aBounds=..., aDoCreation=1, aNeedMakeCX=1) at /home/adrake/src/tm/layout/base/nsDocumentViewer.cpp:956
#4 0x00007ffff52b4370 in DocumentViewerImpl::Init (this=0x7fffd8144900, aParentWidget=0x0, aBounds=...) at /home/adrake/src/tm/layout/base/nsDocumentViewer.cpp:693
#5 0x00007ffff5fcbdd3 in nsDocShell::SetupNewViewer (this=0x7fffde6c1800, aNewViewer=0x7fffd8144900) at /home/adrake/src/tm/docshell/base/nsDocShell.cpp:7622
#6 0x00007ffff5fc4143 in nsDocShell::Embed (this=0x7fffde6c1800, aContentViewer=0x7fffd8144900, aCommand=0x7ffff70c3903 "", aExtraInfo=0x0) at /home/adrake/src/tm/docshell/base/nsDocShell.cpp:5716
#7 0x00007ffff5fcab7c in nsDocShell::CreateContentViewer (this=0x7fffde6c1800, aContentType=0x7fffd82c6048 "text/html", request=0x7fffd811af00, aContentHandler=0x7fffd86892b0) at /home/adrake/src/tm/docshell/base/nsDocShell.cpp:7409
#8 0x00007ffff5fe676c in nsDSURIContentListener::DoContent (this=0x7fffde6189c0, aContentType=0x7fffd82c6048 "text/html", aIsContentPreferred=0, request=0x7fffd811af00, aContentHandler=0x7fffd86892b0, aAbortProcess=0x7fffffff5eac) at /home/adrake/src/tm/docshell/base/nsDSURIContentListener.cpp:148
#9 0x00007ffff5feef14 in nsDocumentOpenInfo::TryContentListener (this=0x7fffd8689290, aListener=0x7fffde6189c0, aChannel=0x7fffd811af00) at /home/adrake/src/tm/uriloader/base/nsURILoader.cpp:757
#10 0x00007ffff5fedb09 in nsDocumentOpenInfo::DispatchContent (this=0x7fffd8689290, request=0x7fffd811af00, aCtxt=0x0) at /home/adrake/src/tm/uriloader/base/nsURILoader.cpp:455
#11 0x00007ffff5fed0ab in nsDocumentOpenInfo::OnStartRequest (this=0x7fffd8689290, request=0x7fffd811af00, aCtxt=0x0) at /home/adrake/src/tm/uriloader/base/nsURILoader.cpp:295
#12 0x00007ffff4ff8a11 in nsBaseChannel::OnStartRequest (this=0x7fffd811aeb0, request=0x7fffd85c1780, ctxt=0x0) at /home/adrake/src/tm/netwerk/base/src/nsBaseChannel.cpp:712
#13 0x00007ffff500d7f4 in nsInputStreamPump::OnStateStart (this=0x7fffd85c1780) at /home/adrake/src/tm/netwerk/base/src/nsInputStreamPump.cpp:441
#14 0x00007ffff500d61a in nsInputStreamPump::OnInputStreamReady (this=0x7fffd85c1780, stream=0x7fffd85b9cf8) at /home/adrake/src/tm/netwerk/base/src/nsInputStreamPump.cpp:397
#15 0x00007ffff66cc225 in nsInputStreamReadyEvent::Run (this=0x7fffd82be780) at /home/adrake/src/tm/xpcom/io/nsStreamUtils.cpp:112
#16 0x00007ffff66f781e in nsThread::ProcessNextEvent (this=0x7fffeb202d80, mayWait=1, result=0x7fffffff658c) at /home/adrake/src/tm/xpcom/threads/nsThread.cpp:626
#17 0x00007ffff6681268 in NS_ProcessNextEvent_P (thread=0x7fffeb202d80, mayWait=1) at nsThreadUtils.cpp:250
#18 0x00007ffff61cdeea in jsdService::EnterNestedEventLoop (this=0x7fffe375f860, callback=0x7fffd922a0a0, _rval=0x7fffffff6858) at /home/adrake/src/tm/js/jsd/jsd_xpc.cpp:3021

As part of preparing the tab to load a new page, it sets a new global object on the JSContext. This new global object is in a different compartment.

- When the event finishes servicing, the nested event loop terminates.
- The call to the top level original page script Execute returns. As the stack is now empty, the context compartment is loaded from the global object.
- Code beyond the Execute call attempts to access a value, say:

#15 0x00007ffff47ab12b in js_ReportUncaughtException (cx=0x7fffe4e0f400) at /home/sfink/src/.TM-3/js/src/jsexn.cpp:1243

- Death by compartment mismatch assertion on the attempt to stringify the exception:

#8 0x00007ffff4800f64 in js::CallJSNative (cx=0x7fffe4e0f400, native=0x7ffff47a9e08 <exn_toString(JSContext*, uintN, js::Value*)>, argc=0, vp=0x7fffe84fd038) at /home/sfink/src/.TM-3/js/src/jscntxtinlines.h:683

The quickest workaround is to add wrapException after js::Execute in JS_EvaluateUCScriptForPrincipals and JS_ExecuteScript so we can never trip and die from being forced into a new compartment from a nested event loop. Attached is a patch that does exactly this. This is probably not a complete fix -- does the return value need to be wrapped as well? (This fixes the issue described for me. sfink?)
Attachment #497596 - Attachment is obsolete: true
adrake is awesome! Thanks! Yes, it fixes it for me. (Nice to have a 100% reproducible crash for once.) What I understand of your explanation makes sense to me and matches what I found when digging through the problem in the debugger. I'm still too shaky on the interaction between contexts, compartments, and globals to connect the dots like you did, though. Or to determine whether this is the right fix. It seems fine for the exception parts. Wrapping the return value with a doomed compartment seems iffier. It kind of feels like the problem is in "As the stack is now empty, the context compartment is loaded from the global object." The JS stack is empty, but it's not really quite "done". There's some C++ stack that doesn't get taken into account. But I don't know what I'm talking about, so I'll shut up and let someone who does offer an opinion. mrbkap? gal?
Whiteboard: [compartments][firebug-p1] → [compartments][firebug-p1][hardblocker]
Attachment #497596 - Flags: review?(gal)
Attachment #498051 - Flags: review?(gal)
blocking2.0: beta9+ → betaN+
Comment on attachment 498051 [details] [diff] [review] WIP fix for crash described in comments ># HG changeset patch ># Parent a1dc2018b3e3b4d959435c83d596ded9649a556f >diff -r a1dc2018b3e3 -r 99232cc00a8a js/src/jsapi.cpp >--- a/js/src/jsapi.cpp Wed Dec 15 13:11:30 2010 -0800 >+++ b/js/src/jsapi.cpp Thu Dec 16 00:35:18 2010 -0800 >@@ -4928,6 +4928,7 @@ > /* This should receive only scripts handed out via the JSAPI. */ > JS_ASSERT(script->u.object); > ok = Execute(cx, obj, script, NULL, 0, Valueify(rval)); >+ cx->compartment->wrapException(cx); > LAST_FRAME_CHECKS(cx, ok); > return ok; > } >@@ -4975,6 +4976,7 @@ > return JS_FALSE; > } > ok = Execute(cx, obj, script, NULL, 0, Valueify(rval)); >+ cx->compartment->wrapException(cx); > LAST_FRAME_CHECKS(cx, ok); > js_DestroyScript(cx, script); > return ok; This is not the right place to do this. Let's dig deeper. The invariant cx->compartment == cx->exception->compartment() must never be violated. Where did that happen? (note: I just fixed a related bug, watch out for dups).
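Review bot: in the first hunk (JS_ExecuteScript, @@ -4928) the result of `cx->compartment->wrapException(cx);` is discarded, so a wrap that fails leaves cx->exception tagged for the previous compartment and the `LAST_FRAME_CHECKS(cx, ok);` on the next line still runs against it; either act on the return value or mark the ignore explicitly with (void) and a comment saying why a failure is acceptable at this point. The call also runs when `ok` is true and there is no pending exception to wrap, so gating it on !ok would document the intent.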
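Review bot: the second hunk (JS_EvaluateUCScriptForPrincipals, @@ -4975) re-wraps only the pending exception; the completion value that `Execute(cx, obj, script, NULL, 0, Valueify(rval));` wrote through rval was produced while the old compartment was current and is handed back to the caller unwrapped when cx->compartment has changed underneath (the nested-event-loop navigation case described in the comment above), so rval needs the same treatment or a comment stating why it is safe. Patching individual JSAPI entry points also means any other entry point that calls Execute needs the same line; re-wrapping where cx->compartment is actually reset would cover them all.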
Attachment #498051 - Flags: review?(gal) → review-
I haven't actually tried a run watching specifically that, but just to recap what I *think* is happening:

1. you're on page 1
2. you navigate to page 2 while page 1 still has stuff on the stack
3. while returning from that stack, an exception is set (with cx->exception->compartment() set to page 1's compartment, I suppose)
4. when the stack is emptied, cx->compartment is switched to page 2's compartment
5. LAST_FRAME_CHECKS observes the compartment mismatch

Only it doesn't normally happen; I haven't been able to reproduce without following the exact STR in this bug. I'll try it again, taking note of cx->exception->compartment(). (I didn't realize that's where exceptions hang off.)
Ok, I think resetCompartment() doesn't wrap exception then. I just fixed this bug. The patch is up for review. https://bugzilla.mozilla.org/show_bug.cgi?id=621845 Want to try that patch and if it fixes this bug, please dup it? (and thanks for looking into this!)
I'll have to try it tomorrow. I applied the patch and recompiled just js/src/, and I'm getting an immediate crash. But I noticed that patch touches more stuff; I just don't have time right now to do a full rebuild. I'm attaching the stack of the crash in the remote chance that it's helpful.
Attached file Latest crash (deleted) —
The full rebuild fixed that crash I posted, so ignore it. The patch moves the problem. Now it gets an assertion failure in jsd_GetException() instead, called from a Firebug-installed exception observer. *** Compartment mismatch 0x7fffe938f000 vs. 0x7fffe95bc000 Stack is attached. 0x7fffe938f000 is page 2's compartment. 0x7fffe95bc000 is the compartment on the exception. (0x7fffdd811000 is JSD's dumbContext compartment, but it doesn't show up.) I assume 0x7fffe95bc000 is page 1's compartment?
Attachment #501613 - Attachment is obsolete: true
Steve, that sounds much better. Sounds like you have to enter that compartment there and possibly wrap the value as you leave the compartment.
I'm not so sure of that. I don't see anywhere in the JSD stuff where I could wrap it usefully. I think it's just reporting a preexisting compartment mismatch between the context and its exception. Specifically, what appears to be happening is that we do a nsXPCWrappedJSClass::CallMethod. Upon entry, there's a pending exception in the context (this is invoked from jsds_ErrorHookProc). During the execution of the method, cx->compartment gets changed. That's enough to make it fall down go boom, because CallMethod has an AutoScriptEvaluate RAII that saves and restores the exception state. But the exception state being restored is from the old context. If I hack JS_RestoreExceptionState to wrap with the new compartment, the crash goes away. But that feels like it may be a pretty big hammer. Alternatively, I could make jsds_ErrorHookProc save and restore the exception, rewrapping if needed. I'm not sure if I would need to do it for every hook call, though. (Because any hook call can spin a nested event loop, which can result in a page navigation, which can result in the context's compartment changing.) Yeah, I tried that, and just died a little further along. Oh, yuck -- I'd need to do it in the JSD C code. Or should I perhaps do it in AutoScriptEvaluate? I'll try that next. That's probably the least messy. Related question: in AutoCompartment::enter(), why does it abort if wrapException() returns false? (it undoes its work and returns an error if (!pushDummyFrame() || !wrapException())
Attached patch undo wrap on failure (obsolete) (deleted) — Splinter Review
AutoCompartment::enter was wrapping the exception for the destination compartment, however, since an exception was already pending, it fails to enter, which means AutoCompartment::leave() doesn't get called, which means the exception is left dangling in the wrong compartment. Without this fix, I am able to repro the assert as described in comment 18; with the patch it works.
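A toy C++ model of the enter/leave failure described in this comment, added here as an illustration; it is not SpiderMonkey's code. Compartment, Value, Context, CompartmentGuard and the acceptsFrames flag are constructed stand-ins, wrapException is modelled without a return value (as in the later "better fix"), and a failing pushDummyFrame() is the assumed reason enter() aborts.

```cpp
// Constructed model, not SpiderMonkey code: a context's pending exception is
// tagged with the compartment it belongs to, and a guard modelled on
// AutoCompartment re-wraps it for the target compartment during enter(). If
// enter() then fails, leave() never runs, so enter() itself must undo the wrap.
#include <string>

struct Compartment {
    std::string name;
    bool acceptsFrames;   // constructed: whether pushDummyFrame() succeeds here
};

// Stand-in for a js::Value plus its cross-compartment wrapper: we only track
// which compartment the value currently belongs to.
struct Value {
    Compartment* compartment;
    std::string payload;
};

struct Context {
    Compartment* compartment;   // cx->compartment
    bool hasException;
    Value exception;            // cx->exception

    explicit Context(Compartment* c)
        : compartment(c), hasException(false), exception{nullptr, ""} {}

    // The invariant from the review: cx->compartment == cx->exception->compartment().
    bool exceptionIsSane() const {
        return !hasException || exception.compartment == compartment;
    }

    // Model of wrapException(): re-tag the pending exception, if any, for the
    // context's current compartment (nested wrap() marks each re-wrap).
    void wrapException() {
        if (hasException && exception.compartment != compartment) {
            exception.payload = "wrap(" + exception.payload + ")";
            exception.compartment = compartment;
        }
    }

    // Model of pushDummyFrame(): can fail (OOM in the real engine).
    bool pushDummyFrame() const { return compartment->acceptsFrames; }
};

struct CompartmentGuard {
    Context* cx;
    Compartment* origin;
    Compartment* target;
    bool entered = false;

    CompartmentGuard(Context* c, Compartment* t)
        : cx(c), origin(c->compartment), target(t) {}

    // Pre-fix ordering: on failure cx->compartment is restored but the
    // exception stays wrapped for the target, and no leave() will fix it.
    bool enterBuggy() {
        cx->compartment = target;
        cx->wrapException();             // exception now tagged for target
        if (!cx->pushDummyFrame()) {
            cx->compartment = origin;    // compartment undone ...
            return false;                // ... exception left in the wrong one
        }
        entered = true;
        return true;
    }

    // Fixed ordering: an aborted enter re-wraps the exception for the origin
    // compartment, so the context is consistent whether or not we entered.
    bool enterFixed() {
        cx->compartment = target;
        cx->wrapException();
        if (!cx->pushDummyFrame()) {
            cx->compartment = origin;
            cx->wrapException();         // undo the wrap on failure
            return false;
        }
        entered = true;
        return true;
    }

    void leave() {
        if (!entered) return;
        cx->compartment = origin;
        cx->wrapException();
        entered = false;
    }
    ~CompartmentGuard() { leave(); }
};

// Scenario from the bug: an exception is pending in page 1's compartment when
// a hook tries to enter a compartment where enter() fails. Returns whether the
// context still satisfies the invariant afterwards.
bool scenarioLeavesContextSane(bool useFixedEnter) {
    Compartment page1{"page1", true};
    Compartment page2{"page2", false};   // constructed: pushDummyFrame fails here
    Context cx(&page1);
    cx.hasException = true;
    cx.exception = Value{&page1, "TypeError"};
    CompartmentGuard ac(&cx, &page2);
    bool ok = useFixedEnter ? ac.enterFixed() : ac.enterBuggy();
    return !ok && cx.exceptionIsSane();
}

// Successful round trip for comparison: wrapped into page2 on enter, wrapped
// back into page1 when the guard goes out of scope.
bool roundTripRestoresOrigin() {
    Compartment page1{"page1", true};
    Compartment page2{"page2", true};
    Context cx(&page1);
    cx.hasException = true;
    cx.exception = Value{&page1, "TypeError"};
    {
        CompartmentGuard ac(&cx, &page2);
        if (!ac.enterFixed() || cx.compartment != &page2 || !cx.exceptionIsSane())
            return false;
    }   // ~CompartmentGuard -> leave()
    return cx.compartment == &page1 && cx.exceptionIsSane()
        && cx.exception.payload == "wrap(wrap(TypeError))";
}
```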
Attachment #501876 - Flags: review?(gal)
Steve, does this fix the asserts you were seeing as well?
Comment on attachment 501876 [details] [diff] [review] undo wrap on failure This needs a comment as well, and a (void) to explicitly state with a bold warning that we ignore a return value here.
Attachment #501876 - Flags: review?(gal) → review+
Attached patch better fix (deleted) — Splinter Review
That's it, this wrapException is a confusing interface (e.g., bug 621845 comment 13). This patch takes away its return value and, surprise, I saw some further simplifications that can be made. I also took out the wasSane check b/c, as Andreas pointed out, it can also lead to debug-only compartment mismatches.
Attachment #501876 - Attachment is obsolete: true
Attachment #501905 - Flags: review?(gal)
Attachment #501905 - Flags: review?(gal) → review+
sfink: fwiw, I had a patch to change jsd to .cpp. I think it got lost in one of my tree shuffles, but with my module owner hat on I'm willing to endorse a bug which does this.
timeless, do you remember why we didn't switch jsd to C++ earlier? was there a technical reason?
(In reply to comment #29) > Created attachment 501876 [details] [diff] [review] > undo wrap on failure > > AutoCompartment::enter was wrapping the exception for the destination > compartment, however, since an exception was already pending, it fails to > enter, which means AutoCompartment::leave() doesn't get called, which means the > exception is left dangling in the wrong compartment. > > Without this fix, I am able to repro the assert as described in comment 18; > with the patch it works. Sorry for the delay. Yes, it works with this patch for me too. I can't believe I was staring at the exact same chunk of code but didn't see it. One remaining question, though -- if AutoCompartment::enter fails because an exception is pending, then is that going to break JSD's ability to run hooks when exceptions are thrown?
Good question, I was wondering about the semantics I was preserving...
Whiteboard: [compartments][firebug-p1][hardblocker] → [compartments][firebug-p1][hardblocker] fixed-in-tracemonkey
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
gal: yes, I couldn't get reviewers for anything in jsd. It's called starvation.
(In reply to comment #39) > gal: yes, i couldn't get reviewers for anything in jsd. it's called starvation. I do jsd reviews. Try me next time. (I kinda suck at feedback processing. I ignore sr? these days.) /be
Comment on attachment 497596 [details] [diff] [review] Proposed patch v0 Cleaning up ancient review requests.
Attachment #497596 - Flags: review?(gal)