Closed Bug 469621 Opened 16 years ago Closed 16 years ago

"Assertion failure: *flagp != GCF_FINAL, at ../jsgc.cpp"

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
VERIFIED FIXED

People

(Reporter: gkw, Assigned: mrbkap)

Details

(4 keywords, Whiteboard: [sg:critical?] fixed-in-tracemonkey)

Attachments

(2 files)

Fix
750 bytes, patch
crowderbt
: review+
Details | Diff | Splinter Review
js1_5/GC/regress-469621.js
2.46 KB, text/plain
Details 
gczeal(2); eval('(function)', {})

asserts dbg at Assertion failure: *flagp != GCF_FINAL, at ../jsgc.cpp and different variants either crash debug js shell near null or at possibly exploitable locations.

Possible regression of bug 446026?
Flags: blocking1.9.1?
Whiteboard: [sg:critical?]
Thanks Jesse for helping to reduce this testcase.

TM is not needed to be enabled for this bug to occur.
Attached patch FixSplinter Review 
Assignee: general → mrbkap
Status: NEW → ASSIGNED

        Attachment #353132 -
        Flags: review?(crowder)

    
  

        Attachment #353132 -
        Flags: review?(crowder) → review+

    
    

    
  
Comment on attachment 353132 [details] [diff] [review]
Fix

ugh, thanks

    
    

    
  
http://hg.mozilla.org/tracemonkey/rev/5f6d7c789505
Whiteboard: [sg:critical?] → [sg:critical?] fixed-in-tracemonkey

    
  
Flags: blocking1.9.1? → blocking1.9.1+

    
    

    
  
merged in mc
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Flags: in-testsuite+
Flags: in-litmus-

    
    

    
  
v 1.9.1, 1.9.2
Status: RESOLVED → VERIFIED
Keywords: fixed1.9.1verified1.9.1

    
    

    
  
when this bug is opened, the test should be checked in.
Flags: in-testsuite+ → in-testsuite?
Group: core-security

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: