Closed Bug 1018620 Opened 7 years ago Closed 7 years ago

Assertion failure: thing->zone()->isCollecting() || rt->isAtomsZone(thing->zone()), at gc/Marking.cpp:204

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking

()

VERIFIED FIXED
mozilla32
Tracking Status
firefox31 --- unaffected
firefox32 --- verified
firefox-esr24 --- unaffected

People

(Reporter: decoder, Assigned: bhackett1024)

References

Details

(4 keywords, Whiteboard: [jsbugmon:update])

Attachments

(2 files, 2 obsolete files)

The following testcase asserts on mozilla-central revision 323156681cef (run with --fuzzing-safe --ion-eager):


String.prototype.search = evalcx('').String.prototype.search;
''.search(/()/);
var iter = Iterator({});
for ( var i = 0; i < 10000000 ; ++i )
  iter[i] = i;
Marked s-s because this is a GC-related assert.
Whiteboard: [jsbugmon:update,bisect]
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
=== Tinderbox Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20140521111121" and the hash "d1c0446db4d3".
The "bad" changeset has the timestamp "20140521113118" and the hash "32a1e7461250".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=d1c0446db4d3&tochange=32a1e7461250
Likely regressed by:

author: Brian Hackett (at Wed May 21 11:31:02 2014 -0700)
changeset: 32a1e7461250
Bug 1010441 - Keep RegExpShared and RegExp jitcode around when preserving jitcode in a compartment, r=billm. 


Needinfo from Brian based on that.
Flags: needinfo?(bhackett1024)
Attached patch patch (obsolete) — Splinter Review
Thanks!  This actually goes back to the irregexp landing, though it is a latent issue that predated that but which wasn't able to cause problems.  If we execute a proxy for a regexp from another compartment then we'd fetch its RegExpShared directly and use that without entering the compartment for the RegExpShared.  If we compile the regexp then with irregexp the compiled code is created in the wrong compartment (with yarr the compiled code is only associated with the RegExpShared).  The attached patch fixes this by getting a RegExpShared for the current compartment when querying a RegExp proxy.
Assignee: nobody → bhackett1024
Attachment #8432496 - Flags: review?(wmccloskey)
Flags: needinfo?(bhackett1024)
Blocks: 1013586
Blocks: 1013589
Attached patch patch (obsolete) — Splinter Review
Oops, I inadvertently attached a patch with the fix deactivated.
Attachment #8432496 - Attachment is obsolete: true
Attachment #8432496 - Flags: review?(wmccloskey)
Attachment #8432590 - Flags: review?(wmccloskey)
And I then proceeded to attach the exact same incorrect patch.
Attachment #8432590 - Attachment is obsolete: true
Attachment #8432590 - Flags: review?(wmccloskey)
Attachment #8432593 - Flags: review?(wmccloskey)
Duplicate of this bug: 1019034
Comment on attachment 8432593 [details] [diff] [review]
patch for real this time

Review of attachment 8432593 [details] [diff] [review]:
-----------------------------------------------------------------

::: js/src/jsproxy.cpp
@@ +2760,5 @@
> +    // compartment the RegExpShared we just got is from, but if it happens to
> +    // be from the correct one then the lookup below will just refetch it from
> +    // the RegExpCompartment without needing to create a new RegExpShared.
> +    RegExpShared *re = proxyGuard.re();
> +    return cx->compartment()->regExps.get(cx, re->getSource(), re->getFlags(), g);

Please put all this in CrossCompartmentWrapper::regexp_toShared.
Attachment #8432593 - Flags: review?(wmccloskey) → review+
https://hg.mozilla.org/mozilla-central/rev/ae6bd0223b53
Status: NEW → RESOLVED
Closed: 7 years ago
Flags: in-testsuite?
Resolution: --- → FIXED
Target Milestone: --- → mozilla32
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
JSBugMon: This bug has been automatically verified fixed on Fx32
Group: core-security
You need to log in before you can comment on or make changes to this bug.