Closed
Bug 1143706
Opened 9 years ago
Closed 9 years ago
CGC tests failing with: Assertion failure: global, at gc/Marking.cpp:1071
Categories
(Core :: JavaScript: GC, defect)
Core
JavaScript: GC
Tracking
()
RESOLVED
FIXED
mozilla39
| Tracking | Status | |
|---|---|---|
| firefox37 | --- | unaffected |
| firefox38 | --- | unaffected |
| firefox39 | --- | fixed |
| firefox-esr31 | --- | unaffected |
| b2g-v1.4 | --- | unaffected |
| b2g-v2.0 | --- | unaffected |
| b2g-v2.0M | --- | unaffected |
| b2g-v2.1 | --- | unaffected |
| b2g-v2.1S | --- | unaffected |
| b2g-v2.2 | --- | unaffected |
| b2g-master | --- | fixed |
People
(Reporter: jonco, Assigned: jonco)
References
Details
Attachments
(1 file)
|
850 bytes,
patch
|
terrence
:
review+
|
Details | Diff | Splinter Review |
Multiple tests failing, for example see: https://treeherder.mozilla.org/logviewer.html#?job_id=7651574&repo=mozilla-inbound
|
Assignee | |
Comment 1•9 years ago
|
||
This seems to be due to the parent-removal changes in bug 805052. ScanBaseShape() allows the global to be null, but BaseShape::markChildren() asserts it is non-null. The original code allowed both the global and the parent to be null. Allowing that in markChildren() fixes the issue.
Attachment #8578071 -
Flags: review?(terrence)
|
|
Assignee | |
Updated•9 years ago
|
|
||
Updated•9 years ago
|
Attachment #8578071 -
Flags: review?(terrence) → review+
|
||
Comment 2•9 years ago
|
||
Hrm. So the original code allowed the parent to be null because some things had null parents. However, the global of an object should never be null, right? I guess we could have a shape still alive for some reason after all objects are gone and the compartment global has gone away.... :(
|
||
Updated•9 years ago
|
status-firefox38:
--- → unaffected
status-firefox39:
--- → affected
status-firefox-esr31:
--- → unaffected
|
|
||
Comment 6•9 years ago
|
||
Should probably add some of the testcases from the dups.
|
|
Assignee | |
Comment 7•9 years ago
|
||
Added test case and pushed to inbound: https://hg.mozilla.org/integration/mozilla-inbound/rev/aede36df2ed9
|
|
Assignee | |
Comment 8•9 years ago
|
||
(In reply to Not doing reviews right now from comment #2) > However, the global of an object should never be null, right? I did some more investigation, and in this case we are in the process of creating the global but so far we have only created a base shape for its shape, which is rooted on the stack.
|
|
||
Comment 10•9 years ago
|
||
(In reply to Jon Coppeard (:jonco) from comment #8) > I did some more investigation, and in this case we are in the process of > creating the global but so far we have only created a base shape for its > shape, which is rooted on the stack. So is there no security issue here? Just a null deref?
|
||
Comment 11•9 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/aede36df2ed9
Status: NEW → RESOLVED
Closed: 9 years ago
status-b2g-v1.4:
--- → unaffected
status-b2g-v2.0:
--- → unaffected
status-b2g-v2.0M:
--- → unaffected
status-b2g-v2.1:
--- → unaffected
status-b2g-v2.1S:
--- → unaffected
status-b2g-v2.2:
--- → unaffected
status-b2g-master:
--- → fixed
status-firefox37:
--- → unaffected
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla39
|
|
Assignee | |
Comment 12•9 years ago
|
||
(In reply to Andrew McCreight [:mccr8] from comment #10) > So is there no security issue here? Just a null deref? That's right.
|
|
||
Updated•9 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•