Closed Bug 1516138 Opened 10 months ago Closed 9 months ago

Assertion failure: zeal <= unsigned(ZealMode::Limit), at js/src/gc/GC.cpp:1037

Categories: Core :: JavaScript Engine, defect, critical
Platform: x86_64 Linux
Status: RESOLVED FIXED, target milestone mozilla66
Tracking status: firefox-esr60 unaffected; firefox64 wontfix; firefox65 fixed; firefox66 fixed
People: Reporter: gkw, Assigned: jonco
References: Blocks 1 open bug
Details: 4 keywords, Whiteboard: [fuzzblocker][jsbugmon:]
Attachments: 2 files

The following testcase crashes on mozilla-beta revision 4db38a16ee18 (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --no-baseline --no-ion --gc-zeal=24):

quit();

Backtrace:

#0  js::gc::GCRuntime::setZeal (this=0x7f75bbc1c680, zeal=24 '\030', frequency=100) at js/src/gc/GC.cpp:1037
#1  0x000055f2eb7cae0d in js::gc::GCRuntime::parseAndSetZeal (this=0x7f75bbc1c680, str=<optimized out>) at js/src/gc/GC.cpp:1212
#2  0x000055f2eaffa76f in SetContextOptions (cx=<optimized out>, op=...) at js/src/shell/js.cpp:10460
#3  main (argc=7, argv=0x7fffc2440048, envp=<optimized out>) at js/src/shell/js.cpp:11061
/snip

For detailed crash information, see attachment.

Any value above 23 for now will cause the assertion failure on mozilla-beta. At least 25 is valid on m-c rev tip 0124a534484d for now.

Can we please not throw an assertion failure when an invalid value of gc-zeal is passed in?
I'm working around this for now.
Flags: needinfo?(jcoppeard)
Whiteboard: [jsbugmon:update] → [fuzzblocker][jsbugmon:]
autobisectjs shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/0f26c7b0aa7d
user:        Jon Coppeard
date:        Tue Apr 17 08:44:55 2018 +0200
summary:     Bug 1453028 - Refactor the way we parse zeal mode strings r=sfink
Blocks: 1453028
Sounds annoying but not something that'll affect regular users.
GCRuntime::setZeal() asserts that the mode parameter is in range, but we don't check it when we parse the string passed in parseAndSetZeal().

The patch adds a range check.
Assignee: nobody → jcoppeard
Flags: needinfo?(jcoppeard)
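A hypothetical model of the fix described in the comment above, added here as an example and not SpiderMonkey's code: the option-string parser checks the mode against ZealMode::Limit before the setter's assertion can ever see it. The "mode[,frequency]" format, the Limit value of 23 and all function names are assumptions drawn from this report, not from the actual source.

```cpp
// Hypothetical model of the bug in this report (not SpiderMonkey's code).
// The setter asserts that the mode is in range; the defect was that the
// parser forwarded whatever number the command line contained.
#include <cassert>
#include <cerrno>
#include <cstdlib>
#include <limits>
#include <string>

// Stand-in for js::gc::ZealMode; 23 as the highest valid mode is assumed
// from the report ("any value above 23 ... will cause the assertion").
enum class ZealMode : unsigned { Limit = 23 };

struct ZealSetting { unsigned mode = 0; unsigned frequency = 0; };

// Parse a decimal unsigned integer, rejecting signs, trailing junk and overflow.
static bool parseUnsigned(const std::string& s, unsigned& out) {
  if (s.empty() || s[0] == '-' || s[0] == '+') return false;
  errno = 0;
  char* end = nullptr;
  unsigned long v = std::strtoul(s.c_str(), &end, 10);
  if (errno != 0 || end == s.c_str() || *end != '\0') return false;
  if (v > std::numeric_limits<unsigned>::max()) return false;
  out = static_cast<unsigned>(v);
  return true;
}

// The setter keeps its assertion: it is a caller contract, not input validation.
static void setZeal(ZealSetting& st, unsigned mode, unsigned frequency) {
  assert(mode <= unsigned(ZealMode::Limit));
  st.mode = mode; st.frequency = frequency;
}

// Hardened parse of "mode" or "mode,frequency" (assumed format). Returns
// false for malformed or out-of-range input instead of reaching the assert.
bool parseAndSetZeal(const std::string& str, ZealSetting& out) {
  std::string modeStr = str, freqStr;
  std::string::size_type comma = str.find(',');
  if (comma != std::string::npos) {
    modeStr = str.substr(0, comma);
    freqStr = str.substr(comma + 1);
  }
  unsigned mode = 0;
  unsigned frequency = 100;  // default matching the backtrace (frequency=100)
  if (!parseUnsigned(modeStr, mode)) return false;
  if (mode > unsigned(ZealMode::Limit)) return false;  // the missing range check
  if (!freqStr.empty() && !parseUnsigned(freqStr, frequency)) return false;
  setZeal(out, mode, frequency);
  return true;
}
```

With this check in place, the reporter's `--gc-zeal=24` is rejected by the parser as an invalid value rather than tripping the debug assertion in the setter.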
Attachment #9033784 - Flags: review?(allstars.chh)
Attachment #9033784 - Flags: review?(allstars.chh) → review+
Pushed by jcoppeard@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/c60f868017bc
Check GC zeal mode is in range r=allstars.chh
https://hg.mozilla.org/mozilla-central/rev/c60f868017bc
Status: NEW → RESOLVED
Closed: 9 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla66
This is debug-only code, so I'll uplift this a=npotb to make life easier for the fuzzers.