Closed Bug 1723839 Opened 4 years ago Closed 4 years ago

Assertion failure: !js::gc::EdgeNeedsSweepUnbarrieredSlow(&tmp), at dist/include/js/Value.h:926

Categories

(Core :: JavaScript: GC, defect)

x86_64
Linux
defect

RESOLVED DUPLICATE of bug 1723841

People

(Reporter: decoder, Unassigned)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [bugmon:update,bisect][fuzzblocker])

Attachments

(2 files)

The following testcase crashes on mozilla-central revision 20210803-524aef2e3307 (--enable-debug build, run with --fuzzing-safe --ion-offthread-compile=off):

gczeal(4);
gczeal(21);
evaluate(` 
  RegExp.$1
`);

Backtrace:

received signal SIGSEGV, Segmentation fault.
0x0000555556d003dd in JS_WrapValue(JSContext*, JS::MutableHandle<JS::Value>) ()
#0  0x0000555556d003dd in JS_WrapValue(JSContext*, JS::MutableHandle<JS::Value>) ()
#1  0x0000555556a983d9 in Evaluate(JSContext*, unsigned int, JS::Value*) ()
#2  0x0000555556c0c301 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) ()
[...]
#14 0x0000555556a6e296 in main ()
rip	0x555556d003dd <JS_WrapValue(JSContext*, JS::MutableHandle<JS::Value>)+349>
=> 0x555556d003dd <_Z12JS_WrapValueP9JSContextN2JS13MutableHandleINS1_5ValueEEE+349>:	movl   $0x39e,0x0
   0x555556d003e8 <_Z12JS_WrapValueP9JSContextN2JS13MutableHandleINS1_5ValueEEE+360>:	callq  0x555556b0473a <abort>

Pretty frequent, marking as fuzzblocker and s-s because it is a GC assert.

Attached file Testcase
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → DUPLICATE
Group: javascript-core-security

Bugmon Analysis
No valid actions for resolution (DUPLICATE)
Removing bugmon keyword as no further action possible. Please review the bug and re-add the keyword for further analysis.

Keywords: bugmon