Bug 379693 - Crash [@ js_NewGCThing ] e4x/Regress/regress-355569.js Browser
Status: Closed, VERIFIED FIXED
Opened 17 years ago, closed 16 years ago
Component: Core :: JavaScript Engine, defect
Reporter: bc; Assigned: igor
Keywords: crash; Whiteboard: [sg:critical?]

Description
trunk only. See bug 355569 (attachment 241706 [details]) for the test case. Sensitive due to bug 355569.

Debugger watch at the crash:

    tmpthing 0x00000003 {next=??? flagp=??? } JSGCThing *

Crashing loop (=> marks the faulting line):

    if (tmpthing) {
        maxFreeThings = MAX_THREAD_LOCAL_THINGS;
        do {
    =>      if (!tmpthing->next)
                break;
            tmpthing = tmpthing->next;
        } while (--maxFreeThings != 0);

Stack:

    > js3250.dll!js_NewGCThing(JSContext * cx=0x04637b50, unsigned int flags=5, unsigned int nbytes=16) Line 1508 + 0x3 bytes C
      js3250.dll!js_NewXMLNamespace(JSContext * cx=0x04637b50, JSString * prefix=0x00cb52b0, JSString * uri=0x00cb52b0, int declared=0) Line 285 + 0xd bytes C
      js3250.dll!Namespace(JSContext * cx=0x04637b50, JSObject * obj=0x03cf2480, unsigned int argc=0, long * argv=0x0548cd78, long * rval=0x0012ec7c) Line 764 + 0x13 bytes C
      js3250.dll!js_Invoke(JSContext * cx=0x04637b50, unsigned int argc=0, unsigned int flags=3) Line 1332 + 0x20 bytes C
      js3250.dll!js_InternalInvoke(JSContext * cx=0x04637b50, JSObject * obj=0x03cf2480, long fval=60962112, unsigned int flags=1, unsigned int argc=0, long * argv=0x00000000, long * rval=0x0012edf0) Line 1426 + 0x14 bytes C
      js3250.dll!js_ConstructObject(JSContext * cx=0x04637b50, JSClass * clasp=0x005b2af0, JSObject * proto=0x03a23580, JSObject * parent=0x04057a40, unsigned int argc=0, long * argv=0x00000000) Line 2741 + 0x1f bytes C
      js3250.dll!js_GetDefaultXMLNamespace(JSContext * cx=0x04637b50, long * vp=0x0012ee6c) Line 7795 + 0x18 bytes C
      js3250.dll!QName(JSContext * cx=0x04637b50, JSObject * obj=0x03cf32a0, unsigned int argc=0, long * argv=0x0548cd60, long * rval=0x0012eef8) Line 896 + 0xd bytes C
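The loop quoted in the description trusts every `next` link in the thread-local free list, so a corrupted link such as the `0x00000003` seen in the watch window is dereferenced and faults. The following is an added, self-contained model of that walk (not SpiderMonkey's code, not part of this bug): `GCThing`, `arena`, `plausible_cell` and `walk_free_list` are hypothetical names, the arena is a fixed array standing in for a GC arena, and the corrupted link is constructed by hand. The point it shows is the check the quoted loop lacks: a link that does not land on a cell boundary inside the arena is reported instead of followed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for JSGCThing (the real struct also carries flagp, which the
 * walk never touches). Hypothetical model, not SpiderMonkey's definition. */
typedef struct GCThing {
    struct GCThing *next;
} GCThing;

#define MAX_THREAD_LOCAL_THINGS 8   /* assumed small cap, as in the quoted loop */
#define ARENA_CELLS 16

/* Assumption of this model: every legitimate free cell lives in one arena. */
static GCThing arena[ARENA_CELLS];

/* A next link is plausible only if it points at a cell boundary inside the
 * arena. The crash value 0x3 fails both the range and the alignment test. */
static int plausible_cell(const GCThing *p)
{
    uintptr_t a  = (uintptr_t)p;
    uintptr_t lo = (uintptr_t)arena;
    uintptr_t hi = (uintptr_t)(arena + ARENA_CELLS);
    return a >= lo && a < hi && ((a - lo) % sizeof(GCThing)) == 0;
}

/* Walk at most `max` cells from `head`, mirroring the do/while in the
 * description, but refuse to dereference a link that cannot be a cell.
 * Returns the number of cells visited, or -1 with *bad set to the offending
 * link. */
static int walk_free_list(GCThing *head, unsigned max, GCThing **bad)
{
    GCThing *tmpthing = head;
    int visited = 0;

    *bad = NULL;
    if (!tmpthing)
        return 0;
    do {
        if (!plausible_cell(tmpthing)) {   /* the quoted loop has no such check */
            *bad = tmpthing;
            return -1;
        }
        visited++;
        if (!tmpthing->next)
            break;
        tmpthing = tmpthing->next;
    } while (--max != 0);
    return visited;
}

/* Thread a free list of n cells through arena[0..n-1]; returns its head. */
static GCThing *build_list(unsigned n)
{
    for (unsigned i = 0; i < n; i++)
        arena[i].next = (i + 1 < n) ? &arena[i + 1] : NULL;
    return n ? &arena[0] : NULL;
}

int main(void)
{
    GCThing *bad;
    GCThing *head = build_list(3);

    printf("clean list: visited %d\n",
           walk_free_list(head, MAX_THREAD_LOCAL_THINGS, &bad));

    /* Constructed corruption: splice the value from the crash into the chain. */
    arena[1].next = (GCThing *)0x3;
    int r = walk_free_list(head, MAX_THREAD_LOCAL_THINGS, &bad);
    printf("corrupt list: result %d, bad link %p\n", r, (void *)bad);
    return 0;
}
```

The check costs two compares per cell and turns a wild read into a diagnosable report, which is what you want when deciding, as comment 3 and comment 4 do, whether a crash is a harmless near-null dereference or a symptom of a heap that is already inconsistent.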
Comment 1•17 years ago
If you are not the right person to assign this to, please help us find someone that is.
Assignee: general → crowder
Comment 3•17 years ago
Igor, do you know whether tmpthing is guaranteed to be near-null, making this a safe crash?
Severity: major → critical
Whiteboard: [sg:nse null deref?] security-sensitive due to bug 355569 testcase
Comment 4 (Assignee) • 17 years ago
(In reply to comment #3)
> Igor, do you know whether tmpthing is guaranteed to be near-null, making this a
> safe crash?

That tmp value means the heap is in a rather inconsistent state, to put it mildly. Moreover, on Linux GDB cannot even recover the stack for the test case and mixes unrelated functions into it. Thus I think this is not a safe crash.
Updated•17 years ago
Whiteboard: [sg:nse null deref?] security-sensitive due to bug 355569 testcase → [sg:critical?]
Comment 6•17 years ago
Does this still happen?
Comment 7 (Reporter) • 17 years ago
(In reply to comment #6)
> Does this still happen?

Yep, in yesterday's debug browser build I crash at

    #6 0x001dc326 in js_NewGCThing (cx=0xa9252e0, flags=4, nbytes=16) at /work/mozilla/builds/1.9.0/mozilla/js/src/jsgc.c:1403

with similar following frames. The shell fails to run the test for some reason, with an undefined SUMMARY in shell.js.
Updated•17 years ago
Priority: -- → P2
Updated•17 years ago
Flags: blocking1.9? → blocking1.9+
Comment 8•16 years ago
Igor, news on this?
Comment 9 (Reporter) • 16 years ago
This testcase stopped failing sometime between 2007-12-30 and 2007-12-31. It looks like bug 409433 is the fix. Igor, do you agree?
Comment 10•16 years ago
Taking this off the blocker list for now. Please mark fixed or dupe. If still an issue, renom.
Flags: tracking1.9+
Priority: P2 → --
Comment 11 (Reporter) • 16 years ago
-> fixed by bug 409433
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Updated (Reporter) • 16 years ago
Flags: in-testsuite+
Flags: in-litmus-
Updated•13 years ago
Crash Signature: [@ js_NewGCThing ]
Updated•9 years ago
Group: core-security