Closed Bug 379693 Opened 17 years ago Closed 16 years ago

Crash [@ js_NewGCThing ] e4x/Regress/regress-355569.js Browser

Categories

(Core :: JavaScript Engine, defect)

x86
All
defect
Not set
critical

Tracking


VERIFIED FIXED

People

(Reporter: bc, Assigned: igor)

Details

(Keywords: crash, Whiteboard: [sg:critical?])

Crash Data

trunk only. See bug 355569 (attachment 241706 [details]) for the test case. Sensitive due to bug 355569.

tmpthing	0x00000003 {next=??? flagp=??? }	JSGCThing *

            if (tmpthing) {
                maxFreeThings = MAX_THREAD_LOCAL_THINGS;
                do {
=>                  if (!tmpthing->next)
                        break;
                    tmpthing = tmpthing->next;
                } while (--maxFreeThings != 0);


>	js3250.dll!js_NewGCThing(JSContext * cx=0x04637b50, unsigned int flags=5, unsigned int nbytes=16)  Line 1508 + 0x3 bytes	C
 	js3250.dll!js_NewXMLNamespace(JSContext * cx=0x04637b50, JSString * prefix=0x00cb52b0, JSString * uri=0x00cb52b0, int declared=0)  Line 285 + 0xd bytes	C
 	js3250.dll!Namespace(JSContext * cx=0x04637b50, JSObject * obj=0x03cf2480, unsigned int argc=0, long * argv=0x0548cd78, long * rval=0x0012ec7c)  Line 764 + 0x13 bytes	C
 	js3250.dll!js_Invoke(JSContext * cx=0x04637b50, unsigned int argc=0, unsigned int flags=3)  Line 1332 + 0x20 bytes	C
 	js3250.dll!js_InternalInvoke(JSContext * cx=0x04637b50, JSObject * obj=0x03cf2480, long fval=60962112, unsigned int flags=1, unsigned int argc=0, long * argv=0x00000000, long * rval=0x0012edf0)  Line 1426 + 0x14 bytes	C
 	js3250.dll!js_ConstructObject(JSContext * cx=0x04637b50, JSClass * clasp=0x005b2af0, JSObject * proto=0x03a23580, JSObject * parent=0x04057a40, unsigned int argc=0, long * argv=0x00000000)  Line 2741 + 0x1f bytes	C
 	js3250.dll!js_GetDefaultXMLNamespace(JSContext * cx=0x04637b50, long * vp=0x0012ee6c)  Line 7795 + 0x18 bytes	C
 	js3250.dll!QName(JSContext * cx=0x04637b50, JSObject * obj=0x03cf32a0, unsigned int argc=0, long * argv=0x0548cd60, long * rval=0x0012eef8)  Line 896 + 0xd bytes	C
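Added example, not SpiderMonkey's own code: the loop shown above follows tmpthing->next without checking it, so a corrupted link such as the 0x00000003 in the watch window gets dereferenced. This demo walks a constructed free list with the same MAX_THREAD_LOCAL_THINGS bound but validates each link against its arena before following it, so a bad link is reported instead of crashed on; the JSGCThing layout, the Arena type and the arena size are assumptions.

```c
#include <stdint.h>
#include <stdio.h>

/* Shape of the free-list cell as seen in the crash watch ({next, flagp});
 * an assumption for this demo, not SpiderMonkey's definition. */
typedef struct JSGCThing {
    struct JSGCThing *next;
    uint8_t *flagp;
} JSGCThing;

#define ARENA_THINGS 8              /* constructed arena size (assumption) */
#define MAX_THREAD_LOCAL_THINGS 4   /* same loop bound as the snippet above */

typedef struct { JSGCThing things[ARENA_THINGS]; } Arena;

/* A link is trusted only if it lands on a cell boundary inside the arena.
 * A value like 0x00000003 fails this test instead of being dereferenced. */
static int link_is_sane(const Arena *a, const JSGCThing *p) {
    uintptr_t base = (uintptr_t)a->things;
    uintptr_t end  = base + sizeof(a->things);
    uintptr_t v    = (uintptr_t)p;
    return v >= base && v < end && (v - base) % sizeof(JSGCThing) == 0;
}

/* Walk the free list the way js_NewGCThing does, but stop at the first
 * untrusted link. Returns the number of cells walked, or -1 on corruption. */
static int walk_free_list(const Arena *a, const JSGCThing *head) {
    const JSGCThing *t = head;
    int walked = 0, budget = MAX_THREAD_LOCAL_THINGS;
    while (t) {
        if (!link_is_sane(a, t)) {
            fprintf(stderr, "free list corrupted: link %p outside arena\n",
                    (const void *)t);
            return -1;
        }
        walked++;
        if (--budget == 0) break;   /* same bound as the original loop */
        t = t->next;
    }
    return walked;
}

/* Constructed scenario: a healthy list, then one with a bogus link. */
static int demo_healthy(void) {
    Arena a = {{{0}}};
    a.things[0].next = &a.things[2];
    a.things[2].next = &a.things[5];          /* things[5].next stays NULL */
    return walk_free_list(&a, &a.things[0]);  /* 3 */
}

static int demo_corrupted(void) {
    Arena a = {{{0}}};
    a.things[0].next = &a.things[2];
    a.things[2].next = (JSGCThing *)(uintptr_t)0x3;  /* value from the watch */
    return walk_free_list(&a, &a.things[0]);         /* -1 */
}
```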
If you are not the right person to assign this to, please help us find someone that is.
Assignee: general → crowder
Hot potato!
Assignee: crowder → igor
Igor, do you know whether tmpthing is guaranteed to be near-null, making this a safe crash?
Severity: major → critical
Whiteboard: [sg:nse null deref?] security-sensitive due to bug 355569 testcase
(In reply to comment #3)
> Igor, do you know whether tmpthing is guaranteed to be near-null, making this a
> safe crash?
> 

That tmp value means the heap is in a rather inconsistent state, to put it mildly. Moreover, with the test case Linux GDB cannot even recover the stack and mixes in unrelated functions there. Thus I think this is not a safe crash.
Whiteboard: [sg:nse null deref?] security-sensitive due to bug 355569 testcase → [sg:critical?]
try for 1.9?
Flags: blocking1.9?
Does this still happen?
(In reply to comment #6)
> Does this still happen?
> 

Yep, in yesterday's debug browser build I crash at

#6  0x001dc326 in js_NewGCThing (cx=0xa9252e0, flags=4, nbytes=16)
    at /work/mozilla/builds/1.9.0/mozilla/js/src/jsgc.c:1403

with similar following frames. The shell fails to run the test for some reason with an undefined SUMMARY in shell.js.
Priority: -- → P2
Flags: blocking1.9? → blocking1.9+
Igor, news on this?
This testcase stopped failing sometime between 2007-12-30 and 2007-12-31. It looks like bug 409433 is the fix. Igor, do you agree?
Taking this off the blocker list for now. Please mark fixed or dupe. If still an issue, renom.
Flags: tracking1.9+
Priority: P2 → --
-> fixed by bug 409433
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Flags: in-testsuite+
Flags: in-litmus-
v 1.9.0
Status: RESOLVED → VERIFIED
Crash Signature: [@ js_NewGCThing ]
Group: core-security