"Assertion failure: *flagp != GCF_FINAL, at ../jsgc.cpp"

VERIFIED FIXED

Status

Core
JavaScript Engine
--
critical
VERIFIED FIXED
9 years ago
4 years ago

People

(Reporter: gkw, Assigned: mrbkap)

Tracking

(Blocks: 1 bug, 4 keywords)

Trunk
x86
Mac OS X
assertion, crash, testcase, verified1.9.1
Points:
---
Bug Flags:
blocking1.9.1 +
in-testsuite ?
in-litmus -

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [sg:critical?] fixed-in-tracemonkey)

Attachments

(2 attachments)

(Reporter)

Description

9 years ago
gczeal(2); eval('(function)', {})

asserts dbg at Assertion failure: *flagp != GCF_FINAL, at ../jsgc.cpp and different variants either crash debug js shell near null or at possibly exploitable locations.

Possible regression of bug 446026?
Flags: blocking1.9.1?

Updated

9 years ago
Whiteboard: [sg:critical?]
(Reporter)

Comment 1

9 years ago
Thanks Jesse for helping to reduce this testcase.

TM is not needed to be enabled for this bug to occur.
(Assignee)

Comment 2

9 years ago
Created attachment 353132 [details] [diff] [review]
Fix
Assignee: general → mrbkap
Status: NEW → ASSIGNED
Attachment #353132 - Flags: review?(crowder)

Updated

9 years ago
Attachment #353132 - Flags: review?(crowder) → review+

Comment 3

9 years ago
Comment on attachment 353132 [details] [diff] [review]
Fix

ugh, thanks
(Assignee)

Comment 4

9 years ago
http://hg.mozilla.org/tracemonkey/rev/5f6d7c789505
Whiteboard: [sg:critical?] → [sg:critical?] fixed-in-tracemonkey

Updated

9 years ago
Flags: blocking1.9.1? → blocking1.9.1+

Comment 5

9 years ago
merged in mc
Status: ASSIGNED → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → FIXED

Comment 6

9 years ago
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/ae3928490f31
Keywords: fixed1.9.1

Comment 7

9 years ago
Created attachment 358054 [details]
js1_5/GC/regress-469621.js

Updated

9 years ago
Flags: in-testsuite+
Flags: in-litmus-

Comment 8

9 years ago
v 1.9.1, 1.9.2
Status: RESOLVED → VERIFIED
Keywords: fixed1.9.1 → verified1.9.1

Comment 9

8 years ago
When this bug is opened, the test should be checked in.
Flags: in-testsuite+ → in-testsuite?
Group: core-security