Closed
Bug 511835
Opened 15 years ago
Closed 15 years ago
Crash [@ QuoteString] or [@ js_HashString] or "Assertion failure: (*flagp & GCF_FINAL) == 0, at ../jsgc.cpp"
Categories
(Core :: JavaScript Engine, defect, P1)
Tracking
()
RESOLVED
FIXED
mozilla1.9.2
Tracking | Status | |
---|---|---|
status1.9.2 | --- | beta1-fixed |
People
(Reporter: gkw, Assigned: brendan)
References
Details
(4 keywords, Whiteboard: fixed-in-tracemonkey)
Crash Data
Attachments
(1 file, 1 obsolete file)
1.74 KB,
patch
|
gal
:
review+
|
Details | Diff | Splinter Review |
Testcase 1 (pass in as a file, i.e. ./js testcase.js ): try { (function () { for (;;)( * ) })() } catch(e) {} (function () { with(0) { gc() } })() try { (function () { ({ x:* })() })() } catch(e) {} crashes QuoteString at 0x002ae000 in dbg without -j on TM branch and crashes QuoteString at 0x001e9bec in opt. ===== Testcase 2: gczeal(2);*.l asserts js dbg shell without -j on TM branch at Assertion failure: (*flagp & GCF_FINAL) == 0, at ../jsgc.cpp:2657 ===== Testcase 3: __defineGetter__("x",gc) x(false.*) crashes js dbg and opt shells without -j on TM branch at js_HashString at a weird address. Setting security-sensitive because the above testcases all seem to involve gc or gczeal. autoBisect shows the above testcases are probably related to bug 511567: The first bad revision is: changeset: 31637:3d98dade7db3 user: Andreas Gal <gal@mozilla.com> date: Wed Aug 19 19:37:59 2009 -0700 summary: Atomize unit strings at birth (511567, r=shaver).
Flags: blocking1.9.2?
Reporter | ||
Updated•15 years ago
|
Summary: Crash [@ QuoteString] or [@ js_HashString] or "Assertion failure: (*flagp & GCF_FINAL) == 0, at ../jsgc.cpp:2657" → Crash [@ QuoteString] or [@ js_HashString] or "Assertion failure: (*flagp & GCF_FINAL) == 0, at ../jsgc.cpp"
Updated•15 years ago
|
Assignee: general → gal
Comment 1•15 years ago
|
||
Don't GC unit strings since they are atoms and we don't always properly mark atoms we expect to stick around.
Updated•15 years ago
|
Attachment #395955 -
Flags: review?(jorendorff)
Comment 2•15 years ago
|
||
We broke this very recently. I will open up the bug and we will fix this in m-c asap. This isn't on any branch.
Group: core-security
Assignee | ||
Comment 3•15 years ago
|
||
(In reply to comment #1) > Created an attachment (id=395955) [details] > patch > > Don't GC unit strings since they are atoms Atoms are marked. What's stopping the unit strings from being marked too? > we don't always properly mark atoms we expect to stick around. What's this mean? /be
Comment 4•15 years ago
|
||
Unit strings are not in the atom table. I still don't understand why this hazard occurs. Whoever holds the atom should have had it traced.
Updated•15 years ago
|
Attachment #395955 -
Flags: review?(jorendorff) → review?(brendan)
Assignee | ||
Comment 5•15 years ago
|
||
GC_KEEP_ATOMS relies on the atom table holding refs to mark. Taking unit strings out of the table means they won't be marked so will be collected. I thought this was a latent bug in js_GetAnyName (jsxml.cpp) but it's really pervasive: last ditch GC must not collect atoms. /be
Assignee | ||
Comment 6•15 years ago
|
||
Assignee: gal → brendan
Attachment #395955 -
Attachment is obsolete: true
Status: NEW → ASSIGNED
Attachment #395997 -
Flags: review?(gal)
Attachment #395955 -
Flags: review?(brendan)
Updated•15 years ago
|
Attachment #395997 -
Flags: review?(gal) → review+
Assignee | ||
Updated•15 years ago
|
Priority: -- → P1
Target Milestone: --- → mozilla1.9.2
Assignee | ||
Comment 7•15 years ago
|
||
http://hg.mozilla.org/tracemonkey/rev/6af141306c8e /be
Whiteboard: fixed-in-tracemonkey
Updated•15 years ago
|
Flags: blocking1.9.2? → blocking1.9.2+
Assignee | ||
Comment 8•15 years ago
|
||
http://hg.mozilla.org/mozilla-central/rev/6af141306c8e /be
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Comment 9•15 years ago
|
||
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/7bc822155dcf
status1.9.2:
--- → beta1-fixed
Updated•13 years ago
|
Crash Signature: [@ QuoteString]
[@ js_HashString]
You need to log in
before you can comment on or make changes to this bug.
Description
•