Closed
Bug 511835
Opened 15 years ago
Closed 15 years ago
Crash [@ QuoteString] or [@ js_HashString] or "Assertion failure: (*flagp & GCF_FINAL) == 0, at ../jsgc.cpp"
Categories
(Core :: JavaScript Engine, defect, P1)
Tracking
()
RESOLVED
FIXED
mozilla1.9.2
| Tracking | Status | |
|---|---|---|
| status1.9.2 | --- | beta1-fixed |
People
(Reporter: gkw, Assigned: brendan)
References
Details
(4 keywords, Whiteboard: fixed-in-tracemonkey)
Crash Data
Attachments
(1 file, 1 obsolete file)
|
1.74 KB,
patch
|
gal
:
review+
|
Details | Diff | Splinter Review |
Testcase 1 (pass in as a file, i.e. ./js testcase.js ):
try {
(function () {
for (;;)( * )
})()
} catch(e) {}
(function () {
with(0) {
gc()
}
})()
try {
(function () {
({
x:*
})()
})()
} catch(e) {}
crashes QuoteString at 0x002ae000 in dbg without -j on TM branch and crashes QuoteString at 0x001e9bec in opt.
=====
Testcase 2:
gczeal(2);*.l
asserts js dbg shell without -j on TM branch at Assertion failure: (*flagp & GCF_FINAL) == 0, at ../jsgc.cpp:2657
=====
Testcase 3:
__defineGetter__("x",gc)
x(false.*)
crashes js dbg and opt shells without -j on TM branch at js_HashString at a weird address.
Setting security-sensitive because the above testcases all seem to involve gc or gczeal.
autoBisect shows the above testcases are probably related to bug 511567:
The first bad revision is:
changeset: 31637:3d98dade7db3
user: Andreas Gal <gal@mozilla.com>
date: Wed Aug 19 19:37:59 2009 -0700
summary: Atomize unit strings at birth (511567, r=shaver).Flags: blocking1.9.2?
|
Reporter | |
Updated•15 years ago
|
Summary: Crash [@ QuoteString] or [@ js_HashString] or "Assertion failure: (*flagp & GCF_FINAL) == 0, at ../jsgc.cpp:2657" → Crash [@ QuoteString] or [@ js_HashString] or "Assertion failure: (*flagp & GCF_FINAL) == 0, at ../jsgc.cpp"
|
||
Updated•15 years ago
|
Assignee: general → gal
|
|
||
Comment 1•15 years ago
|
||
Don't GC unit strings since they are atoms and we don't always properly mark atoms we expect to stick around.
|
|
||
Updated•15 years ago
|
Attachment #395955 -
Flags: review?(jorendorff)
|
|
||
Comment 2•15 years ago
|
||
We broke this very recently. I will open up the bug and we will fix this in m-c asap. This isn't on any branch.
Group: core-security
|
Assignee | |
Comment 3•15 years ago
|
||
(In reply to comment #1) > Created an attachment (id=395955) [details] > patch > > Don't GC unit strings since they are atoms Atoms are marked. What's stopping the unit strings from being marked too? > we don't always properly mark atoms we expect to stick around. What's this mean? /be
|
|
||
Comment 4•15 years ago
|
||
Unit strings are not in the atom table. I still don't understand why this hazard occurs. Whoever holds the atom should have had it traced.
|
|
||
Updated•15 years ago
|
Attachment #395955 -
Flags: review?(jorendorff) → review?(brendan)
|
|
Assignee | |
Comment 5•15 years ago
|
||
GC_KEEP_ATOMS relies on the atom table holding refs to mark. Taking unit strings out of the table means they won't be marked so will be collected. I thought this was a latent bug in js_GetAnyName (jsxml.cpp) but it's really pervasive: last ditch GC must not collect atoms. /be
|
|
Assignee | |
Comment 6•15 years ago
|
||
Assignee: gal → brendan
Attachment #395955 -
Attachment is obsolete: true
Status: NEW → ASSIGNED
Attachment #395997 -
Flags: review?(gal)
Attachment #395955 -
Flags: review?(brendan)
|
|
||
Updated•15 years ago
|
Attachment #395997 -
Flags: review?(gal) → review+
|
|
Assignee | |
Updated•15 years ago
|
Priority: -- → P1
Target Milestone: --- → mozilla1.9.2
|
|
Assignee | |
Comment 7•15 years ago
|
||
http://hg.mozilla.org/tracemonkey/rev/6af141306c8e /be
Whiteboard: fixed-in-tracemonkey
|
||
Updated•15 years ago
|
Flags: blocking1.9.2? → blocking1.9.2+
|
|
Assignee | |
Comment 8•15 years ago
|
||
http://hg.mozilla.org/mozilla-central/rev/6af141306c8e /be
Status: ASSIGNED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
|
|
||
Comment 9•15 years ago
|
||
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/7bc822155dcf
status1.9.2:
--- → beta1-fixed
|
||
Updated•13 years ago
|
Crash Signature: [@ QuoteString]
[@ js_HashString]
You need to log in
before you can comment on or make changes to this bug.
Description
•