Closed Bug 514999 Opened 16 years ago Closed 16 years ago

TM: "Assertion failure: thing, at ../jsgc.cpp"

Categories

(Core :: JavaScript Engine, defect, P1)

x86
macOS
defect

Tracking


VERIFIED FIXED
Tracking Status
status1.9.2 --- beta1-fixed
blocking1.9.1 --- .6+
status1.9.1 --- .6-fixed
fennec 1.0+ ---

People

(Reporter: gkw, Assigned: gal)

References

Details

(5 keywords, Whiteboard: fixed-in-tracemonkey [sg:critical])

Attachments

(2 files, 1 obsolete file)

(function () {
  (eval("\
  (function () {\
    for (var y = 0; y < 16; ++y) {\
      if (y % 3 == 2) {\
        gczeal(1);\
      } else {\
        print(0 / 0);\
      }\
    }\
  });\
  "))()
})();

asserts js debug shell with -j at:

Assertion failure: thing, at ../jsgc.cpp:2610

Brendan says (and I confirmed) that this is most probably related to bug 513981. Security-sensitive since bug 513981 is locked too.
Flags: blocking1.9.2?
TM branch tip too.
Awesome fuzzer work Gary. This is really bad news. It's very likely 513981 as you suspected.
It doesn't crash if I use TMFLAGS=full. This is going to be fun.
(In reply to comment #2)
> Awesome fuzzer work Gary. This is really bad news. It's very likely 513981 as
> you suspected.

As *I* suspect :-P. See bug 514819 comment 28.

/be
(In reply to comment #0)
> Brendan says (and I confirmed) that this is most probably related to bug
> 513981. Security-sensitive since bug 513981 is locked too.

(In reply to comment #4)
> (In reply to comment #2)
> > Awesome fuzzer work Gary. This is really bad news. It's very likely 513981 as
> > you suspected.
>
> As *I* suspect :-P. See bug 514819 comment 28.
>
> /be

Yeah, I (or autoBisect) only get partial credit, full credit goes out to Brendan. ;-)
Attached patch patch (obsolete) — Splinter Review
Assignee: general → gal
Attachment #399034 - Flags: review?(mrbkap)
I concur with blocking and this is also needed for the 3.5 branch.
tracking-fennec: --- → ?
Attachment #399034 - Attachment is patch: true
Attachment #399034 - Attachment mime type: application/octet-stream → text/plain
Attachment #399034 - Flags: approval1.9.1.4?
sayrer, this and the other patch should go on trunk to make asap (assuming I get review for this and tryserver doesn't hate me)
bake, not make
blocking1.9.1: --- → ?
Flags: blocking1.9.2? → blocking1.9.2+
Attachment #399034 - Flags: review?(mrbkap) → review+
I am getting a trace-test failure with the patch. Investigating.
This is not a security issue per se tho right? Trying to figure out sg: rating.
I'd rate this as sg:critical. At the very least, if this particular bug is checked in as-is, it leaves a sg:critical bug in its wake.
Attached patch patch — Splinter Review
We can re-enter the interpreter while an outer use of nativeVp is still active, so we have to move nativeVp from cx to InterpState (debugged by Blake).
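The comment above gives the rationale for the fix: a single nativeVp slot on the context cannot root the arguments of more than one native call at a time, so a nested interpreter entry that makes its own native call leaves the outer call's arguments invisible to the GC. The following is an added model of that hazard and of the per-activation fix, not TraceMonkey code; Heap, Thing, ContextSlotEngine, ActivationStateEngine and Activation are hypothetical stand-ins for the engine's heap, JSContext and InterpState.

```cpp
// Added model of the rooting hazard described in the comment above. This is
// not TraceMonkey code; Heap, Thing, ContextSlotEngine, ActivationStateEngine
// and Activation are hypothetical stand-ins for the heap, JSContext and InterpState.
#include <cstdio>
#include <vector>

struct Thing { bool marked = false; bool freed = false; };
using ArgVec = std::vector<Thing*>;   // the argument vector a native call receives
using RootList = std::vector<ArgVec*>;

// Toy mark-and-sweep heap: anything not reachable from the reported roots
// is flagged as freed (instead of deleted) so the outcome can be observed.
struct Heap {
    std::vector<Thing*> things;
    Thing* alloc() { things.push_back(new Thing); return things.back(); }
    void collect(const RootList& roots) {
        for (Thing* t : things) t->marked = false;
        for (ArgVec* vp : roots)
            for (Thing* t : *vp) t->marked = true;
        for (Thing* t : things) if (!t->marked) t->freed = true;
    }
    ~Heap() { for (Thing* t : things) delete t; }
};

// Hazardous design: one nativeVp slot on the context, shared by every
// activation. A nested native call overwrites the outer call's slot.
struct ContextSlotEngine {
    ArgVec* nativeVp = nullptr;
    struct Activation {
        ContextSlotEngine& e;
        Activation(ContextSlotEngine& e, ArgVec* vp) : e(e) { e.nativeVp = vp; }
        ~Activation() { e.nativeVp = nullptr; }   // inner return clears the slot
    };
    RootList roots() const { return nativeVp ? RootList{nativeVp} : RootList{}; }
};

// Corrected design: nativeVp lives in per-activation state linked to the
// previous activation, so the GC can root every live native call's args.
struct ActivationStateEngine {
    struct Activation;
    Activation* top = nullptr;
    struct Activation {
        ActivationStateEngine& e;
        ArgVec* nativeVp;
        Activation* prev;
        Activation(ActivationStateEngine& e, ArgVec* vp)
            : e(e), nativeVp(vp), prev(e.top) { e.top = this; }
        ~Activation() { e.top = prev; }          // pop: restores the outer state
    };
    RootList roots() const {
        RootList r;
        for (Activation* a = top; a; a = a->prev) r.push_back(a->nativeVp);
        return r;
    }
};

// An outer native call is in progress when the interpreter is re-entered and
// a nested native call runs; a GC happens while both are live. Returns
// whether the outer call's argument survived (it must, since the outer
// native still uses it after the inner call returns).
template <typename Engine>
bool outerArgsSurviveNestedGc(Engine& eng) {
    Heap heap;
    ArgVec outerArgs{heap.alloc()};
    ArgVec innerArgs{heap.alloc()};
    typename Engine::Activation outer(eng, &outerArgs);
    {
        typename Engine::Activation inner(eng, &innerArgs);   // re-entry
        heap.collect(eng.roots());
    }
    heap.collect(eng.roots());   // inner returned, outer still running
    return !outerArgs[0]->freed;
}

bool contextSlotDesignSurvives() { ContextSlotEngine e; return outerArgsSurviveNestedGc(e); }
bool activationStateDesignSurvives() { ActivationStateEngine e; return outerArgsSurviveNestedGc(e); }

int main() {
    std::printf("nativeVp on context:            outer args %s\n",
                contextSlotDesignSurvives() ? "rooted" : "FREED (GC hazard)");
    std::printf("nativeVp in per-activation state: outer args %s\n",
                activationStateDesignSurvives() ? "rooted" : "FREED (GC hazard)");
    return 0;
}
```

The model shows the failure at the first collection: with the slot on the context, the inner activation has already replaced the outer call's argument vector, so the outer arguments are swept while the outer native is still going to use them. Chaining per-activation state lets the collector walk every live activation, which is the property the fix restores.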
Attachment #399034 - Attachment is obsolete: true
Attachment #399034 - Flags: approval1.9.1.4?
Attachment #399641 - Flags: review?(mrbkap)
Attachment #399641 - Flags: review?(mrbkap) → review+
Whiteboard: fixed-in-tracemonkey
Attachment #399641 - Flags: approval1.9.1.4?
tracking-fennec: ? → 1.0+
Busted trace tests, gczeal is not defined in opt build. Fixing.
http://hg.mozilla.org/tracemonkey/rev/dad8ab8cb1dd should have fixed it, back in a bit to confirm.
Thanks graydon.
We'll switch this to blocking the next specific 1.9.1.x after it lands on trunk and 1.9.2 successfully.
blocking1.9.1: ? → needed
Whiteboard: fixed-in-tracemonkey → fixed-in-tracemonkey [sg:critical]
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED
Attachment #399641 - Flags: approval1.9.1.4? → approval1.9.1.5?
Priority: -- → P1
blocking1.9.1: needed → .5+
js/src/trace-test/tests/basic/testNativeArgsRooting.js
Flags: in-testsuite+
v 1.9.3, 1.9.2
Status: RESOLVED → VERIFIED
Keywords: verified1.9.2
Flags: wanted1.9.0.x-
Comment on attachment 399641 [details] [diff] [review] patch Approved for 1.9.1.5, a=dveditz for release-drivers
Attachment #399641 - Flags: approval1.9.1.5? → approval1.9.1.5+
andreas, this doesn't apply to 1.9.1, can you refresh it?
Looking.
I am going to have to drop parts of the patch that fix the problem for getters/setters (since that's not on 191). If we ever take the getters/setters patch on top of this patch, we will lose those changes, create a gc hazard, and shoot ourselves in the foot. Fair warning.
Actually 1.9.1 looks quite a bit different than what we tested with. I am not sure I am comfortable dropping this into a release based on my manual rebasing only.
Ok no wonder this doesn't work. 513981 is missing in between.
No longer blocks: 513981
Depends on: 513981
Ok on top of 513981 this looks manageable. Warning about getter/setter patch still applies. Patch in a sec.
Attached patch patch for 1.9.1 — Splinter Review
Attachment #410351 - Flags: review?(mrbkap)
Attachment #410351 - Flags: review?(mrbkap) → review+
Blake, could you land this for me?
Bob, can you verify this on the 1.9.1 nightly?
v 1.9.1, testcase in comment 0 does not assert on 1.9.1 mac debug shell.
Keywords: verified1.9.1
Group: core-security