TM: "Assertion failure: tm->reservedDoublePoolPtr > tm->reservedDoublePool, at ../jstracer.cpp"

Status: RESOLVED FIXED
Priority: P1
Severity: critical
Reported: 9 years ago
Modified: 6 years ago

People

(Reporter: gkw, Assigned: gal)

Tracking

Blocks: 1 bug
Keywords: assertion, regression, testcase
Version: Trunk
Platform: x86
OS: Mac OS X
Bug Flags: blocking1.9.2+, in-testsuite+

Firefox Tracking Flags

(blocking2.0 alpha1+, status1.9.2 beta3-fixed, status1.9.1 ?)

Details

(Whiteboard: fixed-in-tracemonkey)

Attachments

(1 attachment, 1 obsolete attachment)

patch (4.00 KB): jorendorff: review+
Description (Reporter, 9 years ago)
for each(let c in [1.3]) {
    for (var x = 0; x < 4; ++x) {
        gczeal(2);
    }
}

asserts js debug shell on TM tip with -j at Assertion failure: tm->reservedDoublePoolPtr > tm->reservedDoublePool, at ../jstracer.cpp:2050

Setting security-sensitive because it involves gczeal. autoBisect shows it is probably related to bug 463238:

The first bad revision is:
changeset:   26344:1c6be1c210b9
user:        Andreas Gal
date:        Fri Mar 20 18:52:11 2009 -0700
summary:     Support calling arbitrary JSFastNatives from trace (463238, r=brendan).
Flags: blocking1.9.2?
Updated (Reporter, 9 years ago)
blocking2.0: --- → ?
status1.9.1: --- → ?
Updated (Assignee, 9 years ago)
Assignee: general → gal
Blocking 1.9.2+, P1, per Gal.
Assignee: gal → general
Flags: blocking1.9.2? → blocking1.9.2+
Priority: -- → P1
Updated (Assignee, 9 years ago)
Assignee: general → gal
Comment 2 (Assignee, 9 years ago)
Created attachment 401560 [details] [diff] [review]
patch
Comment 3 (Reporter, 9 years ago)
gal - set-a-reviewer-ping?

Updated (9 years ago)
Attachment #401560 - Flags: review?(jorendorff)

Comment 4 (9 years ago)
jorendorff, this needs a review

Comment on attachment 401560 [details] [diff] [review]
patch

OK, so -- I can see why this causes the test not to crash.

But fundamentally all gcZeal does is cause GC to happen for sure *at times when it could happen anyway*.

It's like the bug is, buying milk always gets us arrested if there's a cop in the minimart. And this patch says, "ok, so if there's a cop, we'll walk away."

We no longer have any deep aborts in jsgc.cpp. This indicates to me that we don't think there's anything wrong with buying milk. So I want to know why we're getting arrested.
Attachment #401560 - Flags: review?(jorendorff) → review-
Comment 6 (Assignee, 9 years ago)
I didn't set a review flag because I am not confident the patch does the right thing. I will confer with jorendorff. Update in a bit.
Comment 7 (Assignee, 9 years ago)
Created attachment 404932 [details] [diff] [review]
patch
Attachment #401560 - Attachment is obsolete: true
Updated (Assignee, 9 years ago)
Attachment #404932 - Flags: review?(jorendorff)
Comment 8 (Assignee, 9 years ago)
gcthingss -> gcthings, fixed

Comment on attachment 404932 [details] [diff] [review]
patch

>+    }
>+    /* Keep reserved objects. */

Blank line between these two.

Otherwise it looks good. r=me.
Attachment #404932 - Flags: review?(jorendorff) → review+
Comment 10 (Assignee, 9 years ago)
This is probably very hard to exploit.

http://hg.mozilla.org/tracemonkey/rev/112a84b7e687
Whiteboard: fixed-in-tracemonkey

Comment 11 (9 years ago)
http://hg.mozilla.org/mozilla-central/rev/112a84b7e687
Status: NEW → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → FIXED
Comment 12 (Reporter, 9 years ago)

There was a followup on tracemonkey apparently.

http://hg.mozilla.org/tracemonkey/rev/39c7a00d0989

Updated (9 years ago)
Depends on: 521218

Updated (9 years ago)
Duplicate of this bug: 521218
Marking the 14 bugs that are both:
 * nominated for blocking1.9.3:?
 * fixed on the 1.9.2 branch (according to status1.9.2)
as blocking1.9.3:alpha1, so that we don't have to go through the nominations individually.  They're all fixed already (so there's no work to do), and being fixed on 1.9.2 means they probably do block 1.9.3.
blocking2.0: ? → alpha1
Group: core-security
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+