Closed Bug 605011 Opened 14 years ago Closed 14 years ago

"Assertion failure: JS_CHECK_STACK_SIZE(cx->stackLimit, &stackDummy),"

Tracking

()

Status:

RESOLVED FIXED

Tracking Flags:

Tracking

Status

blocking2.0

---

beta8+

People

(Reporter: gkw, Assigned: gwagner)

References

Details

(Keywords: assertion, regression, testcase, Whiteboard: [sg:nse (bogus assertion)?] fixed-in-tracemonkey)

Attachments

(1 file, 1 obsolete file)

patch 14 years ago Gregor Wagner [:gwagner] 930 bytes, patch	igor : review+	Details \| Diff \| Splinter Review
patch 14 years ago Gregor Wagner [:gwagner] 968 bytes, patch	igor : review+	Details \| Diff \| Splinter Review

Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)

Reporter

Description

•

14 years ago

function g(x, n) {
  for (var i = 0; i < n; ++i) {
    x = {
      a: x
    };
  }
  return x;
}
d = g(0, 672);
(function() {
  gczeal(2)(uneval(this))
})()

asserts js debug shell on TM changeset 47a8311cf0bb without -m or -j at Assertion failure: JS_CHECK_STACK_SIZE(cx->stackLimit, &stackDummy),

Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)

Reporter

Comment 1

•

14 years ago

Also, locking s-s due to presence of gczeal in testcase.

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   54771:fd4510c77054
user:        Gregor Wagner
date:        Tue Oct 05 10:09:50 2010 -0700
summary:     Bug 600310 - TM: don't perform GC outside of stack quota r=igor

Blocks: 600310

Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)

Reporter

Updated

•

14 years ago

Group: core-security

Robert Sayre

Updated

•

14 years ago

blocking2.0: ? → beta8+

David Anderson [:dvander] - inactive, e-mail if emergency

Comment 2

•

14 years ago

This is the same as seen in bug 600139, an edge case where the assert is guaranteed to hit. Throwing an over-recursed error can cause a GC, and while you're overrecursed, you're probably beyond the stack limit.

I don't know whether it's a security issue or not though.

Igor Bukanov

Comment 3

•

14 years ago

I think we should replace the assert from the bug 600139, with one that alows for few more kilobytes of the stack space. That is, the functions that sets the stack limit should make it slightly smaller so the GC will have an extra room after the error.

Gregor, do you have time to patch this?

Gregor Wagner [:gwagner]

Assignee

Updated

•

14 years ago

Assignee: general → anygregor

Gregor Wagner [:gwagner]

Assignee

Comment 4

•

14 years ago

Attached patch patch (obsolete) — Details — Splinter Review

This patch adds 4k to the stackLimit.
Another possibility would be to check if we are already in an over-recursion error.

Attachment #484378 - Flags: review?(igor)

Jesse Ruderman

Updated

•

14 years ago

OS: Mac OS X → Windows 7

Whiteboard: [sg:nse (bogus assertion)?]

Igor Bukanov

Updated

•

14 years ago

Attachment #484378 - Flags: review?(igor) → review+

Gregor Wagner [:gwagner]

Assignee

Comment 5

•

14 years ago

Attached patch patch — Details — Splinter Review

It seems cx->stackLimit is not always set (jsapi-tests).

Attachment #484378 - Attachment is obsolete: true

Attachment #484423 - Flags: review?(igor)

Igor Bukanov

Comment 6

•

14 years ago

Comment on attachment 484423 [details] [diff] [review]
patch

>diff -r 5bca7c8bd4c8 js/src/jsgc.cpp
>--- a/js/src/jsgc.cpp	Tue Oct 19 11:39:55 2010 -0700
>+++ b/js/src/jsgc.cpp	Tue Oct 19 12:49:16 2010 -0700
>@@ -2558,17 +2558,22 @@ js_GC(JSContext *cx, JSGCInvocationKind 
>      */
>     if (rt->state != JSRTS_UP && gckind != GC_LAST_CONTEXT)
>         return;
> 
>     RecordNativeStackTopForGC(cx);
> 
> #ifdef DEBUG
>     int stackDummy;
>-    JS_ASSERT(JS_CHECK_STACK_SIZE(cx->stackLimit, &stackDummy));
>+/* +-4k because it is possible to perform a GC during an overrecursion report. */
>+# if JS_STACK_GROWTH_DIRECTION > 0
>+    JS_ASSERT_IF(cx->stackLimit, JS_CHECK_STACK_SIZE(cx->stackLimit + 4096, &stackDummy));

For upward growing stacks cx->stackLimit is jsuword(-1) by default, the max value. r+ with that fixed.

Attachment #484423 - Flags: review?(igor) → review+

Gregor Wagner [:gwagner]

Assignee

Comment 7

•

14 years ago

http://hg.mozilla.org/tracemonkey/rev/0bb000635fbd

Whiteboard: [sg:nse (bogus assertion)?] → [sg:nse (bogus assertion)?] fixed-in-tracemonkey

Igor Bukanov

Comment 8

•

14 years ago

(In reply to comment #7)
> http://hg.mozilla.org/tracemonkey/rev/0bb000635fbd

I was not clear in the comment 5. The suggestion was to change the assert into:

JS_ASSERT_IF(cx->stackLimit != jsuword(-1), JS_CHECK_STACK_SIZE(cx->stackLimit + 4096, &stackDummy));

Gregor Wagner [:gwagner]

Assignee

Comment 9

•

14 years ago

Yeah that makes more sense. Thx!
http://hg.mozilla.org/tracemonkey/rev/0ae037c29ab0

Robert Sayre

Comment 10

•

14 years ago

http://hg.mozilla.org/mozilla-central/rev/0ae037c29ab0

Status: NEW → RESOLVED

Closed: 14 years ago

Resolution: --- → FIXED

Daniel Veditz [:dveditz]

Updated

•

14 years ago

Group: core-security

Christian Holler (:decoder)

Comment 11

•

11 years ago

Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/efaf8960a929

Flags: in-testsuite+

You need to log in before you can comment on or make changes to this bug.