Closed
Bug 731181
Opened 14 years ago
Closed 14 years ago
Assertion failure: cx->runtime->gcNumber == gcNumberBefore, at js/src/vm/RegExpObject.cpp:655
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
mozilla13
| Tracking | Status | |
|---|---|---|
| firefox12 | --- | unaffected |
| firefox13 | --- | fixed |
| firefox-esr10 | --- | unaffected |
| status1.9.2 | --- | unaffected |
People
(Reporter: decoder, Assigned: luke)
References
Details
(Keywords: assertion, regression, testcase, Whiteboard: [sg:critical] js-triage-done [advisory-tracking+])
Attachments
(2 files)
|
2.07 KB,
application/x-compressed-tar
|
Details | |
|
1.62 KB,
patch
|
billm
:
review+
|
Details | Diff | Splinter Review |
The attached test asserts on mozilla-central revision 2dc40eb83023 (see README for running instructions).
The test does not crash when stepping through the assert, but trips other dangerous assertions:
Program received signal SIGABRT, Aborted.
Assertion failure: mutationCount == p.mutationCount, at ./dist/include/js/HashTable.h:688
Program received signal SIGABRT, Aborted.
Assertion failure: !p.found(), at ./dist/include/js/HashTable.h:690
I assume it's some form of memory corruption (test is also fragile). S-s for that.
|
Assignee | |
Comment 1•14 years ago
|
||
Mmm fuzzing + strong assertions. I thought I had verified that RegExpShared::compile didn't do any GC-thing allocation but I must have been looking at RegExpCode::compile b/c RegExpShare::compile clearly allocates an atom.
Assignee: general → luke
Whiteboard: js-triage-needed → js-triage-done
|
|
Assignee | |
Comment 2•14 years ago
|
||
There is a pretty simple reproducible test case:
gczeal(2,1);
/a/y.exec('a')
The '1' arg tells GC to start GC'ing on every allocation immediately (instead of waiting for a while). Perhaps the fuzzers could be souped up to use this?
|
|
Assignee | |
Comment 3•14 years ago
|
||
Remove those filthy lies.
Attachment #601412 -
Flags: review?(wmccloskey)
Comment on attachment 601412 [details] [diff] [review]
patch
Yeah, this just looks better all around.
Attachment #601412 -
Flags: review?(wmccloskey) → review+
|
||
Comment 5•14 years ago
|
||
jsfunfuzz should generate gczeal(2, 1) fairly often. (How is that different from gczeal(2))?
|
|
Assignee | |
Comment 6•14 years ago
|
||
Target Milestone: --- → mozilla13
|
|
||
Comment 7•14 years ago
|
||
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
|
|
||
Updated•14 years ago
|
status-firefox13:
--- → fixed
|
||
Comment 8•14 years ago
|
||
I assume GC things can be exploited (e.g. the Pwn2Own bug). Since this is a regression from bug 724748 we don't need it anywhere other than Fx13
Blocks: 724748
Group: core-security
status1.9.2:
--- → unaffected
status-firefox-esr10:
--- → unaffected
status-firefox12:
--- → unaffected
Keywords: regression
Whiteboard: js-triage-done → [sg:critical] js-triage-done
|
Reporter | |
Updated•14 years ago
|
Status: RESOLVED → VERIFIED
|
||
Updated•13 years ago
|
Whiteboard: [sg:critical] js-triage-done → [sg:critical] js-triage-done [advisory-tracking+]
|
|
Reporter | |
Comment 9•13 years ago
|
||
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/testBug731181.js.
Flags: in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•