Created attachment 601259 [details] Test case for shell (see README file inside). The attached test asserts on mozilla-central revision 2dc40eb83023 (see README for running instructions). The test does not crash when stepping through the assert, but trips other dangerous assertions: Program received signal SIGABRT, Aborted. Assertion failure: mutationCount == p.mutationCount, at ./dist/include/js/HashTable.h:688 Program received signal SIGABRT, Aborted. Assertion failure: !p.found(), at ./dist/include/js/HashTable.h:690 I assume it's some form of memory corruption (test is also fragile). S-s for that.
Mmm fuzzing + strong assertions. I thought I had verified that RegExpShared::compile didn't do any GC-thing allocation but I must have been looking at RegExpCode::compile b/c RegExpShare::compile clearly allocates an atom.
There is a pretty simple reproducible test case: gczeal(2,1); /a/y.exec('a') The '1' arg tells GC to start GC'ing on every allocation immediately (instead of waiting for a while). Perhaps the fuzzers could be souped up to use this?
Created attachment 601412 [details] [diff] [review] patch Remove those filthy lies.
Comment on attachment 601412 [details] [diff] [review] patch Yeah, this just looks better all around.
jsfunfuzz should generate gczeal(2, 1) fairly often. (How is that different from gczeal(2))?
I assume GC things can be exploited (e.g. the Pwn2Own bug). Since this is a regression from bug 724748 we don't need it anywhere other than Fx13
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/testBug731181.js.