Closed
Bug 736807
Opened 12 years ago
Closed 12 years ago
"Assertion failure: addr % Cell::CellSize == 0" with exception crossing compartment boundary
Categories
(Core :: JavaScript Engine, defect)
Tracking
Status: VERIFIED FIXED
Target Milestone: mozilla14
Tracking | Status | |
---|---|---|
firefox13 | --- | unaffected |
firefox14 | --- | fixed |
firefox-esr10 | --- | unaffected |
People
(Reporter: jruderman, Assigned: luke)
References
Details
(Keywords: assertion, regression, testcase, Whiteboard: [advisory-tracking-])
Attachments
(2 files)
7.67 KB, text/plain
1.86 KB, patch (bholley: review+)
function f() {
    try {
        evalcx("x", newGlobal('new-compartment'))
    } catch(e) {
        assertEq("" + e, "ReferenceError: x is not defined");
    }
}
gczeal(2,1,true);
f(function(){}, {}, {});

Assertion failure: addr % Cell::CellSize == 0, at js/src/jsgc.h:861

The first bad revision is:
changeset: 1d61262c243c
user: Bobby Holley
date: Thu Mar 15 15:19:52 2012 -0700
summary: Bug 735544 - Allow exception stacks to cross compartment boundaries. r=luke
Comment 1•12 years ago (Reporter)
This bug can also cause other assertion failures or crashes during GC.
Comment 2•12 years ago (Assignee)
Blarg, s/Vector<Values>/AutoValueVector/. Patch in a second.
Comment 3•12 years ago (Assignee)
Attachment #607212 - Flags: review?(bobbyholley+bmo)
Updated•12 years ago
Attachment #607212 - Flags: review?(bobbyholley+bmo) → review+
Comment 4•12 years ago (Assignee)
https://hg.mozilla.org/mozilla-central/rev/fc8534cfca3d
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla14
Comment 5•12 years ago (Assignee)
and because gczeal is only defined in debug builds: https://hg.mozilla.org/mozilla-central/rev/8414a5a38e56
Comment 6•12 years ago
JSBugMon: This bug has been automatically verified fixed.
Updated•12 years ago
Status: RESOLVED → VERIFIED
Updated•12 years ago
status-firefox-esr10: --- → unaffected
Comment 7•12 years ago
Is this just a leak, or a potential security problem we'd want the fix for in mozilla 13?
Updated•12 years ago
status-firefox13: --- → affected
status-firefox14: --- → fixed
Updated•12 years ago
Whiteboard: [advisory-tracking+]
Comment 8•12 years ago
I must have misread the regressing bug. If this is really a regression from bug 735544 then Firefox 13 should not be affected.
Updated•12 years ago
Group: core-security
Comment 9•11 years ago
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/testBug736807.js.
Flags: in-testsuite+