Closed Bug 736807 Opened 8 years ago Closed 8 years ago

"Assertion failure: addr % Cell::CellSize == 0" with exception crossing compartment boundary

Categories

(Core :: JavaScript Engine, defect, critical)
x86_64
macOS

Tracking


VERIFIED FIXED
mozilla14
Tracking Status
firefox13 --- unaffected
firefox14 --- fixed
firefox-esr10 --- unaffected

People

(Reporter: jruderman, Assigned: luke)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [advisory-tracking-])

Attachments

(2 files)

Attached file: stack trace

// Testcase for the SpiderMonkey JS shell: evalcx, newGlobal, gczeal and
// assertEq are shell builtins, not standard JavaScript.
function f()
{
    try {
        // Evaluate "x" inside a fresh global that lives in its own
        // compartment. x is unbound there, so a ReferenceError is thrown
        // and propagates back across the compartment boundary into this one.
        evalcx("x", newGlobal('new-compartment'))
    } catch(e) {
        assertEq("" + e, "ReferenceError: x is not defined");
    }
}
// Zeal mode 2 with frequency 1: force a GC at every allocation, so any
// GC thing held without a root across the throw is collected underneath us.
gczeal(2,1,true);
// The extra arguments are unused by f.
f(function(){}, {}, {});

Assertion failure: addr % Cell::CellSize == 0, at js/src/jsgc.h:861

The first bad revision is:
changeset:   1d61262c243c
user:        Bobby Holley
date:        Thu Mar 15 15:19:52 2012 -0700
summary:     Bug 735544 - Allow exception stacks to cross compartment boundaries. r=luke

This bug can also cause other assertion failures or crashes during GC.
Blarg, s/Vector<Values>/AutoValueVector/.  Patch in a second.

Attached patch: fix and test
Attachment #607212 - Flags: review?(bobbyholley+bmo)
Attachment #607212 - Flags: review?(bobbyholley+bmo) → review+

https://hg.mozilla.org/mozilla-central/rev/fc8534cfca3d
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla14

and because gczeal is only defined in debug builds:
https://hg.mozilla.org/mozilla-central/rev/8414a5a38e56

JSBugMon: This bug has been automatically verified fixed.
Status: RESOLVED → VERIFIED

Is this just a leak, or a potential security problem we'd want the fix for in mozilla 13?
Whiteboard: [advisory-tracking+]

I must have misread the regressing bug. If this is really a regression from bug 735544 then Firefox 13 should not be affected.
Assignee: general → luke
Keywords: regression
Whiteboard: [advisory-tracking+] → [advisory-tracking-]
Group: core-security

A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/testBug736807.js.
Flags: in-testsuite+