Closed Bug 750449 Opened 12 years ago Closed 12 years ago

[ESR] "Assertion failure: !comp->rt->gcRunning," using jsdbg2 features

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Version:
10 Branch
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED DUPLICATE of bug 684575
Tracking Flags:
Tracking Status
firefox13 --- affected
firefox14 --- fixed
firefox-esr10 --- wontfix

People

(Reporter: gkw, Unassigned)

References

Details

(Keywords: assertion, regression, testcase, Whiteboard: [advisory-tracking-])

Attachments

(1 file)

stack
6.92 KB, text/plain
Details
Attached file stack 
Debugger(evalcx(''));
gc(<x/>)

asserts js debug shell on mozilla-esr10 changeset 7d395fbcb557 without any CLI arguments at Assertion failure: !comp->rt->gcRunning,

s-s because gc is involved, just-in-case this is security-sensitive.

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   76348:de4425a74643
user:        Igor Bukanov
date:        Tue Aug 09 10:51:59 2011 +0200
summary:     bug 674251 - making JSScript a GC-thing. r=jorendorff,bhackett1024

but fixed on m-c by:

The first good revision is:
changeset:   87140:2a8ceeb27f7c
user:        Bill McCloskey
date:        Fri Feb 17 14:35:20 2012 -0800
summary:     Bug 641025 - Incremental GC (r=igor,smaug,roc,cdleary,gregor)
status-firefox-esr10: --- → affected
status-firefox13: --- → fixed
Version: Trunk → 10 Branch
None of those functions exist in client release builds, but evalcx and gc can be approximated. What about Debugger? is that crucial to the brokenness or just one of potentially many things that could create the conditions for this bug?

In other words, is this really an sg:critical client bug or just an interesting shell issue?
There are many bugs with Debugger on ESR, most of those are related to the jsdbg2 API and not relevant for content.
If the fix is "land incremental GC" I can't see that ever happening. If the problem is strictly in jsdbg2 I'd feel better about wontfixing this.
Depends on: IncrementalGC
Also, if the problem is only reachable through the debugger APIs then it's more of a sec-moderate than sec-critical.
tracking-firefox-esr10: --- → ?
This is a duplicate of bug 684575. Note that bug 684575 comment 6 says incremental GC probably fixes this; but that bug is not closed yet.
Keywords: sec-criticalsec-moderate
Whiteboard: [sg:critical] js-triage-needed → [sg:moderate][sg:dupe 684575]
Status: NEW → RESOLVED
Closed: 12 years ago
status-firefox-esr10: affectedwontfix
tracking-firefox-esr10: ? → ---
Resolution: --- → DUPLICATE
Summary: [ESR] "Assertion failure: !comp->rt->gcRunning," → [ESR] "Assertion failure: !comp->rt->gcRunning," using jsdbg2 features
Whiteboard: [sg:moderate][sg:dupe 684575] → [sg:moderate][sg:dupe 684575][advisory-tracking-]
Group: core-security
Clearing security flags since we usually don't treat jsdbg2 issues as security bugs.
Keywords: sec-moderate
Whiteboard: [sg:moderate][sg:dupe 684575][advisory-tracking-] → [advisory-tracking-]
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: