Closed
Bug 754150
Opened 11 years ago
Closed 11 years ago
Assertion failure: IsMarkedOrAllocated(static_cast<Cell *>(thing)), at js/src/jsgc.cpp:4399
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
mozilla15
| Tracking | Status | |
|---|---|---|
| firefox13 | --- | unaffected |
| firefox14 | + | affected |
| firefox15 | --- | fixed |
| firefox-esr10 | --- | unaffected |
People
(Reporter: decoder, Assigned: billm)
Details
(Keywords: assertion, sec-critical, testcase, Whiteboard: [sg:critical][advisory-tracking+])
Attachments
(1 file)
|
2.98 KB,
patch
|
bhackett1024
:
review+
|
Details | Diff | Splinter Review |
The following test asserts on mozilla-central revision 4c6d01c92dcc (options -m -n):
function printStatus (msg) {}
function toPrinted(value) {
value = value.replace(/\\n/g, 'NL')
}
function reportCompare (expected, actual, description) {
printStatus ("Expected value '" + toPrinted(expected) + "' matched actual value '" + toPrinted(actual) + "'");
}
var UBound = 0;
var statusitems = [];
var actual = '';
var actualvalues = [];
var expect= '';
var expectedvalues = [];
testThis('x()');
testThis('"abc"()');
testThis('x()');
testThis('Date(12345)()');
testThis('x()');
testThis('1()');
testThis('x()');
testThis('void(0)()');
testThis('x()');
testThis('[1,2,3,4,5](1)');
gczeal(4);
testThis('x(1)');
checkThis('(function (y) {return y+1;})("abc")');
checkThis('f("abc")');
function testThis(sInvalidSyntax) {
expectedvalues[UBound] = expect;
actualvalues[UBound] = actual;
UBound++;
}
function checkThis(sValidSyntax) {
for (var i=0; i<UBound; i++)
reportCompare(expectedvalues[i], actualvalues[i], statusitems[i]);
}
var actualvalues = [];
for (var i=0; i<UBound; i++)
reportCompare(expectedvalues[i], actualvalues[i], statusitems[i]);
Might be another verifier (debug-only) bug, but I'm marking s-s until this is confirmed.
|
Assignee | |
Updated•11 years ago
|
Assignee: general → wmccloskey
|
|
Assignee | |
Comment 1•11 years ago
|
||
We need a write barrier on the objects held by a JITChunk, since the JITChunk can be destroyed during an incremental slice.
Attachment #623280 -
Flags: review?(bhackett1024)
|
||
Updated•11 years ago
|
Attachment #623280 -
Flags: review?(bhackett1024) → review+
|
Reporter | |
Comment 2•11 years ago
|
||
Can we land this now? The fuzzer is being spammed with these asserts and I don't even know for which of them this bug accounts. Also, given the description in comment 1, I assume this can lead to use-after-free of JITChunk? Or is this a save assert?
Whiteboard: [fuzzblocker]
|
|
Assignee | |
Comment 3•11 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/f36749114f76 Yes, during an incremental GC this can lead to use-after-free.
Target Milestone: --- → mozilla15
|
|
Reporter | |
Updated•11 years ago
|
Keywords: sec-critical
Whiteboard: [fuzzblocker] → [sg:critical]
|
||
Comment 4•11 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/f36749114f76
|
||
Comment 5•11 years ago
|
||
We should get this fix landed on Aurora unless we plan to disable incremental GC on that branch.
status-firefox-esr10:
--- → unaffected
status-firefox13:
--- → unaffected
status-firefox14:
--- → affected
tracking-firefox14:
--- → +
|
||
Comment 6•11 years ago
|
||
Incremental GC is disabled on Aurora (at least, prefed off).
|
|
Reporter | |
Comment 7•11 years ago
|
||
JSBugMon: This bug has been automatically verified fixed.
|
|
Reporter | |
Updated•11 years ago
|
Status: RESOLVED → VERIFIED
|
||
Updated•11 years ago
|
Whiteboard: [sg:critical] → [sg:critical][advisory-tracking+]
|
|
||
Updated•11 years ago
|
Group: core-security
|
|
Reporter | |
Comment 8•11 years ago
|
||
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug754150.js.
Flags: in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•