Closed
Bug 754150
Opened 11 years ago
Closed 11 years ago
Assertion failure: IsMarkedOrAllocated(static_cast<Cell *>(thing)), at js/src/jsgc.cpp:4399
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
mozilla15
Tracking | Status | |
---|---|---|
firefox13 | --- | unaffected |
firefox14 | + | affected |
firefox15 | --- | fixed |
firefox-esr10 | --- | unaffected |
People
(Reporter: decoder, Assigned: billm)
Details
(Keywords: assertion, sec-critical, testcase, Whiteboard: [sg:critical][advisory-tracking+])
Attachments
(1 file)
2.98 KB,
patch
|
bhackett1024
:
review+
|
Details | Diff | Splinter Review |
The following test asserts on mozilla-central revision 4c6d01c92dcc (options -m -n): function printStatus (msg) {} function toPrinted(value) { value = value.replace(/\\n/g, 'NL') } function reportCompare (expected, actual, description) { printStatus ("Expected value '" + toPrinted(expected) + "' matched actual value '" + toPrinted(actual) + "'"); } var UBound = 0; var statusitems = []; var actual = ''; var actualvalues = []; var expect= ''; var expectedvalues = []; testThis('x()'); testThis('"abc"()'); testThis('x()'); testThis('Date(12345)()'); testThis('x()'); testThis('1()'); testThis('x()'); testThis('void(0)()'); testThis('x()'); testThis('[1,2,3,4,5](1)'); gczeal(4); testThis('x(1)'); checkThis('(function (y) {return y+1;})("abc")'); checkThis('f("abc")'); function testThis(sInvalidSyntax) { expectedvalues[UBound] = expect; actualvalues[UBound] = actual; UBound++; } function checkThis(sValidSyntax) { for (var i=0; i<UBound; i++) reportCompare(expectedvalues[i], actualvalues[i], statusitems[i]); } var actualvalues = []; for (var i=0; i<UBound; i++) reportCompare(expectedvalues[i], actualvalues[i], statusitems[i]); Might be another verifier (debug-only) bug, but I'm marking s-s until this is confirmed.
Assignee | ||
Updated•11 years ago
|
Assignee: general → wmccloskey
Assignee | ||
Comment 1•11 years ago
|
||
We need a write barrier on the objects held by a JITChunk, since the JITChunk can be destroyed during an incremental slice.
Attachment #623280 -
Flags: review?(bhackett1024)
Updated•11 years ago
|
Attachment #623280 -
Flags: review?(bhackett1024) → review+
Reporter | ||
Comment 2•11 years ago
|
||
Can we land this now? The fuzzer is being spammed with these asserts and I don't even know for which of them this bug accounts. Also, given the description in comment 1, I assume this can lead to use-after-free of JITChunk? Or is this a save assert?
Whiteboard: [fuzzblocker]
Assignee | ||
Comment 3•11 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/f36749114f76 Yes, during an incremental GC this can lead to use-after-free.
Target Milestone: --- → mozilla15
Reporter | ||
Updated•11 years ago
|
Keywords: sec-critical
Whiteboard: [fuzzblocker] → [sg:critical]
Comment 4•11 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/f36749114f76
Comment 5•11 years ago
|
||
We should get this fix landed on Aurora unless we plan to disable incremental GC on that branch.
status-firefox-esr10:
--- → unaffected
status-firefox13:
--- → unaffected
status-firefox14:
--- → affected
tracking-firefox14:
--- → +
Comment 6•11 years ago
|
||
Incremental GC is disabled on Aurora (at least, prefed off).
Reporter | ||
Comment 7•11 years ago
|
||
JSBugMon: This bug has been automatically verified fixed.
Reporter | ||
Updated•11 years ago
|
Status: RESOLVED → VERIFIED
Updated•11 years ago
|
Whiteboard: [sg:critical] → [sg:critical][advisory-tracking+]
Updated•11 years ago
|
Group: core-security
Reporter | ||
Comment 8•11 years ago
|
||
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug754150.js.
Flags: in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•