Closed
Bug 754725
Opened 13 years ago
Closed 13 years ago
Assertion failure: (ptrBits & 0x7) == 0, at jsval.h:760 or Crash [@ compartment]
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
mozilla16
People
(Reporter: decoder, Assigned: billm)
Details
(5 keywords, Whiteboard: [js:p1:fx16][sg:critical][jsbugmon:verify-branch=mozilla-aurora;mozilla-beta;mozilla-release,ignore][advisory-tracking+])
Crash Data
Attachments
(1 file)
|
2.26 KB,
patch
|
bhackett1024
:
review+
lsblakk
:
approval-mozilla-aurora+
lsblakk
:
approval-mozilla-beta+
|
Details | Diff | Splinter Review |
The following test asserts/crashes on mozilla-central revision c758cc9b60e5 (options -m -n):
try {
function fun() {
(new fun (("10"))) ('function pf' + (((true) )[ fun ]) + '() {}');
}
fun();
} catch(exc1) {}
function eval() { eval( ) ; }
function DoWhile_3()
eval();
try {
DoWhile_3( ) ;
} catch(e) { }
function f()
test();
function test() {
try {
for (var i in f());
} catch ( foopy ) { }
gc();
}
test();
Backtrace in Opt build:
==7571== Invalid read of size 8
==7571== at 0x5781C1: void js::gc::MarkInternal<JSString>(JSTracer*, JSString**) (Heap.h:969)
==7571== by 0x5799BD: js::gc::MarkValueInternal(JSTracer*, JS::Value*) (Marking.cpp:329)
==7571== by 0x579BBE: js::gc::MarkValueRootRange(JSTracer*, unsigned long, JS::Value*, char const*) (Marking.cpp:369)
==7571== by 0x5384B1: js::StackSpace::mark(JSTracer*) (Stack.cpp:527)
==7571== by 0x4567DD: _ZN2jsL11MarkRuntimeEP8JSTracerb.clone.246 (jsgc.cpp:2325)
==7571== by 0x456D37: BeginMarkPhase(JSRuntime*) (jsgc.cpp:2975)
==7571== by 0x45A210: GCCycle(JSRuntime*, bool, long, js::JSGCInvocationKind) (jsgc.cpp:3271)
==7571== by 0x45B38F: Collect(JSRuntime*, bool, long, js::JSGCInvocationKind, js::gcreason::Reason) (jsgc.cpp:3719)
==7571== by 0x56C80C: GC(JSContext*, unsigned int, JS::Value*) (TestingFunctions.cpp:52)
==7571== by 0x47E337: js::InvokeKernel(JSContext*, js::CallArgs, js::MaybeConstruct) (jscntxtinlines.h:426)
==7571== by 0x47A234: js::Interpret(JSContext*, js::StackFrame*, js::InterpMode) (jsinterp.cpp:2744)
==7571== by 0x5F9DDD: UncachedInlineCall(js::VMFrame&, js::InitialFrameFlags, void**, bool*, unsigned int) (InvokeHelpers.cpp:376)
==7571== Address 0xe3000 is not stack'd, malloc'd or (recently) free'd
Assuming s-s and sec-critical due to GC related crash. Furthermore, this crash affects mozilla-aurora and mozilla-beta as well.
|
Assignee | |
Updated•13 years ago
|
Assignee: general → wmccloskey
|
Reporter | |
Comment 1•13 years ago
|
||
Just testing some new JSBugMon functionality here.
Whiteboard: [sg:critical] js-triage-needed → [sg:critical] js-triage-needed [jsbugmon:verify-branch:mozilla-aurora,mozilla-beta,mozilla-release]
|
|
Reporter | |
Comment 2•13 years ago
|
||
Should probably learn my own syntax...
Whiteboard: [sg:critical] js-triage-needed [jsbugmon:verify-branch:mozilla-aurora,mozilla-beta,mozilla-release] → [sg:critical] js-triage-needed [jsbugmon:verify-branch=mozilla-aurora;mozilla-beta;mozilla-release]
|
|
Reporter | |
Comment 3•13 years ago
|
||
JSBugMon: This bug has been automatically confirmed to be still valid on branch mozilla-aurora (reproduced on revision 56d137349efc).
JSBugMon: This bug has been automatically confirmed to be still valid on branch mozilla-beta (reproduced on revision 0540130b5f2f).
JSBugMon: The testcase found in this bug does not reproduce on branch mozilla-release (tried revision 5bcfa0da3be9).
|
|
Reporter | |
Updated•13 years ago
|
Crash Signature: [@ js::gc::MarkInternal<JSString>]
[@ compartment] → [@ js::gc::MarkInternal<JSString>]
[@ compartment]
Whiteboard: [sg:critical] js-triage-needed [jsbugmon:verify-branch=mozilla-aurora;mozilla-beta;mozilla-release] → [sg:critical] js-triage-needed [jsbugmon:verify-branch=mozilla-aurora;mozilla-beta;mozilla-release,ignore]
|
||
Updated•13 years ago
|
Crash Signature: [@ js::gc::MarkInternal<JSString>]
[@ compartment] → [@ js::gc::MarkInternal<JSString>]
[@ compartment]
|
||
Updated•13 years ago
|
Whiteboard: [sg:critical] js-triage-needed [jsbugmon:verify-branch=mozilla-aurora;mozilla-beta;mozilla-release,ignore] → [sg:critical][jsbugmon:verify-branch=mozilla-aurora;mozilla-beta;mozilla-release,ignore][js:p1:fx15]]
|
||
Comment 4•13 years ago
|
||
Moving this back a cycle--IGC takes priority.
Whiteboard: [sg:critical][jsbugmon:verify-branch=mozilla-aurora;mozilla-beta;mozilla-release,ignore][js:p1:fx15]] → [js:p1:fx16][sg:critical][jsbugmon:verify-branch=mozilla-aurora;mozilla-beta;mozilla-release,ignore]
|
|
Assignee | |
Comment 5•13 years ago
|
||
In this test, we have a dead value on the VM stack. It contains garbage--in this case, the tag makes it look like a NullValue, but the low bits are nonzero so that isNull() is false. We do one GC and avoid marking the value because it's dead. However, we don't overwrite it with anything because it's not an object or a string. Later, we do a second GC and try to mark it. isGCThing() returns true because something with a NULL tag counts as a GC thing. But then when we convert it to a Cell and try to mark it, we crash.
The fix is to normalize the low bits of the value while still leaving the tag unaffected.
Attachment #632965 -
Flags: review?(bhackett1024)
|
||
Updated•13 years ago
|
Attachment #632965 -
Flags: review?(bhackett1024) → review+
|
|
Assignee | |
Comment 6•13 years ago
|
||
Target Milestone: --- → mozilla16
|
||
Comment 7•13 years ago
|
||
|
||
Comment 8•13 years ago
|
||
Am I interpreting comment 3 correctly that this is a regression in Firefox 13, and therefore doesn't affect the ESR branch? Although if we don't know the cause of the regression we might still need it if it was due to a security fix taken on that branch.
qawanted: please find when this bug crept in.
tracking-firefox13:
+ → ---
|
|
Assignee | |
Comment 9•13 years ago
|
||
Comment on attachment 632965 [details] [diff] [review]
patch
[Approval Request Comment]
Bug caused by (feature/regressing bug #): Bug 723313
User impact if declined: Low likelihood of GC crashes, exploits.
Testing completed (on m-c, etc.): On m-c.
Risk to taking this patch (and alternatives if risky): Low. Semantics should be unchanged except when the bug happens.
String or UUID changes made by this patch: None
Regarding ESR, there's no need to take this. It regressed in FF13.
Attachment #632965 -
Flags: approval-mozilla-beta?
Attachment #632965 -
Flags: approval-mozilla-aurora?
|
||
Comment 10•13 years ago
|
||
(removing keywords because bug 723313 has been identified as the regressor)
Keywords: qawanted,
regressionwindow-wanted
|
||
Comment 11•13 years ago
|
||
Comment on attachment 632965 [details] [diff] [review]
patch
low risk, sec critical - approving.
Attachment #632965 -
Flags: approval-mozilla-beta?
Attachment #632965 -
Flags: approval-mozilla-beta+
Attachment #632965 -
Flags: approval-mozilla-aurora?
Attachment #632965 -
Flags: approval-mozilla-aurora+
|
|
Assignee | |
Comment 12•13 years ago
|
||
|
|
Reporter | |
Comment 13•13 years ago
|
||
JSBugMon: This bug has been automatically verified fixed.
|
|
Reporter | |
Updated•13 years ago
|
Status: RESOLVED → VERIFIED
Crash Signature: [@ js::gc::MarkInternal<JSString>]
[@ compartment] → [@ js::gc::MarkInternal<JSString>]
[@ compartment]
|
|
||
Updated•13 years ago
|
Crash Signature: [@ js::gc::MarkInternal<JSString>]
[@ compartment] → [@ js::gc::MarkInternal<JSString>]
[@ compartment]
status-firefox-esr10:
--- → unaffected
|
||
Updated•13 years ago
|
Whiteboard: [js:p1:fx16][sg:critical][jsbugmon:verify-branch=mozilla-aurora;mozilla-beta;mozilla-release,ignore] → [js:p1:fx16][sg:critical][jsbugmon:verify-branch=mozilla-aurora;mozilla-beta;mozilla-release,ignore][advisory-tracking+]
|
|
||
Updated•13 years ago
|
Group: core-security
|
|
Reporter | |
Comment 14•12 years ago
|
||
Test is too slow to be added and I did not succeed in rewriting, marking in-testsuite-.
Flags: in-testsuite-
You need to log in
before you can comment on or make changes to this bug.
Description
•