Closed Bug 783540 Opened 7 years ago Closed 7 years ago

Assertion failure: tag >= 0, at jsgc.cpp:2433 or Crash [@ js::gc::MarkInternal]

Categories

Core :: JavaScript Engine, defect, critical
Platform: x86 Linux
Priority: Not set
Severity: critical

Tracking

Status: VERIFIED FIXED
Target Milestone: mozilla17
Tracking Status
firefox16 --- unaffected
firefox17 --- verified
firefox-esr10 --- unaffected

People

(Reporter: decoder, Assigned: luke)

References

(Blocks 1 open bug)

Details

(5 keywords, Whiteboard: [jsbugmon:update,ignore][adv-track-main17-])

Attachments

(1 file)

The following test crashes on mozilla-central revision 1ecca798b1fb (options -m -n -a):

gczeal(2, 2)
var stringA = "abcdef";
var stringB = "ghijk";
var stringC = "zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz";
(stringA + stringB + stringC).replace('abc', 'AA')

Crash trace:

(Several errors before this that look similar)

==54999== Invalid read of size 4
==54999==    at 0x81F2FFF: void js::gc::MarkInternal<JSString>(JSTracer*, JSString**) (Heap.h:1010)
==54999==    by 0x81F4E3C: js::gc::MarkValueInternal(JSTracer*, JS::Value*) (Marking.cpp:365)
==54999==    by 0x81F50E7: js::gc::MarkValueRootRange(JSTracer*, unsigned int, JS::Value*, char const*) (Marking.cpp:421)
==54999==    by 0x80A642D: JS::AutoGCRooter::trace(JSTracer*) (jsgc.cpp:2435)
==54999==    by 0x80A6AC3: JS::AutoGCRooter::traceAll(JSTracer*) (jsgc.cpp:2442)
==54999==    by 0x80A9776: _ZN2jsL11MarkRuntimeEP8JSTracerb.clone.304 (jsgc.cpp:2491)
==54999==    by 0x80AE233: IncrementalCollectSlice(JSRuntime*, long long, js::gcreason::Reason, js::JSGCInvocationKind) (jsgc.cpp:3283)
==54999==    by 0x80AF2C9: GCCycle(JSRuntime*, bool, long long, js::JSGCInvocationKind, js::gcreason::Reason) (jsgc.cpp:4131)
==54999==    by 0x80B04C6: Collect(JSRuntime*, bool, long long, js::JSGCInvocationKind, js::gcreason::Reason) (jsgc.cpp:4239)
==54999==    by 0x80B0755: js::gc::RunDebugGC(JSContext*) (jsgc.cpp:4536)
==54999==    by 0x8132198: _ZN2js2gc10NewGCThingI13JSShortStringEEPT_P9JSContextNS0_9AllocKindEj.clone.337 (jsgcinlines.h:446)
==54999==    by 0x8134758: js_NewDependentString(JSContext*, JSString*, unsigned int, unsigned int) (jsgcinlines.h:520)
==54999==  Address 0x4c45c000 is not stack'd, malloc'd or (recently) free'd


Dangerous crash => s-s.
Attached patch: fix and test
STRINGVECTOR is just missing for the switch, it seems.
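An added illustration (not from the bug, the patch, or SpiderMonkey) of how a missing switch case in a tagged rooter's trace routine turns into the out-of-bounds read in the trace above. The tag encoding, struct fields and enum values below are assumptions modelled on the "tag >= 0" assertion and the MarkValueRootRange frame quoted in this bug.

```cpp
#include <string>
#include <vector>

// Assumed tag layout, modelled on the "tag >= 0" assertion and on the
// MarkValueRootRange(..., unsigned int, ...) frame in the trace above: a negative
// tag names a rooter kind, a non-negative tag is an array rooter's length.
// The enum values are constructed for this example, not SpiderMonkey's.
enum Tag : int { VALUEVECTOR = -1, STRINGVECTOR = -2 };

struct Rooter {
    int tag = 0;
    std::vector<std::string> strings;  // live when tag == STRINGVECTOR
    std::vector<int> values;           // live when tag == VALUEVECTOR
    const int* array = nullptr;        // live when tag >= 0 (tag is its length)
};

struct TraceResult {
    unsigned long long rootsMarked;    // roots the tracer would visit
    bool outOfBounds;                  // default branch reached with a negative tag
};

// The per-rooter switch. withFix == false models the defect: no STRINGVECTOR
// case, so the rooter lands in the array-rooter default, where a debug build
// trips "tag >= 0" and a release build casts the negative tag to a huge
// unsigned length and reads far past the rooter (the invalid read above).
TraceResult traceRooter(const Rooter& r, bool withFix) {
    switch (r.tag) {
      case VALUEVECTOR:
        return {r.values.size(), false};
      case STRINGVECTOR:
        if (withFix)                   // the case the patch adds
            return {r.strings.size(), false};
        // unpatched: behaves as if the case were absent, fall through
      default: {
        if (r.tag < 0) {               // debug: assert(tag >= 0) fires here
            unsigned wrapped = static_cast<unsigned>(r.tag);
            return {wrapped, true};    // release: would mark `wrapped` slots
        }
        unsigned long long n = 0;      // real array rooter: bounded walk
        for (int i = 0; i < r.tag; ++i) { (void)r.array[i]; ++n; }
        return {n, false};
      }
    }
}

// Constructed samples: the testcase's two short strings in a string vector,
// and a three-element array rooter for comparison.
static const int kRoots[3] = {1, 2, 3};
Rooter sampleStringVector() { Rooter r; r.tag = STRINGVECTOR; r.strings = {"abcdef", "ghijk"}; return r; }
Rooter sampleArrayRooter() { Rooter r; r.tag = 3; r.array = kRoots; return r; }
```

The unpatched path reports an out-of-bounds walk of 4294967294 slots for the string vector, while the patched path marks its two strings and the genuine array rooter still marks exactly three.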
Attachment #652781 - Flags: review?(bhackett1024)
Blocks: 772303
Attachment #652781 - Flags: review?(bhackett1024) → review+
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision f9a8fdb08193).
https://hg.mozilla.org/mozilla-central/rev/1baaa5534998
Assignee: general → luke
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla17
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:update,ignore][adv-track-main17-]
Flags: in-testsuite+
Keywords: sec-high
Group: core-security
Keywords: regression