Assertion failure: tag >= 0, at jsgc.cpp:2433 or Crash [@ js::gc::MarkInternal]

VERIFIED FIXED in Firefox 17

Status: VERIFIED FIXED
Product: Core
Component: JavaScript Engine
Priority: --
Severity: critical
Reported: 5 years ago
Modified: 5 years ago

People: Reporter: decoder, Assigned: luke

Tracking: Blocks: 1 bug, 5 keywords
Version: Trunk
Target Milestone: mozilla17
Hardware: x86
OS: Linux
Keywords: assertion, crash, regression, sec-high, testcase
Bug Flags: in-testsuite +
Firefox Tracking Flags: firefox16 unaffected, firefox17 verified, firefox-esr10 unaffected
Whiteboard: [jsbugmon:update,ignore][adv-track-main17-], crash signature
Attachments: 1 attachment

Description (Reporter, 5 years ago)
The following test crashes on mozilla-central revision 1ecca798b1fb (options -m -n -a):

gczeal(2, 2);
var stringA = "abcdef";
var stringB = "ghijk";
var stringC = "zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz";
(stringA + stringB + stringC).replace('abc', 'AA');

Crash trace:

(Several errors before this that look similar)

==54999== Invalid read of size 4
==54999==    at 0x81F2FFF: void js::gc::MarkInternal<JSString>(JSTracer*, JSString**) (Heap.h:1010)
==54999==    by 0x81F4E3C: js::gc::MarkValueInternal(JSTracer*, JS::Value*) (Marking.cpp:365)
==54999==    by 0x81F50E7: js::gc::MarkValueRootRange(JSTracer*, unsigned int, JS::Value*, char const*) (Marking.cpp:421)
==54999==    by 0x80A642D: JS::AutoGCRooter::trace(JSTracer*) (jsgc.cpp:2435)
==54999==    by 0x80A6AC3: JS::AutoGCRooter::traceAll(JSTracer*) (jsgc.cpp:2442)
==54999==    by 0x80A9776: _ZN2jsL11MarkRuntimeEP8JSTracerb.clone.304 (jsgc.cpp:2491)
==54999==    by 0x80AE233: IncrementalCollectSlice(JSRuntime*, long long, js::gcreason::Reason, js::JSGCInvocationKind) (jsgc.cpp:3283)
==54999==    by 0x80AF2C9: GCCycle(JSRuntime*, bool, long long, js::JSGCInvocationKind, js::gcreason::Reason) (jsgc.cpp:4131)
==54999==    by 0x80B04C6: Collect(JSRuntime*, bool, long long, js::JSGCInvocationKind, js::gcreason::Reason) (jsgc.cpp:4239)
==54999==    by 0x80B0755: js::gc::RunDebugGC(JSContext*) (jsgc.cpp:4536)
==54999==    by 0x8132198: _ZN2js2gc10NewGCThingI13JSShortStringEEPT_P9JSContextNS0_9AllocKindEj.clone.337 (jsgcinlines.h:446)
==54999==    by 0x8134758: js_NewDependentString(JSContext*, JSString*, unsigned int, unsigned int) (jsgcinlines.h:520)
==54999==  Address 0x4c45c000 is not stack'd, malloc'd or (recently) free'd

Dangerous crash => s-s.

Comment 1 (Assignee, 5 years ago)
Created attachment 652781: fix and test

STRINGVECTOR is just missing for the switch, it seems.
Attachment #652781 - Flags: review?(bhackett1024)

Updated (Assignee, 5 years ago)
Blocks: 772303
status-firefox-esr10: --- → unaffected
status-firefox16: --- → unaffected
status-firefox17: --- → affected
Attachment #652781 - Flags: review?(bhackett1024) → review+

Comment 2 (Assignee, 5 years ago)
https://hg.mozilla.org/integration/mozilla-inbound/rev/1baaa5534998

Updated (Reporter, 5 years ago)
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]

Comment 3 (Reporter, 5 years ago)
JSBugMon: The testcase found in this bug no longer reproduces (tried revision f9a8fdb08193).

Comment 4 (5 years ago)
https://hg.mozilla.org/mozilla-central/rev/1baaa5534998
Assignee: general → luke
Status: NEW → RESOLVED
Last Resolved: 5 years ago
status-firefox17: affected → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla17

Updated (Reporter, 5 years ago)
Status: RESOLVED → VERIFIED

Comment 5 (Reporter, 5 years ago)
JSBugMon: This bug has been automatically verified fixed.
status-firefox17: fixed → verified
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:update,ignore][adv-track-main17-]
Flags: in-testsuite+
Keywords: sec-high
Group: core-security
Keywords: regression