Assertion failure: addr % Cell::CellSize == 0, at ../../gc/Heap.h:846 with OOM

RESOLVED DUPLICATE of bug 797469

Status

Product: Core
Component: JavaScript Engine
Priority: --
Severity: critical
Status: RESOLVED DUPLICATE of bug 797469
Reported: 5 years ago
Modified: 4 years ago

People

(Reporter: decoder, Unassigned)

Tracking

(Blocks: 1 bug, {assertion, testcase})

Version: Trunk
Platform: x86_64
OS: Linux
Keywords: assertion, testcase
Points: ---

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [ion:p1] [jsbugmon:update,ignore])

Description (Reporter, 5 years ago)

The following testcase asserts on mozilla-central revision 70337fa2fe62 (no options required):

// Queue of source snippets; each is evaluated in turn by loadFile() below.
var lfcode = new Array();
// Lower the GC heap limit (maxBytes) to 1 KiB above the current heap usage (gcBytes),
// so subsequent allocations run into the out-of-memory path.
lfcode.push("gcparam(\"maxBytes\", gcparam(\"gcBytes\") + 1024);");
// Fuzzer-generated snippet that is evaluated while the heap limit is nearly exhausted.
lfcode.push("if (!deepEqual(a[prop], b[prop]))");
// Drain the queue, evaluating one snippet per iteration.
while (true) {
  var file = lfcode.shift(); if (file == undefined) { break; }
  loadFile(file);
}
// Evaluate a snippet as script source.
function loadFile(lfVarx) {
  eval(lfVarx);
}
Comment 1 (Reporter, 5 years ago)

Although this is an out-of-memory condition, it still showed a crash and the CellSize assertion which is known to be security relevant. Not sure if this is IonMonkey-related, Ccing devs.
Whiteboard: [jsbugmon:update,bisect]
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update,bisect][ion:p1]
Updated (Reporter, 5 years ago)

Whiteboard: [jsbugmon:update,bisect][ion:p1] → [ion:p1] [jsbugmon:update]
Comment 2 (Reporter, 5 years ago)

JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   108900:ef321673c843
user:        Eddy Bruel
date:        Tue Oct 02 14:56:26 2012 +0200
summary:     Bug 795721 - Inherit FunctionBox from ObjectBox; r=njn

This iteration took 7.058 seconds to run.
Comment 3 (Reporter, 5 years ago)

Likely a dup of bug 797469 then, waiting for that to land.
Depends on: 797469
Updated (Reporter, 5 years ago)

Whiteboard: [ion:p1] [jsbugmon:update] → [ion:p1] [jsbugmon:update,ignore]
Comment 4 (Reporter, 5 years ago)

JSBugMon: The testcase found in this bug no longer reproduces (tried revision 5cca0408a73f).
Updated (Reporter, 5 years ago)

Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 797469
No longer depends on: 797469
Group: core-security