Closed
Bug 815241
Opened 12 years ago
Closed 6 years ago
Assert or crash on shutdown with gczeal(9, 2)
Categories
(Core :: JavaScript: GC, defect)
Tracking
RESOLVED
DUPLICATE
of bug 801721
People
(Reporter: jruderman, Unassigned)
References
Details
(4 keywords)
Crash Data
Attachments
(3 files)
1. Create a new profile (mkdir -p ~/px/a; firefox -profile ~/px/a)
2. Install https://www.squarefree.com/extensions/domFuzzLite3.xpi
3. Run Firefox with the testcase filename on the command line.
4. Wait for the browser to exit (gczeal makes this take several minutes)

Result with a local debug build:
Assertion failure: cx->iterValue.isMagic(JS_NO_ITER_VALUE), at js/src/jsinterp.cpp:342

Result with a Tinderbox build:
Crash [@ MarkValueInternal]

js> help(gczeal)
9: Incremental GC in two slices: 1) mark all 2) new marking and finish
Comment 1•12 years ago
Comment 2•12 years ago
Updated•12 years ago
Crash Signature: [@ MarkValueInternal]
Comment 3•12 years ago
I have no idea how to rate this or if it's even a security issue given the crash on null. Are there any other bad values that can creep in here?
Not sure how serious this is. I'll take a look.
Assignee: general → wmccloskey
I'm adding a dependency on bug 801721; that's the assertion that fires. Once that bug is fixed we'll need to run it again and see if anything bad happens.
Depends on: 801721
Comment 7•11 years ago
I'm looking at old security bugs. Bill, how serious is this?
Flags: needinfo?(wmccloskey)
I don't know much about the assertion. It would certainly be nice to fix it since we've had bugs and crashes related to it for over a year. It has something to do with the slow script dialog. Basically, if we run long enough to get the slow script dialog in debug builds, we seem to assert in this way. The opt crash might not be serious. It looks like a NULL pointer deref that might be related to the assertion. I don't think I was ever able to reproduce it though.
Flags: needinfo?(wmccloskey)
Comment 9•11 years ago
See also bug 853001, which we continue to hit intermittently on TBPL.
Updated•10 years ago
Group: javascript-core-security
Updated•10 years ago
Group: javascript-core-security
Assignee: wmccloskey → nobody
Comment 10•9 years ago
This is trivial to find even without a fuzzer, and sounds like it's not a big problem, so I'm making it public.
Group: core-security
Updated•8 years ago
Component: JavaScript Engine → JavaScript: GC
Jon, is this still applicable?
Flags: needinfo?(jcoppeard)
Comment 12•6 years ago
I think since bug 801721 is resolved, this is probably fine.
Status: NEW → RESOLVED
Closed: 6 years ago
Flags: needinfo?(jcoppeard)
Resolution: --- → DUPLICATE