Closed Bug 815241 Opened 12 years ago Closed 6 years ago

Assert or crash on shutdown with gczeal(9, 2)

Categories: (Core :: JavaScript: GC, defect)
Platform: x86_64, macOS; priority not set; severity critical
Status: RESOLVED DUPLICATE of bug 801721
People: (Reporter: jruderman, Unassigned)
4 keywords, 3 attachments

1. Create a new profile (mkdir -p ~/px/a; firefox -profile ~/px/a)
2. Install https://www.squarefree.com/extensions/domFuzzLite3.xpi
3. Run Firefox with the testcase filename on the command line.
4. Wait for the browser to exit (gczeal makes this take several minutes)
Result with a local debug build:
Assertion failure: cx->iterValue.isMagic(JS_NO_ITER_VALUE), at js/src/jsinterp.cpp:342

Result with a Tinderbox build:

Crash [@ MarkValueInternal]
js> help(gczeal)       
    9: Incremental GC in two slices: 1) mark all 2) new marking and finish
Attached file stack trace for crash
Crash Signature: [@ MarkValueInternal]
I have no idea how to rate this or if it's even a security issue given the crash on null. Are there any other bad values that can creep in here?
Not sure how serious this is. I'll take a look.
Assignee: general → wmccloskey
I'm adding a dependency on bug 801721 that's the assertion that fires. Once that bug is fixed we'll need to run it again and see if anything bad happens.
Depends on: 801721
totally guessing at "sec-moderate"
Keywords: sec-moderate
I'm looking at old security bugs. Bill, how serious is this?
Flags: needinfo?(wmccloskey)
I don't know much about the assertion. It would certainly be nice to fix it since we've had bugs and crashes related to it for over a year. It has something to do with the slow script dialog. Basically, if we run long enough to get the slow script dialog in debug builds, we seem to assert in this way.

The opt crash might not be serious. It looks like a NULL pointer deref that might be related to the assertion. I don't think I was ever able to reproduce it though.
Flags: needinfo?(wmccloskey)
See also bug 853001, which we continue to hit intermittently on TBPL.
Group: javascript-core-security
Group: javascript-core-security
Assignee: wmccloskey → nobody
This is trivial to find even without a fuzzer, and sounds like it's not a big problem, so I'm making it public.
Group: core-security
Component: JavaScript Engine → JavaScript: GC
Jon, is this still applicable?
Flags: needinfo?(jcoppeard)
I think since bug 801721 is resolved, this is probably fine.
Status: NEW → RESOLVED
Closed: 6 years ago
Flags: needinfo?(jcoppeard)
Resolution: --- → DUPLICATE