Closed
Bug 821013
Opened 12 years ago
Closed 12 years ago
"Assertion failure: !InNoGCScope(),"
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
mozilla20
Tracking | Status | |
---|---|---|
firefox17 | --- | unaffected |
firefox18 | --- | unaffected |
firefox19 | --- | unaffected |
firefox20 | - | fixed |
firefox-esr10 | --- | unaffected |
firefox-esr17 | --- | unaffected |
People
(Reporter: gkw, Assigned: terrence)
References
Details
(Keywords: assertion, regression, testcase, Whiteboard: [fuzzblocker][jsbugmon:update])
Attachments
(2 files)
6.06 KB,
text/plain
|
Details | |
1.34 KB,
patch
|
billm
:
review+
|
Details | Diff | Splinter Review |
for each(let c in [ 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, ({'0': 0}) ]) {} asserts js debug shell on m-c changeset 1cc19f36ee66 with --no-jm at Assertion failure: !InNoGCScope(), s-s because GC is in the stack. I'll leave it up to the devs or someone else to take a stab at the security rating. autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: 115711:9602f98a6a70 user: Terrence Cole date: Wed Dec 05 14:21:44 2012 -0800 summary: Bug 819118 - Use accessor rather than direct script access; r=billm
Updated•12 years ago
|
Whiteboard: [jsbugmon:update] → [jsbugmon:]
Comment 1•12 years ago
|
||
Cannot process bug: Unable to reproduce bug on original revision.
Reporter | ||
Comment 2•12 years ago
|
||
(In reply to Christian Holler (:decoder) from comment #1) > Cannot process bug: Unable to reproduce bug on original revision. I can definitely reproduce this, on Mac 64-bit. It's showing up on the tinderbox shells as well, at least for Linux 32-bit and Mac 64-bit. This is pretty easy to trigger.
Whiteboard: [jsbugmon:] → [fuzzblocker][jsbugmon:]
Comment 3•12 years ago
|
||
The problem might be that Bugmon doesn't try --no-jm
Reporter | ||
Comment 4•12 years ago
|
||
(In reply to Christian Holler (:decoder) from comment #3) > The problem might be that Bugmon doesn't try --no-jm Yes, that's the issue. The assertion goes away without --no-jm.
Comment 5•12 years ago
|
||
Added the option, let's give it a try.
Whiteboard: [fuzzblocker][jsbugmon:] → [fuzzblocker][jsbugmon:update]
Assignee | ||
Comment 6•12 years ago
|
||
Good find. Not sec-sensitive until we turn on exact rooting.
Assignee: general → terrence
Group: core-security
Assignee | ||
Comment 7•12 years ago
|
||
Root the script, since elementWriteIsDenseArray can GC.
Attachment #691541 -
Flags: review?(wmccloskey)
Attachment #691541 -
Flags: review?(wmccloskey) → review+
Assignee | ||
Comment 8•12 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/b2b21508b90b
Comment 9•12 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/b2b21508b90b
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla20
Updated•12 years ago
|
Reporter | ||
Comment 10•12 years ago
|
||
Test got landed -> VERIFIED and in-testsuite+.
Status: RESOLVED → VERIFIED
Flags: in-testsuite+
Updated•12 years ago
|
You need to log in
before you can comment on or make changes to this bug.
Description
•