Closed
Bug 821013
Opened 12 years ago
Closed 12 years ago
"Assertion failure: !InNoGCScope(),"
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
mozilla20
| Tracking | Status | |
|---|---|---|
| firefox17 | --- | unaffected |
| firefox18 | --- | unaffected |
| firefox19 | --- | unaffected |
| firefox20 | - | fixed |
| firefox-esr10 | --- | unaffected |
| firefox-esr17 | --- | unaffected |
People
(Reporter: gkw, Assigned: terrence)
References
Details
(Keywords: assertion, regression, testcase, Whiteboard: [fuzzblocker][jsbugmon:update])
Attachments
(2 files)
|
6.06 KB,
text/plain
|
Details | |
|
1.34 KB,
patch
|
billm
:
review+
|
Details | Diff | Splinter Review |
for each(let c in [
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
0, 0, 0, 0, 0, 0, 0, 0, 0, ({'0': 0})
]) {}
asserts js debug shell on m-c changeset 1cc19f36ee66 with --no-jm at Assertion failure: !InNoGCScope(),
s-s because GC is in the stack. I'll leave it up to the devs or someone else to take a stab at the security rating.
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: 115711:9602f98a6a70
user: Terrence Cole
date: Wed Dec 05 14:21:44 2012 -0800
summary: Bug 819118 - Use accessor rather than direct script access; r=billm
|
||
Updated•12 years ago
|
Whiteboard: [jsbugmon:update] → [jsbugmon:]
|
|
||
Comment 1•12 years ago
|
||
Cannot process bug: Unable to reproduce bug on original revision.
|
Reporter | |
Comment 2•12 years ago
|
||
(In reply to Christian Holler (:decoder) from comment #1) > Cannot process bug: Unable to reproduce bug on original revision. I can definitely reproduce this, on Mac 64-bit. It's showing up on the tinderbox shells as well, at least for Linux 32-bit and Mac 64-bit. This is pretty easy to trigger.
Whiteboard: [jsbugmon:] → [fuzzblocker][jsbugmon:]
|
|
||
Comment 3•12 years ago
|
||
The problem might be that Bugmon doesn't try --no-jm
|
|
Reporter | |
Comment 4•12 years ago
|
||
(In reply to Christian Holler (:decoder) from comment #3) > The problem might be that Bugmon doesn't try --no-jm Yes, that's the issue. The assertion goes away without --no-jm.
|
|
||
Comment 5•12 years ago
|
||
Added the option, let's give it a try.
Whiteboard: [fuzzblocker][jsbugmon:] → [fuzzblocker][jsbugmon:update]
|
Assignee | |
Comment 6•12 years ago
|
||
Good find. Not sec-sensitive until we turn on exact rooting.
Assignee: general → terrence
Group: core-security
|
|
Assignee | |
Comment 7•12 years ago
|
||
Root the script, since elementWriteIsDenseArray can GC.
Attachment #691541 -
Flags: review?(wmccloskey)
Attachment #691541 -
Flags: review?(wmccloskey) → review+
|
|
Assignee | |
Comment 8•12 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/b2b21508b90b
|
||
Comment 9•12 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/b2b21508b90b
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla20
|
||
Updated•12 years ago
|
|
|
Reporter | |
Comment 10•12 years ago
|
||
Test got landed -> VERIFIED and in-testsuite+.
Status: RESOLVED → VERIFIED
Flags: in-testsuite+
|
||
Updated•12 years ago
|
You need to log in
before you can comment on or make changes to this bug.
Description
•