"Assertion failure: inUse_.empty(),"

VERIFIED FIXED in Firefox 21

Status

Core
JavaScript Engine
--
critical
VERIFIED FIXED
5 years ago
5 years ago

People

(Reporter: gkw, Unassigned)

Tracking

(Blocks: 1 bug, 4 keywords)

Trunk
mozilla21
x86_64
Mac OS X
assertion, regression, sec-critical, testcase
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(firefox18 unaffected, firefox19 unaffected, firefox20 unaffected, firefox21+ fixed, firefox-esr10 unaffected, firefox-esr17 unaffected, b2g18 unaffected)

Details

(Whiteboard: [jsbugmon:update])

Attachments

(2 attachments)

(Reporter)

Description

5 years ago
Created attachment 703179 [details]
stack

String.prototype.search = evalcx('').String.prototype.search
x = /./.test()
''.search(/()/)

asserts js debug shell on m-c changeset ce9cdd801a73 without any CLI arguments at Assertion failure: inUse_.empty(),

s-s because gc is on the stack.

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   118977:f2e3d3913d70
user:        Sean Stangl
date:        Tue Jan 15 15:35:25 2013 -0800
summary:     Bug 829758 - use MatchOnly mode for str_search(). r=dvander
(Reporter)

Comment 1

5 years ago
Sean, this seems to point to bug 829758 as the regressor.
status-b2g18: --- → unaffected
status-firefox-esr10: --- → unaffected
status-firefox18: --- → unaffected
status-firefox19: --- → unaffected
status-firefox20: --- → unaffected
status-firefox21: --- → affected
status-firefox-esr17: --- → unaffected
Flags: needinfo?(sstangl)
(Reporter)

Updated

5 years ago
tracking-firefox21: --- → ?
(Reporter)

Comment 2

5 years ago
Tentatively rating sec-critical, because compartments and gc are on the stack.
(Reporter)

Updated

5 years ago
Keywords: sec-critical
Created attachment 703610 [details] [diff] [review]
fix

evalcx() lets multiple RegExpStatics leak into the same RegExpCompartment's RegExpShared usage table. This is safe: we just need to iterate in the destructor.
Attachment #703610 - Flags: review?(dvander)
Flags: needinfo?(sstangl)
Attachment #703610 - Flags: review?(dvander) → review+
(Reporter)

Updated

5 years ago
Keywords: checkin-needed
(Reporter)

Updated

5 years ago
Keywords: checkin-needed

Updated

5 years ago
tracking-firefox21: ? → +
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 02e12a80aef9).
(Reporter)

Comment 6

5 years ago
This landed.

http://hg.mozilla.org/mozilla-central/rev/4e7658d7727c
Status: NEW → RESOLVED
Last Resolved: 5 years ago
status-firefox21: affected → fixed
Resolution: --- → FIXED
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:update,bisectfix]
Target Milestone: --- → mozilla21
(Reporter)

Updated

5 years ago
Whiteboard: [jsbugmon:update,bisectfix] → [jsbugmon:update]
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
Group: core-security