Closed
Bug 926779
Opened 11 years ago
Closed 11 years ago
"Assertion failure: thing" with schedulegc, crypto exception
Categories
(Core :: JavaScript Engine, defect)
VERIFIED
FIXED
mozilla28
People
(Reporter: jruderman, Assigned: terrence)
Details
(Keywords: assertion, testcase)
Attachments
(3 files)
1. Install https://www.squarefree.com/extensions/domFuzzLite3.xpi
2. Load the testcase
Assertion failure: thing, at js/src/gc/Marking.cpp:125
Comment 1 (Reporter) • 11 years ago
Comment 2•11 years ago
The stack includes mozilla::dom::TypedArrayObjectStorage::TraceSelf.
Comment 4•11 years ago
Looks unexploitable (and fairly easy to patch).
Comment 7•11 years ago
This may be a dupe of another bug that was fixed, where it was forwarding to the wrong window, so somebody should retest.
Comment 8•11 years ago
Bug 927901 that is.
Comment 9 (Assignee) • 11 years ago
Yeah, this is pretty silly. The code in |getRandomValues| is doing:
RootedTypedArray<ArrayBufferView > arg0(cx);
if (!args[0].isObject()) {
ThrowErrorMessage(cx, MSG_NOT_OBJECT, "Argument 1 of Crypto.getRandomValues");
// Crash happens ^^ when we GC with a default constructed ArrayBufferView
// on stack because it tries to mark nullptr.
return false;
}
I think the right fix is to make the default constructed view safely traceable.
Assignee: nobody → terrence
Status: NEW → ASSIGNED
Attachment #823394 - Flags: review?(efaustbmo)
Flags: needinfo?(terrence)
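The failure mode described in comment 9, modelled as an added example that is not SpiderMonkey code: a stack root is created before the argument check, the error path returns early, and a GC that runs in between traces the still-default-constructed (null) handle. All names here (Cell, RootList, Rooted, ArrayBufferViewHandle, collect, getRandomValuesModel) are constructed for the illustration; the "fix" is modelled as the tracer treating a null view as an empty root rather than handing nullptr to the marker.

```cpp
#include <algorithm>
#include <cstdio>
#include <vector>

// Toy model of a GC-managed object. Constructed for this example.
struct Cell { bool marked = false; };

// The marker. The real Marking.cpp asserts that `thing` is non-null; here the
// condition is reported as a return value so it can be exercised in a test.
bool markCell(Cell* thing) {
    if (!thing) return false;                   // "Assertion failure: thing"
    thing->marked = true;
    return true;
}

// Every live root registers here; the collector walks this list.
struct Traceable {
    virtual ~Traceable() = default;
    virtual bool trace() = 0;
};
struct RootList { std::vector<Traceable*> roots; };

// Stand-in for ArrayBufferView: default-constructed, it refers to no object yet.
class ArrayBufferViewHandle {
    Cell* obj_ = nullptr;
public:
    ArrayBufferViewHandle() = default;
    explicit ArrayBufferViewHandle(Cell* c) : obj_(c) {}
    Cell* get() const { return obj_; }
    // Pre-fix behaviour: trace unconditionally, which hands nullptr to the marker.
    bool traceUnchecked() const { return markCell(obj_); }
    // Post-fix behaviour: a null view is a legitimate, empty root and is skipped.
    bool traceChecked() const { return obj_ ? markCell(obj_) : true; }
};

// RAII root: registers on construction and unregisters on destruction, like a
// Rooted<T> that lives on the C++ stack for the duration of a native call.
template <bool Checked>
class RootedView : public Traceable {
    RootList& list_;
public:
    ArrayBufferViewHandle view;
    explicit RootedView(RootList& list) : list_(list) { list_.roots.push_back(this); }
    ~RootedView() override {
        list_.roots.erase(std::remove(list_.roots.begin(), list_.roots.end(), this),
                          list_.roots.end());
    }
    bool trace() override { return Checked ? view.traceChecked() : view.traceUnchecked(); }
};

// A collection succeeds only if every root traced without tripping the marker.
bool collect(RootList& list) {
    bool ok = true;
    for (Traceable* r : list.roots) ok = r->trace() && ok;
    return ok;
}

// Models the getRandomValues() shape from comment 9: the view is rooted before
// the argument check, so the early-return error path leaves a default-constructed
// (null) view on the stack while a GC may run.
template <bool Checked>
bool getRandomValuesModel(RootList& list, bool argIsObject, Cell* arg) {
    RootedView<Checked> arg0(list);
    if (!argIsObject) {
        return collect(list);                   // GC while arg0 is still null
    }
    arg0.view = ArrayBufferViewHandle(arg);
    return collect(list) && arg->marked;        // normal path: the view is marked
}

bool scenarioPreFix()   { RootList l; return getRandomValuesModel<false>(l, false, nullptr); }
bool scenarioPostFix()  { RootList l; return getRandomValuesModel<true>(l, false, nullptr); }
bool scenarioValidArg() { RootList l; Cell c; return getRandomValuesModel<true>(l, true, &c); }

int main() {
    std::printf("pre-fix GC with null view survives:  %d\n", scenarioPreFix());   // 0
    std::printf("post-fix GC with null view survives: %d\n", scenarioPostFix());  // 1
    std::printf("valid argument traced and marked:    %d\n", scenarioValidArg()); // 1
    return 0;
}
```

The point the model makes is the one efaust's review states: the error path does nothing unusual, so every state a rooted handle can be in, including the default-constructed one, has to be something the tracer accepts.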
Comment 10•11 years ago
Comment on attachment 823394 [details] [diff] [review]
typedarray_object_null_marking-v0.diff
Review of attachment 823394 [details] [diff] [review]:
-----------------------------------------------------------------
r=me. This seems like a fairly innocuous-looking use case, and in general, I think it's important that all default-constructed rooteds be traceable without everything blowing up.
Attachment #823394 - Flags: review?(efaustbmo) → review+
Comment 11 (Assignee) • 11 years ago
Comment 12•11 years ago
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla28
Comment 13•11 years ago
Reproduced on Nightly 2013-10-14-mozilla-central-debug.
Verified fixed Nightly 2013-12-08-mozilla-central-debug, Win 7 x64.
Status: RESOLVED → VERIFIED