Closed Bug 926779 Opened 11 years ago Closed 11 years ago

"Assertion failure: thing" with schedulegc, crypto exception

Categories

(Core :: JavaScript Engine, defect)

x86_64
macOS
defect
Not set
critical

Tracking


VERIFIED FIXED
mozilla28

People

(Reporter: jruderman, Assigned: terrence)

Details

(Keywords: assertion, testcase)

Attachments

(3 files)

Attached file q10-p.html
1. Install https://www.squarefree.com/extensions/domFuzzLite3.xpi
2. Load the testcase

Assertion failure: thing, at js/src/gc/Marking.cpp:125
Attached file stack
The stack includes mozilla::dom::TypedArrayObjectStorage::TraceSelf.
Hitting an unexpected null doesn't sound too bad.
Keywords: sec-low
Looks unexploitable (and fairly easy to patch).
Unhiding.
Group: core-security
Keywords: sec-low
Needs an owner. I can promise a quick review.
Flags: needinfo?(terrence)
This may be a dupe of another bug that was fixed, where it was forwarding to the wrong window, so somebody should retest.
Yeah, this is pretty silly. The code in |getRandomValues| is doing:

    RootedTypedArray<ArrayBufferView> arg0(cx);
    if (!args[0].isObject()) {
        ThrowErrorMessage(cx, MSG_NOT_OBJECT, "Argument 1 of Crypto.getRandomValues");
        // Crash happens ^^ when we GC with a default constructed ArrayBufferView
        // on stack because it tries to mark nullptr.
        return false;
    }

I think the right fix is to make the default constructed view safely traceable.
Assignee: nobody → terrence
Status: NEW → ASSIGNED
Attachment #823394 - Flags: review?(efaustbmo)
Flags: needinfo?(terrence)
Comment on attachment 823394 [details] [diff] [review]
typedarray_object_null_marking-v0.diff

Review of attachment 823394 [details] [diff] [review]:
-----------------------------------------------------------------

r=me. This seems like a fairly innocuous-looking use case, and in general, I think it's important that all default-constructed rooteds be traceable without everything blowing up.
Attachment #823394 - Flags: review?(efaustbmo) → review+
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla28
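The rooting hazard discussed in the two comments above, as an added C++ example that is not Mozilla's code: a minimal model in which a rooted view is default-constructed (holding nullptr) before the argument check, the check fails, and a GC marking pass runs while the null view is still rooted. ArrayBufferObject, RootList, traceUnchecked, traceSafe, markRoots and gcDuringFailedArgCheck are hypothetical stand-ins for SpiderMonkey internals.

```cpp
// Added example (not Mozilla code): a minimal model of the rooting pattern
// from bug 926779. A default-constructed rooted view holds nullptr, and the
// GC marking pass must tolerate that instead of asserting.
#include <cstddef>
#include <vector>

struct ArrayBufferObject { bool marked = false; };

// Stand-in for ArrayBufferView. Default construction leaves obj == nullptr,
// the state reached in getRandomValues() before the argument is validated.
struct ArrayBufferView {
    ArrayBufferObject* obj = nullptr;
};

// Hypothetical root list: in SpiderMonkey, Rooted<T> registers itself with
// the JSContext on construction and is traced on every GC.
using RootList = std::vector<ArrayBufferView*>;

// "Before" behaviour: tracing marks unconditionally, so a default-constructed
// view means marking nullptr ("Assertion failure: thing" in Marking.cpp).
// Returns false in place of the assertion so the caller can observe it.
bool traceUnchecked(ArrayBufferView& v) {
    if (v.obj == nullptr) return false;  // models the tripped assertion
    v.obj->marked = true;
    return true;
}

// The fix in spirit: a null view is a legitimate state with nothing to mark.
bool traceSafe(ArrayBufferView& v) {
    if (v.obj != nullptr) v.obj->marked = true;
    return true;
}

// Simulated GC marking pass over the root list; returns how many roots
// traced without tripping the assertion.
std::size_t markRoots(RootList& roots, bool (*trace)(ArrayBufferView&)) {
    std::size_t ok = 0;
    for (ArrayBufferView* v : roots) if (trace(*v)) ++ok;
    return ok;
}

// Scenario from the bug: arg0 is rooted before the type check, the check
// fails, and a GC runs while the still-null view sits in the root list.
std::size_t gcDuringFailedArgCheck(bool fixed) {
    ArrayBufferObject live;
    ArrayBufferView real{&live};
    ArrayBufferView arg0;  // default constructed: obj == nullptr
    RootList roots{&real, &arg0};
    return markRoots(roots, fixed ? traceSafe : traceUnchecked);
}
```

With the unchecked tracer only the populated root survives the pass (the null one trips the modelled assertion); with the null-tolerant tracer both roots trace cleanly, which is the property the patch restores for default-constructed rooteds.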
Reproduced on Nightly 2013-10-14-mozilla-central-debug. Verified fixed Nightly 2013-12-08-mozilla-central-debug, Win 7 x64.
Status: RESOLVED → VERIFIED