Closed Bug 950725 Opened 7 years ago Closed 7 years ago

Assertion failure: throwing, at jscntxt.h:584 with GC

Categories

(Core :: JavaScript Engine, defect)

x86
Linux
defect
Not set
critical

Tracking


RESOLVED FIXED
mozilla29

People

(Reporter: decoder, Assigned: jandem)

Details

(Keywords: assertion, testcase, Whiteboard: [jsbugmon:])

Attachments

(1 file)

The following testcase asserts on mozilla-central revision 9e03cd21db08 (threadsafe build, run with --ion-eager):
function test() {
  + T[g].act
}
gc();
for (var i = 0; i < 20; test['$+']) {
  try {
      __count__(f(2), 1);
  } catch (e) {}
}
Marked s-s because it involves GC. Jandem is already investigating this one.
Whiteboard: [jsbugmon:update,bisect]
Attached patch: Patch
Silly bug: js_HandleExecutionInterrupt can end up calling clearPendingException (somewhere deep inside the parser, under AttachFinishedCompilations). The getPendingException call in GetAndClearException then fails.

This patch gets and clears the pending exception before calling js_HandleExecutionInterrupt.
Assignee: general → jdemooij
Status: NEW → ASSIGNED
Attachment #8348142 - Flags: review?(bhackett1024)
Attachment #8348142 - Flags: review?(bhackett1024) → review+
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:bisect]
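The ordering bug jandem describes, as a constructed C++ model added here (it is not SpiderMonkey's code; `Context`, `HandleExecutionInterrupt` and the two `GetAndClearException*` variants are simplified stand-ins for the real JSContext, js_HandleExecutionInterrupt and GetAndClearException): the buggy order lets the interrupt handler clear the pending exception before it is read, the fixed order reads and clears it first.

```cpp
#include <string>

// Constructed model of the pending-exception state on a JS context.
struct Context {
    bool throwing = false;                 // is an exception pending? (jscntxt.h:584 asserts on this)
    std::string exception;                 // the pending exception value
    bool interruptClearsException = false; // models a nested compilation that clears the exception

    void setPendingException(const std::string& v) { throwing = true; exception = v; }
    void clearPendingException() { throwing = false; exception.clear(); }

    // Models getPendingException: in the real engine this asserts `throwing`;
    // here we report failure instead of aborting so both orders can be compared.
    bool getPendingException(std::string* out) const {
        if (!throwing) return false;       // the point where the original assertion fired
        *out = exception;
        return true;
    }
};

// Models js_HandleExecutionInterrupt: may finish off-thread compilations,
// and on the buggy path that work ends up calling clearPendingException.
bool HandleExecutionInterrupt(Context& cx) {
    if (cx.interruptClearsException) cx.clearPendingException();
    return true;                           // "keep executing"
}

// Buggy order: run the interrupt handler first, then read the exception.
bool GetAndClearExceptionBuggy(Context& cx, std::string* out) {
    if (!HandleExecutionInterrupt(cx)) return false;
    if (!cx.getPendingException(out)) return false;   // exception already gone
    cx.clearPendingException();
    return true;
}

// Fixed order (what the patch does): get and clear the pending exception
// before calling anything that can run nested code.
bool GetAndClearExceptionFixed(Context& cx, std::string* out) {
    if (!cx.getPendingException(out)) return false;
    cx.clearPendingException();
    return HandleExecutionInterrupt(cx);
}

// Returns true when the buggy order loses a pending exception.
bool BuggyOrderLosesException() {
    Context cx; cx.setPendingException("err"); cx.interruptClearsException = true;
    std::string v;
    return !GetAndClearExceptionBuggy(cx, &v);
}

// Returns the value the fixed order recovers under the same conditions.
std::string FixedOrderValue() {
    Context cx; cx.setPendingException("err"); cx.interruptClearsException = true;
    std::string v;
    return GetAndClearExceptionFixed(cx, &v) && !cx.throwing ? v : std::string();
}
```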
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
Whiteboard: [jsbugmon:bisect] → [jsbugmon:]
https://hg.mozilla.org/integration/mozilla-inbound/rev/323b1482feec

Also has a one-line fix for a VMFunction marking issue exposed by this patch; r=nbp on IRC for that.

Not security sensitive, we could get |undefined| instead of the actual exception value but that's not exploitable.
Group: core-security
https://hg.mozilla.org/mozilla-central/rev/323b1482feec
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla29
Flags: in-testsuite+