Closed Bug 972951 Opened 10 years ago Closed 10 years ago

Various crashes/assertions with gcparam and markStackLimit

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla30
Tracking Flags:
Tracking Status
firefox30 --- affected

People

(Reporter: decoder, Assigned: decoder)

Details

(Keywords: assertion, crash, testcase, Whiteboard: [jsbugmon:update,bisect][fuzzblocker])

Attachments

(1 file)

gcparam.patch
974 bytes, patch
evilpie
: review+
Details | Diff | Splinter Review 
The following testcase crashes on mozilla-central revision 6687d299c464 (run with --fuzzing-safe):


gcparam('markStackLimit', .4 );
This causes various crashes and assertions, but I assume it's shell-only. However, because of the crash types, this should be considered a fuzzblocker (they easily look like sec-high/sec-critical issues).
Keywords: assertion
Whiteboard: [jsbugmon:update,bisect][fuzzblocker]
Attached patch gcparam.patchSplinter Review 
So the problem is simple. Although the error message in GCParameter seems to indicate that we check for a non-zero value, we don't. The conversion silently converts any non-integers to 0 and we get a crash.
Assignee: nobody → choller
Status: NEW → ASSIGNED
Attachment #8376720 - Flags: review?(evilpies)
Attachment #8376720 - Flags: review?(evilpies) → review+
https://hg.mozilla.org/mozilla-central/rev/4fadd825bf81
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla30
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: