Various crashes/assertions with gcparam and markStackLimit

RESOLVED FIXED in mozilla30

Status

()

defect
--
critical
RESOLVED FIXED
6 years ago
6 years ago

People

(Reporter: decoder, Assigned: decoder)

Tracking

(Blocks 1 bug, {assertion, crash, testcase})

Trunk
mozilla30
x86_64
Linux
Points:
---
Dependency tree / graph

Firefox Tracking Flags

(firefox30 affected)

Details

(Whiteboard: [jsbugmon:update,bisect][fuzzblocker])

Attachments

(1 attachment)

The following testcase crashes on mozilla-central revision 6687d299c464 (run with --fuzzing-safe):


gcparam('markStackLimit', .4 );
This causes various crashes and assertions, but I assume it's shell-only. However, because of the crash types, this should be considered a fuzzblocker (they easily look like sec-high/sec-critical issues).
Keywords: assertion
Whiteboard: [jsbugmon:update,bisect][fuzzblocker]
Posted patch gcparam.patchSplinter Review
So the problem is simple. Although the error message in GCParameter seems to indicate that we check for a non-zero value, we don't. The conversion silently converts any non-integers to 0 and we get a crash.
Assignee: nobody → choller
Status: NEW → ASSIGNED
Attachment #8376720 - Flags: review?(evilpies)
Attachment #8376720 - Flags: review?(evilpies) → review+
https://hg.mozilla.org/mozilla-central/rev/4fadd825bf81
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla30
You need to log in before you can comment on or make changes to this bug.