Various crashes/assertions with gcparam and markStackLimit

RESOLVED FIXED in mozilla30

Status

Product: Core
Component: JavaScript Engine
Priority: --
Severity: critical
Status: RESOLVED FIXED
Reported: 4 years ago
Modified: 4 years ago
People

(Reporter: decoder, Assigned: decoder)

Tracking

(Blocks: 1 bug, {assertion, crash, testcase})

Version: Trunk
Target Milestone: mozilla30
Platform: x86_64
OS: Linux
Keywords: assertion, crash, testcase
Points: ---

Firefox Tracking Flags

(firefox30 affected)

Details

(Whiteboard: [jsbugmon:update,bisect][fuzzblocker])

Attachments

(1 attachment)

(Assignee)

Description

4 years ago
The following testcase crashes on mozilla-central revision 6687d299c464 (run with --fuzzing-safe):

gcparam('markStackLimit', .4);
(Assignee)

Comment 1

4 years ago
This causes various crashes and assertions, but I assume it's shell-only. However, because of the crash types, this should be considered a fuzzblocker (they easily look like sec-high/sec-critical issues).
Keywords: assertion
Whiteboard: [jsbugmon:update,bisect][fuzzblocker]
(Assignee)

Updated

4 years ago
status-firefox30: --- → affected
(Assignee)

Comment 2

4 years ago
Created attachment 8376720 [details] [diff] [review]
gcparam.patch

So the problem is simple. Although the error message in GCParameter seems to indicate that we check for a non-zero value, we don't. The conversion silently converts any non-integers to 0 and we get a crash.
Assignee: nobody → choller
Status: NEW → ASSIGNED
Attachment #8376720 - Flags: review?(evilpies)
Attachment #8376720 - Flags: review?(evilpies) → review+
https://hg.mozilla.org/mozilla-central/rev/4fadd825bf81
Status: ASSIGNED → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla30
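The defect described in Comment 2 is a validation-order bug: the value is converted to an unsigned integer before any check, so a non-integer such as 0.4 truncates to 0 and a zero mark-stack limit reaches the GC even though the error message promises a non-zero check. The following is an added, self-contained C++ model of that pattern and its fix; it is not SpiderMonkey's GCParameter code, and the names MarkStackConfig, toUint32, setLimitBuggy, setLimitChecked and the default limit of 1024 are hypothetical, constructed for this example.

```cpp
#include <cmath>
#include <cstdint>
#include <cstdio>
#include <limits>
#include <string>

// Hypothetical stand-in for the engine-side setting (not SpiderMonkey's own).
struct MarkStackConfig {
    uint32_t limit = 1024;   // constructed default for this example
};

// ECMAScript-style ToUint32: NaN and +/-Inf become 0, everything else is
// truncated and wrapped modulo 2^32. This is the silent conversion that
// turns 0.4 into 0.
static uint32_t toUint32(double d) {
    if (!std::isfinite(d)) return 0;
    double t = std::trunc(d);
    double m = std::fmod(t, 4294967296.0);
    if (m < 0) m += 4294967296.0;
    return static_cast<uint32_t>(m);
}

// Buggy pattern (as described in Comment 2): convert first, never check.
// The "must be non-zero" message exists in spirit only; 0.4 -> 0 is stored.
static bool setLimitBuggy(MarkStackConfig& cfg, double value, std::string& err) {
    (void)err;                      // no error path ever fires
    cfg.limit = toUint32(value);    // 0 reaches the GC unchallenged
    return true;
}

// Fixed pattern: validate in the caller's domain (a JS number) before
// converting, so the check and the error message actually agree.
static bool setLimitChecked(MarkStackConfig& cfg, double value, std::string& err) {
    if (!std::isfinite(value) || value != std::trunc(value)) {
        err = "markStackLimit must be an integer";
        return false;
    }
    const double maxU32 = static_cast<double>(std::numeric_limits<uint32_t>::max());
    if (value < 1 || value > maxU32) {
        err = "markStackLimit must be a non-zero value that fits in 32 bits";
        return false;
    }
    cfg.limit = static_cast<uint32_t>(value);   // safe: range already checked
    return true;
}

// Small helpers so the outcome of each setter can be inspected directly.
static uint32_t limitAfterBuggy(double v) {
    MarkStackConfig c; std::string e;
    setLimitBuggy(c, v, e);
    return c.limit;
}

static uint32_t limitAfterChecked(double v) {
    MarkStackConfig c; std::string e;
    setLimitChecked(c, v, e);       // on rejection the default is kept
    return c.limit;
}

int main() {
    std::string err;
    MarkStackConfig cfg;
    std::printf("buggy   0.4 -> limit %u\n", limitAfterBuggy(0.4));
    if (!setLimitChecked(cfg, 0.4, err))
        std::printf("checked 0.4 -> rejected: %s (limit stays %u)\n", err.c_str(), cfg.limit);
    std::printf("checked 4096 -> limit %u\n", limitAfterChecked(4096));
    return 0;
}
```

The fix is simply to reject the value while it is still a double: once it has been converted to uint32_t, the information that it was 0.4 (or -1, or 5e9) is gone, and the only thing left to check is the already-corrupted result.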