Bug 972951: Various crashes/assertions with gcparam and markStackLimit
Opened 10 years ago
Closed 10 years ago
Categories: (Core :: JavaScript Engine, defect)
Status: RESOLVED FIXED
Target Milestone: mozilla30
| | Tracking | Status |
|---|---|---|
| firefox30 | --- | affected |
People
(Reporter: decoder, Assigned: decoder)
Details
(Keywords: assertion, crash, testcase, Whiteboard: [jsbugmon:update,bisect][fuzzblocker])
Attachments
(1 file)
patch, 974 bytes | evilpie: review+
The following testcase crashes on mozilla-central revision 6687d299c464 (run with --fuzzing-safe):

gcparam('markStackLimit', .4 );
Comment 1 (Assignee) • 10 years ago
This causes various crashes and assertions, but I assume it's shell-only. However, because of the crash types, this should be considered a fuzzblocker (they easily look like sec-high/sec-critical issues).
Keywords: assertion
Whiteboard: [jsbugmon:update,bisect][fuzzblocker]
Updated (Assignee) • 10 years ago
status-firefox30: --- → affected
Comment 2 (Assignee) • 10 years ago
So the problem is simple. Although the error message in GCParameter seems to indicate that we check for a non-zero value, we don't. The conversion silently converts any non-integers to 0 and we get a crash.
Updated • 10 years ago
Attachment #8376720 - Flags: review?(evilpies) → review+
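The conversion behaviour described in comment 2, as an added example that is not SpiderMonkey's code or the attached patch: `to_uint32`, `ParamResult`, `parse_limit_unchecked` and `parse_limit_checked` are hypothetical names. It goes beyond the `.4` testcase to other inputs that also convert to 0 (negative fractions, NaN, multiples of 2^32).

```cpp
#include <cmath>
#include <cstdint>
#include <cstdio>
#include <string>

// ECMAScript ToUint32 applied to a number: NaN and infinities become 0, the
// value is truncated toward zero, then reduced modulo 2^32.
uint32_t to_uint32(double d) {
    if (!std::isfinite(d)) return 0;
    double m = std::fmod(std::trunc(d), 4294967296.0);  // keeps the sign of d
    if (m < 0) m += 4294967296.0;
    return static_cast<uint32_t>(m);
}

struct ParamResult {
    bool ok;
    uint32_t value;
    std::string error;
};

// Pattern from comment 2 (hypothetical helper): only the conversion runs, so
// a fractional argument such as .4 is accepted and handed on as 0.
ParamResult parse_limit_unchecked(double arg) {
    return {true, to_uint32(arg), ""};
}

// Hardened form (hypothetical helper): validate the converted value, because
// that is the value the caller will actually use.
ParamResult parse_limit_checked(double arg) {
    uint32_t v = to_uint32(arg);
    if (v == 0)
        return {false, 0, "argument must convert to a non-zero uint32"};
    return {true, v, ""};
}

int main() {
    // Constructed inputs; .4 is the value from the testcase in this bug.
    const double samples[] = {0.4, 1024.7, -0.9, 4294967296.0, std::nan("")};
    for (double s : samples) {
        ParamResult u = parse_limit_unchecked(s), c = parse_limit_checked(s);
        std::printf("%-12g unchecked=%u checked=%s\n", s, (unsigned)u.value,
                    c.ok ? "accepted" : c.error.c_str());
    }
    return 0;
}
```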
Comment 3 (Assignee) • 10 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/4fadd825bf81
Comment 4 • 10 years ago
https://hg.mozilla.org/mozilla-central/rev/4fadd825bf81
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla30