Closed Bug 995657 Opened 10 years ago Closed 10 years ago

Crash [@ JSRuntime::~JSRuntime] or Assertion failure: nextTos <= end_, at jsgc.h

Categories

(Core :: JavaScript: GC, defect)

x86_64
macOS
defect
Not set
critical

Tracking


RESOLVED FIXED
mozilla31
Tracking Status
firefox31 --- fixed

People

(Reporter: gkw, Assigned: jonco)

Details

(4 keywords, Whiteboard: [jsbugmon:])

Crash Data

Attachments

(3 files)

Attached file stack
gcparam('markStackLimit', 13);
gcparam('markStackLimit', 27);

asserts js debug shell on m-c changeset ebdf2740dc3e with --no-asmjs --no-baseline --no-ion at Assertion failure: nextTos <= end_, at jsgc.h

My configure flags are:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-optimize --enable-debug --enable-profiling --enable-gczeal --enable-debug-symbols --disable-tests --with-ccache --enable-threadsafe <other NSPR options>

s-s just in case, since this involves gc. I'm not sure if this is bad at all, having no idea about gcparam or markStackLimit.

Setting needinfo? from Terrence as a start.
Flags: needinfo?(terrence)
Flags: needinfo?(terrence)
Whoops, didn't mean to cancel needinfo here.
Flags: needinfo?(terrence)
Whiteboard: [jsbugmon:update] → [jsbugmon:]
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
I don't think this is a security issue as gcparam() is only available in the shell.

The problem is that when we grow the mark stack, we clamp its size to the maximum set.  However, this may not allow enough space for the caller to push multiple values, and we hit an assert.  The fix is to check when we grow the stack and fail if the clamped size would not be large enough.
Assignee: nobody → jcoppeard
Flags: needinfo?(terrence)
Attachment #8406852 - Flags: review?(terrence)
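As an added illustration of the mechanism comment 4 describes (this is a hypothetical model written for this page, not code from the attached patch or from SpiderMonkey), the stack below doubles its buffer on demand but clamps the new size to a maximum, as markStackLimit does. The "unchecked" grow succeeds whenever the buffer got any bigger, so a clamped growth can leave too little room for a pending multi-value push and the nextTos <= end_ invariant from the assertion fails; the "checked" grow is told how many values the caller needs and refuses if the clamped size cannot hold them, so the caller gets a clean failure instead. Class, method and enum names are assumptions chosen for the example.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <vector>

// Outcome of a multi-value push. InvariantViolated stands in for the
// nextTos <= end_ assertion from the bug report so the model does not abort.
enum class PushResult { Pushed, Refused, InvariantViolated };

// Hypothetical mark-stack model: a buffer of slots that doubles on demand but is
// clamped to maxCapacity_ (the value gcparam('markStackLimit', n) controls).
class MarkStack {
 public:
  MarkStack(size_t initialCapacity, size_t maxCapacity, bool checkedGrow)
      : slots_(initialCapacity), tos_(0), maxCapacity_(maxCapacity),
        checkedGrow_(checkedGrow) {}

  // Push three values at once, mirroring the multi-value push that hit the assert.
  PushResult push3(uintptr_t a, uintptr_t b, uintptr_t c) {
    size_t nextTos = tos_ + 3;
    if (nextTos > slots_.size()) {
      if (!grow(3)) return PushResult::Refused;  // caller falls back gracefully
      nextTos = tos_ + 3;
    }
    // The original code asserts nextTos <= end_ here. With unchecked growth the
    // clamped buffer can still be too small; report that instead of writing past it.
    if (nextTos > slots_.size()) return PushResult::InvariantViolated;
    slots_[tos_++] = a;
    slots_[tos_++] = b;
    slots_[tos_++] = c;
    return PushResult::Pushed;
  }

  size_t capacity() const { return slots_.size(); }
  size_t size() const { return tos_; }

 private:
  // Unchecked (buggy) variant: success means "the buffer got bigger".
  // Checked (fixed) variant: success means "there is room for `count` more values".
  bool grow(size_t count) {
    size_t newCapacity = std::min(maxCapacity_, capacity() * 2);
    if (checkedGrow_) {
      if (newCapacity < capacity() + count) return false;
    } else {
      if (newCapacity == capacity()) return false;
    }
    slots_.resize(newCapacity);
    return true;
  }

  std::vector<uintptr_t> slots_;
  size_t tos_;
  size_t maxCapacity_;
  bool checkedGrow_;
};

struct FillOutcome {
  PushResult result;  // first non-Pushed result, or Pushed if everything fit
  size_t pushed;      // number of successful push3 calls before that
};

// Keep pushing triples until the stack refuses or the invariant breaks.
FillOutcome fillUntilFailure(size_t initialCapacity, size_t maxCapacity, bool checkedGrow) {
  MarkStack stack(initialCapacity, maxCapacity, checkedGrow);
  for (uintptr_t i = 0; i < 64; i++) {
    PushResult r = stack.push3(i, i + 1, i + 2);
    if (r != PushResult::Pushed) return {r, static_cast<size_t>(i)};
  }
  return {PushResult::Pushed, 64};
}

static const char* describe(PushResult r) {
  switch (r) {
    case PushResult::Pushed: return "pushed";
    case PushResult::Refused: return "refused (clean failure)";
    default: return "invariant nextTos <= end_ violated (would assert)";
  }
}

int main() {
  // Capacity 12 clamped to a limit of 13: growth "succeeds" but leaves 1 slot for 3 values.
  FillOutcome buggy = fillUntilFailure(12, 13, false);
  FillOutcome fixed = fillUntilFailure(12, 13, true);
  std::cout << "unchecked grow: " << describe(buggy.result) << " after " << buggy.pushed << " pushes\n";
  std::cout << "checked grow:   " << describe(fixed.result) << " after " << fixed.pushed << " pushes\n";
  return 0;
}
```

The interesting input is a limit that is only slightly above the current capacity: doubling gets clamped to a size that is larger than before but still smaller than the pending push needs. Only a grow routine that knows the caller's required count can reject that case.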
Comment on attachment 8406852 [details] [diff] [review]
bug995657-markStackLimit

Review of attachment 8406852 [details] [diff] [review]:
-----------------------------------------------------------------

r=me
Attachment #8406852 - Flags: review?(terrence) → review+
(In reply to Jon Coppeard (:jonco) from comment #4)
> I don't think this is a security issue as gcparam() is only available in the
> shell.

Thanks! Opening up...
Group: core-security
Variants crash opt shell at JSRuntime::~JSRuntime.
Crash Signature: [@ JSRuntime::~JSRuntime]
Keywords: crash
Summary: Assertion failure: nextTos <= end_, at jsgc.h → Crash [@ JSRuntime::~JSRuntime] or Assertion failure: nextTos <= end_, at jsgc.h
https://hg.mozilla.org/mozilla-central/rev/a668d68c3592
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla31
