Crash [@ JSRuntime::~JSRuntime] or Assertion failure: nextTos <= end_, at jsgc.h

RESOLVED FIXED in Firefox 31

Status


defect
--
critical
RESOLVED FIXED
5 years ago
5 years ago

People

(Reporter: gkw, Assigned: jonco)

Tracking

(Blocks 1 bug, 4 keywords)

Trunk
mozilla31
x86_64
macOS
Points:
---

Firefox Tracking Flags

(firefox31 fixed)

Details

(Whiteboard: [jsbugmon:], crash signature)

Attachments

(3 attachments)

Posted file stack
gcparam('markStackLimit', 13);
gcparam('markStackLimit', 27);

asserts js debug shell on m-c changeset ebdf2740dc3e with --no-asmjs --no-baseline --no-ion at Assertion failure: nextTos <= end_, at jsgc.h

My configure flags are:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-optimize --enable-debug --enable-profiling --enable-gczeal --enable-debug-symbols --disable-tests --with-ccache --enable-threadsafe <other NSPR options>

s-s just in case, since this involves gc. I'm not sure if this is bad at all, having no idea about gcparam or markStackLimit.

Setting needinfo? from Terrence as a start.
Flags: needinfo?(terrence)
Posted file regression window
Flags: needinfo?(terrence)
Whoops, didn't mean to cancel needinfo here.
Flags: needinfo?(terrence)
Whiteboard: [jsbugmon:update] → [jsbugmon:]
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
I don't think this is a security issue as gcparam() is only available in the shell.

The problem is that when we grow the mark stack, we clamp its size to the maximum set.  However, this may not allow enough space for the caller to push multiple values, and we hit an assert.  The fix is to check when we grow the stack and fail if the clamped size would not be large enough.
Assignee: nobody → jcoppeard
Flags: needinfo?(terrence)
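The growth problem described in comment #4, reduced to a small stand-alone model. This is an added example, not SpiderMonkey code or the patch attached to this bug: the class name MarkStack, the method names, the initial capacity of 8 and the treatment of the limit as a slot count are all assumptions made for the illustration. pushBatchUnchecked grows by doubling, clamps to the limit and then writes, which is the path that trips "nextTos <= end_" when the clamped size is still too small for the batch; pushBatchChecked passes the required room into the grow step and fails cleanly instead. The two limits used in the driver are the same small values as the reporter's test case, but they are used here only as constructed sample inputs.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Added illustration (assumed names, not SpiderMonkey's MarkStack): a mark
// stack whose capacity is clamped to a configurable maximum.
class MarkStack {
  public:
    enum class Result { Ok, OutOfMemory, AssertionViolated };

    MarkStack(size_t initialCapacity, size_t maxCapacity)
        : buf_(initialCapacity), tos_(0), maxCapacity_(maxCapacity) {}

    size_t capacity() const { return buf_.size(); }
    size_t depth() const { return tos_; }

    // Old behaviour: grow by doubling, clamp to the limit, and treat any
    // growth as success. If the caller then writes n slots it can run past
    // end_, which is the "nextTos <= end_" assertion from this bug.
    Result pushBatchUnchecked(const uint64_t* vals, size_t n) {
        if (tos_ + n > buf_.size()) {
            size_t newCap = std::min(buf_.size() * 2, maxCapacity_);
            if (newCap <= buf_.size())
                return Result::OutOfMemory;       // cannot grow at all
            buf_.resize(newCap);
        }
        size_t nextTos = tos_ + n;
        if (nextTos > buf_.size())
            return Result::AssertionViolated;     // a debug build would abort here
        std::copy(vals, vals + n, buf_.begin() + static_cast<std::ptrdiff_t>(tos_));
        tos_ = nextTos;
        return Result::Ok;
    }

    // Fixed behaviour: the grow step is told how many slots the caller needs
    // and reports failure when the clamped size still would not hold them,
    // so the stack is never written past end_.
    Result pushBatchChecked(const uint64_t* vals, size_t n) {
        if (tos_ + n > buf_.size()) {
            size_t wanted = std::max(buf_.size() * 2, tos_ + n);
            size_t newCap = std::min(wanted, maxCapacity_);
            if (newCap < tos_ + n)
                return Result::OutOfMemory;       // limit too small for this batch
            buf_.resize(newCap);
        }
        size_t nextTos = tos_ + n;                // invariant nextTos <= end_ now holds
        std::copy(vals, vals + n, buf_.begin() + static_cast<std::ptrdiff_t>(tos_));
        tos_ = nextTos;
        return Result::Ok;
    }

  private:
    std::vector<uint64_t> buf_;   // buf_.size() plays the role of end_
    size_t tos_;                  // top of stack index
    size_t maxCapacity_;          // the clamp, like markStackLimit
};

// Drivers: a fresh stack with a constructed initial capacity of 8 slots,
// then one batch push of `batch` dummy words under the given limit.
MarkStack::Result tryPushUnchecked(size_t limit, size_t batch) {
    MarkStack s(8, limit);
    std::vector<uint64_t> vals(batch, 0xC0FFEE);   // constructed payload
    return s.pushBatchUnchecked(vals.data(), vals.size());
}

MarkStack::Result tryPushChecked(size_t limit, size_t batch) {
    MarkStack s(8, limit);
    std::vector<uint64_t> vals(batch, 0xC0FFEE);   // constructed payload
    return s.pushBatchChecked(vals.data(), vals.size());
}

static const char* name(MarkStack::Result r) {
    switch (r) {
        case MarkStack::Result::Ok: return "Ok";
        case MarkStack::Result::OutOfMemory: return "OutOfMemory";
        default: return "AssertionViolated";
    }
}

int main() {
    // Limit 13 cannot hold a 14-word batch: the old path overruns, the new one fails cleanly.
    std::printf("limit 13, batch 14: unchecked=%s checked=%s\n",
                name(tryPushUnchecked(13, 14)), name(tryPushChecked(13, 14)));
    // Limit 27 is large enough: both paths succeed.
    std::printf("limit 27, batch 14: unchecked=%s checked=%s\n",
                name(tryPushUnchecked(27, 14)), name(tryPushChecked(27, 14)));
    return 0;
}
```

The fix is the shape of the check rather than the numbers: whoever grows the stack has to know how many slots the caller is about to write, because the clamp can silently leave less room than a doubling policy would suggest.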
Attachment #8406852 - Flags: review?(terrence)
Comment on attachment 8406852 [details] [diff] [review]
bug995657-markStackLimit

Review of attachment 8406852 [details] [diff] [review]:
-----------------------------------------------------------------

r=me
Attachment #8406852 - Flags: review?(terrence) → review+
(In reply to Jon Coppeard (:jonco) from comment #4)
> I don't think this is a security issue as gcparam() is only available in the
> shell.

Thanks! Opening up...
Group: core-security
Variants crash opt shell at JSRuntime::~JSRuntime.
Crash Signature: [@ JSRuntime::~JSRuntime]
Keywords: crash
Summary: Assertion failure: nextTos <= end_, at jsgc.h → Crash [@ JSRuntime::~JSRuntime] or Assertion failure: nextTos <= end_, at jsgc.h
https://hg.mozilla.org/mozilla-central/rev/a668d68c3592
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla31