gcparam('markStackLimit', 13); gcparam('markStackLimit', 27);

asserts js debug shell on m-c changeset ebdf2740dc3e with --no-asmjs --no-baseline --no-ion at Assertion failure: nextTos <= end_, at jsgc.h

My configure flags are:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-optimize --enable-debug --enable-profiling --enable-gczeal --enable-debug-symbols --disable-tests --with-ccache --enable-threadsafe <other NSPR options>

s-s just in case, since this involves gc. I'm not sure if this is bad at all, having no idea about gcparam or markStackLimit. Setting needinfo? from Terrence as a start.
Whoops, didn't mean to cancel needinfo here.
JSBugMon: Cannot process bug: Unable to automatically reproduce, please track manually.
I don't think this is a security issue as gcparam() is only available in the shell. The problem is that when we grow the mark stack, we clamp its size to the maximum set. However, this may not allow enough space for the caller to push multiple values, and we hit an assert. The fix is to check when we grow the stack and fail if the clamped size would not be large enough.
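The clamped-growth problem described in comment 4, as an added C++ illustration that is not SpiderMonkey's code: a simplified mark stack whose enlarge() doubles capacity but clamps to a limit, run once without and once with the check the fix adds. The names (MarkStack, enlarge, pushN, runScenario) and the sizes 8 and 13 are constructed for the demo.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>
// Simplified model (not SpiderMonkey's code) of a GC mark stack whose capacity
// doubles on demand but is clamped to a configurable limit, the analogue of
// gcparam('markStackLimit', n) in the report. buf.size() plays the role of end_.
enum class PushResult { Ok, OutOfMemory, AssertWouldFire };
struct MarkStack {
    std::vector<uintptr_t> buf;
    size_t tos = 0;      // index of the next free slot
    size_t limit;        // maximum capacity in slots
    bool checkedGrow;    // true = apply the fix described in comment 4
    MarkStack(size_t initial, size_t lim, bool checked)
        : buf(initial), limit(lim), checkedGrow(checked) {}
    // Grow so that `count` more values fit. Capacity doubles, clamped to `limit`.
    bool enlarge(size_t count) {
        size_t newCap = buf.size() * 2;
        if (newCap > limit) {
            newCap = limit;
            // The fix: refuse to grow when the clamped size still cannot hold
            // the values the caller is about to push.
            if (checkedGrow && newCap < tos + count) return false;
        }
        if (newCap <= buf.size()) return false;   // already at the limit, nothing gained
        buf.resize(newCap);
        return true;
    }
    // Push `count` values as one unit, as the GC pushes several at a time.
    PushResult pushN(const uintptr_t* vals, size_t count) {
        size_t nextTos = tos + count;
        if (nextTos > buf.size() && !enlarge(count))
            return PushResult::OutOfMemory;   // caller must fall back, not assert
        // The condition the assertion `nextTos <= end_` checks: unchecked growth
        // can leave it violated, so report instead of writing out of bounds.
        if (nextTos > buf.size()) return PushResult::AssertWouldFire;
        for (size_t i = 0; i < count; i++) buf[tos + i] = vals[i];
        tos = nextTos;
        return PushResult::Ok;
    }
};
// The scenario from the bug: a stack near its clamp limit asked to accept more
// values than the clamped size can hold (sizes are constructed for the demo).
PushResult runScenario(bool checkedGrow) {
    MarkStack s(8, 13, checkedGrow);
    uintptr_t vals[10];
    for (size_t i = 0; i < 10; i++) vals[i] = 0x1000 + i;
    s.pushN(vals, 7);              // fills to tos == 7 without growing
    return s.pushN(vals, 10);      // needs 17 slots but limit is 13
}
```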
Assignee: nobody → jcoppeard
Comment on attachment 8406852 (bug995657-markStackLimit)

Review of attachment 8406852: r=me
Attachment #8406852 - Flags: review?(terrence) → review+
(In reply to Jon Coppeard (:jonco) from comment #4)
> I don't think this is a security issue as gcparam() is only available in the shell.

Thanks! Opening up...
Variants crash opt shell at JSRuntime::~JSRuntime.
Crash Signature: [@ JSRuntime::~JSRuntime]
Summary: Assertion failure: nextTos <= end_, at jsgc.h → Crash [@ JSRuntime::~JSRuntime] or Assertion failure: nextTos <= end_, at jsgc.h
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla31