Bugzilla@Mozilla – Bug 514999
TM: "Assertion failure: thing, at ../jsgc.cpp"
Last modified: 2010-01-25 00:06:56 PST
Testcase (the inner function is built from a string with backslash line continuations; gczeal() exists only in the debug shell):

    (function () {
      (eval("\
        (function () {\
          for (var y = 0; y < 16; ++y) {\
            if (y % 3 == 2) {\
              gczeal(1);   /* force a GC on every allocation from here on */\
            } else {\
              print(0 / 0);\
            }\
          }\
        });\
      "))()
    })();

asserts js debug shell with -j at:

    Assertion failure: thing, at ../jsgc.cpp:2610

Brendan says (and I confirmed) that this is most probably related to bug 513981. Security-sensitive since bug 513981 is locked too.
TM branch tip too.
Awesome fuzzer work Gary. This is really bad news. It's very likely 513981 as you suspected.
It doesn't crash if I use TMFLAGS=full. This is going to be fun.
(In reply to comment #2)
> Awesome fuzzer work Gary. This is really bad news. It's very likely 513981 as
> you suspected.

As *I* suspect :-P. See bug 514819 comment 28.

/be
(In reply to comment #0)
> Brendan says (and I confirmed) that this is most probably related to bug
> 513981. Security-sensitive since bug 513981 is locked too.

(In reply to comment #4)
> (In reply to comment #2)
> > Awesome fuzzer work Gary. This is really bad news. It's very likely 513981 as
> > you suspected.
>
> As *I* suspect :-P. See bug 514819 comment 28.
>
> /be

Yeah, I (or autoBisect) only get partial credit, full credit goes out to Brendan. ;-)
Created attachment 399034 [details] [review] patch
I concur with blocking and this is also needed for the 3.5 branch.
sayrer, this and the other patch should go on trunk to make asap (assuming I get review for this and tryserver doesn't hate me)
bake, not make
I am getting a trace-test failure with the patch. Investigating.
This is not a security issue per se though, right? Trying to figure out the sg: rating.
I'd rate this as sg:critical. At the very least, if this particular bug is checked in as-is, it leaves a sg:critical bug in its wake.
Created attachment 399641 [details] [review]
patch

We can re-enter the interpreter while an outer use of nativeVp is still active, so we have to move nativeVp from cx to InterpState (debugged by Blake).
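The hazard the patch describes, as an added illustration that is not SpiderMonkey code: a simplified model in which a native's argv is "rooted" for the collector either through a single per-context slot (cx->nativeVp, the buggy layout) or through a per-activation record chained like InterpState (the fix). The struct and function names are hypothetical.

```c
#include <stddef.h>
#include <stdbool.h>

/* Per-activation root record: one per interpreter entry, linked to the outer one. */
typedef struct InterpState {
    void **nativeVp;            /* argv of the native running in this activation */
    struct InterpState *prev;   /* enclosing activation, or NULL at the outermost */
} InterpState;

typedef struct Context {
    void **nativeVp;            /* single per-context slot: the buggy layout */
    InterpState *interp;        /* innermost activation: the fixed layout */
} Context;

/* Would the collector still find `argv` among the roots? */
static bool roots_contain(const Context *cx, void **argv, bool use_interp_state) {
    if (!use_interp_state)
        return cx->nativeVp == argv;
    for (const InterpState *s = cx->interp; s; s = s->prev)
        if (s->nativeVp == argv)
            return true;
    return false;
}

/* A native reached by re-entering the interpreter from inside another native. */
static void inner_native(Context *cx, void **argv) {
    InterpState st = { argv, cx->interp };
    cx->nativeVp = argv;          /* clobbers the outer native's root */
    cx->interp = &st;
    /* ... a GC may run here; only rooted argv slots get marked ... */
    cx->interp = st.prev;         /* per-activation state unwinds cleanly */
    cx->nativeVp = NULL;          /* per-context slot cannot restore the outer value */
}

/* Returns true if the outer native's argv is still rooted after re-entry. */
bool outer_argv_still_rooted(bool use_interp_state) {
    void *outer_args[2] = { NULL, NULL }, *inner_args[1] = { NULL };
    Context cx = { outer_args, NULL };
    InterpState st = { outer_args, NULL };
    cx.interp = &st;
    inner_native(&cx, inner_args);
    /* Back in the outer native, which is still using outer_args. */
    bool ok = roots_contain(&cx, outer_args, use_interp_state);
    cx.interp = st.prev;
    return ok;
}
```

With the per-context slot the outer argv is no longer rooted once the inner native returns, which is the GC hazard; with the chained per-activation record it is.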
Comment on attachment 399641 [details] [review]
patch

Looks good.
http://hg.mozilla.org/tracemonkey/rev/2bcc3e339a63
Busted trace tests, gczeal is not defined in opt build. Fixing.
http://hg.mozilla.org/tracemonkey/rev/dad8ab8cb1dd should have fixed it, back in a bit to confirm.
Thanks graydon.
We'll switch this to blocking the next specific 1.9.1.x after it lands on trunk and 1.9.2 successfully.
http://hg.mozilla.org/mozilla-central/rev/2bcc3e339a63
http://hg.mozilla.org/mozilla-central/rev/dad8ab8cb1dd
http://hg.mozilla.org/releases/mozilla-1.9.2/rev/1d34cd47bfab
js/src/trace-test/tests/basic/testNativeArgsRooting.js
v 1.9.3, 1.9.2
Comment on attachment 399641 [details] [review]
patch

Approved for 1.9.1.5, a=dveditz for release-drivers
andreas, this doesn't apply to 1.9.1, can you refresh it?
Looking.
I am going to have to drop parts of the patch that fix the problem for getters/setters (since that's not on 191). If we ever take the getters/setters patch on top of this patch, we will lose those changes, create a GC hazard, and shoot ourselves in the foot. Fair warning.
Actually 1.9.1 looks quite a bit different than what we tested with. I am not sure I am comfortable dropping this into a release based on my manual rebasing only.
Ok, no wonder this doesn't work. 513981 is missing in between.
Ok, on top of 513981 this looks manageable. Warning about the getter/setter patch still applies. Patch in a sec.
Created attachment 410351 [details] [review]
patch for 1.9.1
Blake, could you land this for me?
http://hg.mozilla.org/releases/mozilla-1.9.1/rev/290980a8887e
Bob, can you verify this on the 1.9.1 nightly?
v 1.9.1, testcase in comment 0 does not assert on 1.9.1 mac debug shell.