Closed Bug 605011 Opened 14 years ago Closed 14 years ago

"Assertion failure: JS_CHECK_STACK_SIZE(cx->stackLimit, &stackDummy),"

Categories

(Core :: JavaScript Engine, defect)

x86
Windows 7
defect
Not set
critical

Tracking

()

RESOLVED FIXED
Tracking Status
blocking2.0 --- beta8+

People

(Reporter: gkw, Assigned: gwagner)

References

Details

(Keywords: assertion, regression, testcase, Whiteboard: [sg:nse (bogus assertion)?] fixed-in-tracemonkey)

Attachments

(1 file, 1 obsolete file)

function g(x, n) { for (var i = 0; i < n; ++i) { x = { a: x }; } return x; } d = g(0, 672); (function() { gczeal(2)(uneval(this)) })() asserts js debug shell on TM changeset 47a8311cf0bb without -m or -j at Assertion failure: JS_CHECK_STACK_SIZE(cx->stackLimit, &stackDummy),
Also, locking s-s due to presence of gczeal in testcase. autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: 54771:fd4510c77054 user: Gregor Wagner date: Tue Oct 05 10:09:50 2010 -0700 summary: Bug 600310 - TM: don't perform GC outside of stack quota r=igor
Blocks: 600310
Group: core-security
blocking2.0: ? → beta8+
This is the same as seen in bug 600139, an edge case where the assert is guaranteed to hit. Throwing an over-recursed error can cause a GC, and while you're overrecursed, you're probably beyond the stack limit. I don't know whether it's a security issue or not though.
I think we should replace the assert from the bug 600139, with one that alows for few more kilobytes of the stack space. That is, the functions that sets the stack limit should make it slightly smaller so the GC will have an extra room after the error. Gregor, do you have time to patch this?
Assignee: general → anygregor
Attached patch patch (obsolete) (deleted) — Splinter Review
This patch adds 4k to the stackLimit. Another possibility would be to check if we are already in an over-recursion error.
Attachment #484378 - Flags: review?(igor)
OS: Mac OS X → Windows 7
Whiteboard: [sg:nse (bogus assertion)?]
Attachment #484378 - Flags: review?(igor) → review+
Attached patch patch (deleted) — Splinter Review
It seems cx->stackLimit is not always set (jsapi-tests).
Attachment #484378 - Attachment is obsolete: true
Attachment #484423 - Flags: review?(igor)
Comment on attachment 484423 [details] [diff] [review] patch >diff -r 5bca7c8bd4c8 js/src/jsgc.cpp >--- a/js/src/jsgc.cpp Tue Oct 19 11:39:55 2010 -0700 >+++ b/js/src/jsgc.cpp Tue Oct 19 12:49:16 2010 -0700 >@@ -2558,17 +2558,22 @@ js_GC(JSContext *cx, JSGCInvocationKind > */ > if (rt->state != JSRTS_UP && gckind != GC_LAST_CONTEXT) > return; > > RecordNativeStackTopForGC(cx); > > #ifdef DEBUG > int stackDummy; >- JS_ASSERT(JS_CHECK_STACK_SIZE(cx->stackLimit, &stackDummy)); >+/* +-4k because it is possible to perform a GC during an overrecursion report. */ >+# if JS_STACK_GROWTH_DIRECTION > 0 >+ JS_ASSERT_IF(cx->stackLimit, JS_CHECK_STACK_SIZE(cx->stackLimit + 4096, &stackDummy)); For upward growing stacks cx->stackLimit is jsuword(-1) by default, the max value. r+ with that fixed.
Attachment #484423 - Flags: review?(igor) → review+
Whiteboard: [sg:nse (bogus assertion)?] → [sg:nse (bogus assertion)?] fixed-in-tracemonkey
(In reply to comment #7) > http://hg.mozilla.org/tracemonkey/rev/0bb000635fbd I was not clear in the comment 5. The suggestion was to change the assert into: JS_ASSERT_IF(cx->stackLimit != jsuword(-1), JS_CHECK_STACK_SIZE(cx->stackLimit + 4096, &stackDummy));
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Group: core-security
Automatically extracted testcase for this bug was committed: https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: