Bug 755750 (Closed)
Opened 12 years ago
Closed 12 years ago
Assertion failure: [infer failure] Missing type pushed 0: [0xf6c00180], at jsinfer.cpp:352
Categories
(Core :: JavaScript Engine, defect)
Tracking
Status: VERIFIED FIXED
Target Milestone: mozilla15

| Flag | Tracking | Status |
|---|---|---|
| firefox12 | --- | unaffected |
| firefox13 | --- | fixed |
| firefox14 | + | fixed |
| firefox15 | + | verified |
| firefox-esr10 | --- | unaffected |
People
(Reporter: decoder, Assigned: bhackett1024)
Details
(4 keywords, Whiteboard: [js:p1:fx16] [sg:critical] [jsbugmon:update,ignore][advisory-tracking+])
Attachments (1 file)
patch (deleted) | dvander: review+ | akeybl: approval-mozilla-aurora+ | akeybl: approval-mozilla-beta+
The following test asserts on mozilla-central revision 00c7a320165b (options -m -n):
```js
// SpiderMonkey shell testcase (shell options -m -n). schedulegc() is a
// shell-only builtin, so this does not run in a browser or in node.
test();
function test() {
  // Ask the shell to trigger a GC after 100 allocations.
  schedulegc(100);
  // Object initializer whose prototype is mutated to a function object.
  var o = { __proto__: function(){} };
  // Repeatedly call through the mutated prototype; the TypeError from
  // calling a non-function is expected and swallowed.
  for (var j = 0; j < 30000; ++j) { try { o.call(3); } catch (e) { } }
}
```
S-s due to infer failure and GC-relatedness.
Assignee: general → wmccloskey
Updated•12 years ago
Keywords: sec-critical
Whiteboard: js-triage-needed [jsbugmon:update] → [js:p1:fx16][jsbugmon:update][sg:critical]
Updated•12 years ago
Keywords: regressionwindow-wanted
Comment 1•12 years ago
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: 89922:149eff9b7b92
parent: 89911:d9491b6074a4
user: Brian Hackett
date: Wed Mar 21 07:37:43 2012 -0600
summary: Use singleton types for global object initializers, bug 731398. r=dvander
Blocks: 731398
Keywords: regressionwindow-wanted → regression
Updated•12 years ago
status-firefox-esr10: --- → unaffected
status-firefox12: --- → unaffected
status-firefox13: --- → unaffected
tracking-firefox14: --- → ?
tracking-firefox15: --- → ?
Comment 2 (Reporter)•12 years ago
The first bad revision is:
changeset: 89922:149eff9b7b92
parent: 89911:d9491b6074a4
user: Brian Hackett
date: Wed Mar 21 07:37:43 2012 -0600
summary: Use singleton types for global object initializers, bug 731398. r=dvander
Comment 3 (Assignee)•12 years ago
Autobisect is wrong (conservative stack scanner), this is an older issue where if the prototype of an initializer object is mutated and a GC triggered before the code it was allocated in is analyzed, the old type object for the initializer can be collected and the information that its prototype has been mutated will be wiped out.
Assignee: wmccloskey → bhackett1024
Attachment #625418 - Flags: review?(dvander)
Updated•12 years ago
Attachment #625418 - Flags: review?(dvander) → review+
Comment 5 (Assignee)•12 years ago
Comment 6 (Assignee)•12 years ago
Comment on attachment 625418 [details] [diff] [review]
patch
[Approval Request Comment]
Bug caused by (feature/regressing bug #): TI
User impact if declined: Potential, difficult to exploit vulnerability.
Risk to taking this patch (and alternatives if risky): None.
Attachment #625418 - Flags: approval-mozilla-beta?
Attachment #625418 - Flags: approval-mozilla-aurora?
Comment 7 (Reporter)•12 years ago
JSBugMon: The testcase found in this bug no longer reproduces (tried revision ce618ce8d84a).
Updated (Reporter)•12 years ago
Whiteboard: [js:p1:fx16][jsbugmon:update][sg:critical] → [js:p1:fx16] [sg:critical] [jsbugmon:update,ignore]
Comment 8•12 years ago
Status: NEW → RESOLVED
Closed: 12 years ago
status-firefox15: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla15
Comment 9 (Reporter)•12 years ago
JSBugMon: This bug has been automatically verified fixed.
Updated (Reporter)•12 years ago
Status: RESOLVED → VERIFIED
Comment 10•12 years ago
Comment on attachment 625418 [details] [diff] [review]
patch
[Triage Comment]
Low risk fix for an sg:crit - approved for Aurora 14 and Beta 13. Please land asap to make it into Beta 5 (going to build today).
Attachment #625418 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Attachment #625418 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Comment 11 (Assignee)•12 years ago
https://hg.mozilla.org/releases/mozilla-aurora/rev/cb1661106d95
https://hg.mozilla.org/releases/mozilla-beta/rev/a1ff8cc41063
status-firefox14: --- → fixed
Updated•12 years ago
Whiteboard: [js:p1:fx16] [sg:critical] [jsbugmon:update,ignore] → [js:p1:fx16] [sg:critical] [jsbugmon:update,ignore][advisory-tracking+]
Comment 12•12 years ago
Verified fixed with Firefox 15.0a2 2012-06-22 debug shell.
Updated•12 years ago
Group: core-security
Comment 13 (Reporter)•12 years ago
Automatically extracted testcase for this bug was committed:
https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+