The following testcase asserts on mozilla-central revision 21d97baadc05 (run with --ion-eager): function MyObject( value ) { this.value = value; value &= value; } ForIn_1(new MyObject(true)); function ForIn_1( object) { for ( property in object ) { object[property] == eval(property) } }

S-s because infer failures can be security-relevant. Brian, can you look at this?

What does autobisect say?

JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: http://hg.mozilla.org/mozilla-central/rev/81b505e9a435 user: Brian Hackett date: Thu Oct 17 10:21:05 2013 -0600 summary: Bug 925962 - Track expected contents of stack type sets in compiler constraints, r=jandem. This iteration took 0.841 seconds to run.

Brian, is bug 925962 likely related?

Marking sec-high for the infer failure. Adjust as desired.

This is an older issue actually, I think this problem was introduced in bug 902508. When deoptimizing argument type sets that are immediately coerced to integers we don't account for previous uses of the argument which may now be miscompiled. Before bug 925962 we still didn't add freeze constraints until the end of the compilation so were still vulnerable to this problem.

Comment on attachment 828843 [details] [diff] [review] patch Review of attachment 828843 [details] [diff] [review]: ----------------------------------------------------------------- No risk patch that affects aurora and beta but not release.

Comment on attachment 828843 [details] [diff] [review] patch [Security approval request comment] How easily could an exploit be constructed based on the patch? Not easily. Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem? No. Which older supported branches are affected by this flaw? Aurora/Beta. If not all supported branches, which bug introduced the flaw? bug 902508 Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be? Simple How likely is this patch to cause regressions; how much testing does it need? None

Comment on attachment 828843 [details] [diff] [review] patch Setting approvals. This looks simple so let's get it in.

https://hg.mozilla.org/integration/mozilla-inbound/rev/d69e44285df8 Can we land the test for this at some point?

Once this is on Aurora and Beta, we can land the test since the problem isn't in a final release (yet).

JSBugMon: This bug has been automatically verified fixed.

https://hg.mozilla.org/releases/mozilla-aurora/rev/6a029d2f649b https://hg.mozilla.org/releases/mozilla-beta/rev/7d49716fbea5

Argh, s/val/value on beta :( https://hg.mozilla.org/releases/mozilla-beta/rev/aeef13df6880

https://hg.mozilla.org/releases/mozilla-b2g26_v1_2/rev/7d49716fbea5 https://hg.mozilla.org/releases/mozilla-b2g26_v1_2/rev/aeef13df6880 That's everywhere. Please land the test :)