The following testcase crashes on mozilla-central revision b980c2dee2e7 (run with --fuzzing-safe --ion-eager): var GLOBAL = this + ''; function TestCase(n, d, e, a) { this.passed = getTestCaseResult(e, a); } TestCase.prototype.dump = function () {} function getTestCaseResult(expected, actual) { return actual == expected; } function writeHeaderToLog( string ) {} evaluate('\ var SECTION = "proto_8";\ writeHeaderToLog(SECTION);\ function Employee ( name, dept ) {\ this.dept = "general";\ }\ function WorkerBee ( name, dept, projs ) {\ this.base = Employee;\ }\ WorkerBee.prototype = new Employee();\ function Engineer ( name, projs, machine ) {\ this.base = WorkerBee;\ this.base(projs)\ }\ Engineer.prototype = new WorkerBee();\ var pat = new Engineer();\ for ( var machine in 6) base(projs, [17, 42]);\ new TestCase( SECTION, "pat.dept", "engineering", pat.dept);\ ', { noScriptRval : true });

JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: http://hg.mozilla.org/mozilla-central/rev/81b505e9a435 user: Brian Hackett date: Thu Oct 17 10:21:05 2013 -0600 summary: Bug 925962 - Track expected contents of stack type sets in compiler constraints, r=jandem. This iteration took 366.526 seconds to run.

The definite properties analysis relies on the stack type sets in a script reflecting types which IonBuilder assumed were there, so that the definite properties information is invalidated properly when the information changes (the analysis looks for type sets containing singleton functions inlined by the builder). Since bug 925962, however, the type sets are not updated until FinishCompilation, which is never called by the definite properties analysis, and the necessary constraints aren't added.

Comment on attachment 8350355 [details] [diff] [review] patch [Security approval request comment] How easily could an exploit be constructed based on the patch? Not at all. Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem? No. Which older supported branches are affected by this flaw? Aurora -> Beta If not all supported branches, which bug introduced the flaw? bug 925962 Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be? Trivial. How likely is this patch to cause regressions; how much testing does it need? Not at all. [Approval Request Comment] Bug caused by (feature/regressing bug #): bug 925962 User impact if declined: potential exploit Testing completed (on m-c, etc.): none Risk to taking this patch (and alternatives if risky): none

This needs a security rating in order to get sec-approval (and for any potential advisories). Is this crash exploitable? Can it be triggered by web content or just via the shell?

Comment on attachment 8350355 [details] [diff] [review] patch sec-approval+.

is "Add type constraints at the right time" a good commit message for this?

JSBugMon: This bug has been automatically verified fixed.

https://hg.mozilla.org/releases/mozilla-aurora/rev/9b1fc11fc883 https://hg.mozilla.org/releases/mozilla-beta/rev/fcd21692c906

Bustage follow-up. https://hg.mozilla.org/releases/mozilla-aurora/rev/5f4b72d2478f https://hg.mozilla.org/releases/mozilla-beta/rev/db102e35eec3