Closed
Bug 1063182
Opened 10 years ago
Closed 10 years ago
Assertion failure: !hasLazyType(), at vm/ObjectImpl.h:603
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla35
| Tracking | Status | |
|---|---|---|
| firefox35 | --- | affected |
People
(Reporter: decoder, Assigned: bhackett1024)
Details
(Keywords: assertion, testcase, Whiteboard: [jsbugmon:update])
Attachments
(2 files)
|
508 bytes,
text/plain
|
Details | |
|
2.72 KB,
patch
|
jandem
:
review+
|
Details | Diff | Splinter Review |
The following testcase asserts on mozilla-central revision 776fa9cf70cd (run with --fuzzing-safe --no-threads --ion-eager):
eval("(function() { " + "\
var o = {};\
o.watch('p', function() { });\
for (var i = 0; i < 10; \u5ede ++)\
o.p = 123;\
" + " })();");
|
Reporter | |
Comment 1•10 years ago
|
||
|
|
Reporter | |
Comment 2•10 years ago
|
||
Filed this one s-s because this assert can actually be security-sensitive, further triage is required to figure that out (just confirmed this on IRC).
status-firefox35:
--- → affected
Whiteboard: [jsbugmon:update,bisect]
|
|
Reporter | |
Updated•10 years ago
|
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
|
|
Reporter | |
Comment 3•10 years ago
|
||
JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: https://hg.mozilla.org/mozilla-central/rev/a1b25f21fe08 user: Brian Hackett date: Tue Sep 02 13:47:34 2014 -0600 summary: Bug 1041688 - Add acquired properties analysis, r=jandem. This iteration took 0.598 seconds to run.
|
|
Reporter | |
Comment 4•10 years ago
|
||
Needinfo from Brian, based on comment 3 :)
Flags: needinfo?(bhackett1024)
|
Assignee | |
Comment 5•10 years ago
|
||
This use is OK, actually, as we only use the type when attaching an AddProp stub, in which case we will have made sure the type was instantiated properly beforehand. This code is pretty complicated though and bending over backwards to avoid instantiating the type here isn't worth it.
Assignee: nobody → bhackett1024
Attachment #8485041 -
Flags: review?(jdemooij)
Flags: needinfo?(bhackett1024)
|
|
Assignee | |
Updated•10 years ago
|
Group: core-security
|
||
Updated•10 years ago
|
Attachment #8485041 -
Flags: review?(jdemooij) → review+
|
|
Assignee | |
Comment 6•10 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/963cd8abf052
|
||
Comment 7•10 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/963cd8abf052
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla35
You need to log in
before you can comment on or make changes to this bug.
Description
•