Closed Bug 1308022 Opened 4 years ago Closed 4 years ago

Assertion failure: [infer failure] Missing type in object [String * 0x7ffff06769d0] length: int, at js/src/vm/TypeInference.cpp:255 with ES6 Class

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking

()

RESOLVED DUPLICATE of bug 1299098
Tracking Status
firefox52 --- affected

People

(Reporter: decoder, Unassigned)

References

Details

(5 keywords, Whiteboard: [jsbugmon:update])

The following testcase crashes on mozilla-central revision ea104eeb14cc (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off --ion-eager):

function test(a) {
    for (var i = 0; i < a.length; i++) {}
}
test(new class x extends String {}({} < 1));



Backtrace:

 received signal SIGSEGV, Segmentation fault.
0x0000000000435466 in TypeFailure (cx=cx@entry=0x7ffff695f000, fmt=0x10be2c0 "Missing type in object %s %s: %s", fmt=0x10be2c0 "Missing type in object %s %s: %s") at js/src/vm/TypeInference.cpp:256
#0  0x0000000000435466 in TypeFailure (cx=cx@entry=0x7ffff695f000, fmt=0x10be2c0 "Missing type in object %s %s: %s", fmt=0x10be2c0 "Missing type in object %s %s: %s") at js/src/vm/TypeInference.cpp:256
#1  0x0000000000bfd9f6 in js::ObjectGroupHasProperty (cx=cx@entry=0x7ffff695f000, group=0x7ffff06769d0, id=..., value=...) at js/src/vm/TypeInference.cpp:305
#2  0x0000000000b1e1dc in GetExistingProperty<(js::AllowGC)1> (cx=0x7ffff695f000, receiver=..., obj=..., shape=..., vp=...) at js/src/vm/NativeObject.cpp:1775
#3  0x0000000000b1ed0e in NativeGetPropertyInline<(js::AllowGC)1> (cx=0x7ffff695f000, obj=..., receiver=..., id=..., nameLookup=nameLookup@entry=NotNameLookup, vp=...) at js/src/vm/NativeObject.cpp:2032
#4  0x0000000000b1f340 in js::NativeGetProperty (cx=<optimized out>, obj=..., receiver=..., id=..., vp=...) at js/src/vm/NativeObject.cpp:2066
#5  0x00000000006048d4 in js::GetProperty (cx=<optimized out>, obj=..., receiver=..., id=..., vp=...) at js/src/vm/NativeObject.h:1497
#6  0x0000000000b20115 in js::GetProperty (vp=..., name=<optimized out>, receiver=..., obj=..., cx=0x7ffff695f000) at js/src/jsobj.h:846
#7  js::GetProperty (cx=cx@entry=0x7ffff695f000, v=..., name=..., name@entry=..., vp=..., vp@entry=...) at js/src/vm/Interpreter.cpp:4250
#8  0x0000000000821fd9 in js::jit::ComputeGetPropResult (cx=cx@entry=0x7ffff695f000, frame=<optimized out>, op=op@entry=JSOP_LENGTH, name=..., name@entry=..., val=..., val@entry=..., res=..., res@entry=...) at js/src/jit/SharedIC.cpp:2670
#9  0x00000000008389fb in js::jit::DoGetPropFallback (cx=0x7ffff695f000, payload=<optimized out>, stub_=<optimized out>, val=..., res=...) at js/src/jit/SharedIC.cpp:2750
#10 0x00007ffff7e3f946 in ?? ()
[...]
#24 0x0000000000000000 in ?? ()
rax	0x0	0
rbx	0x7fffffffbac0	140737488337600
rcx	0x7ffff6c28a2d	140737333332525
rdx	0x0	0
rsi	0x7ffff6ef7770	140737336276848
rdi	0x7ffff6ef6540	140737336272192
rbp	0x7fffffffbfa0	140737488338848
rsp	0x7fffffffb6a0	140737488336544
r8	0x7ffff6ef7770	140737336276848
r9	0x7ffff7fe4740	140737354024768
r10	0x0	0
r11	0x0	0
r12	0x7fffffffb6c0	140737488336576
r13	0x7ffff695f000	140737330409472
r14	0x7fffffffc860	140737488341088
r15	0x7ffff695f000	140737330409472
rip	0x435466 <TypeFailure(JSContext*, char const*, char const*, ...)+336>
=> 0x435466 <TypeFailure(JSContext*, char const*, char const*, ...)+336>:	movl   $0x0,0x0
   0x435471 <TypeFailure(JSContext*, char const*, char const*, ...)+347>:	ud2    


Marking s-s because this is an infer failure and these used to be sec-high or critical.
Jon, could you look at this? I can't tell how bad this assert is. Thanks.
Flags: needinfo?(jcoppeard)
Eric, I know you're probably really busy as it's your last week, but... I have no idea about this.
Flags: needinfo?(jcoppeard) → needinfo?(efaustbmo)
This looks similar to another bug involving RegExp subclassing. I suspect the TI interactions are just wrong. I'll look into it.
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20151203221315" and the hash "cb2462db0b8653b4a42131a4d2a8ea92c534d4fb".
The "bad" changeset has the timestamp "20151203223718" and the hash "ca6084eaafbfb041a9bc081228cdb8c7e879eb38".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=cb2462db0b8653b4a42131a4d2a8ea92c534d4fb&tochange=ca6084eaafbfb041a9bc081228cdb8c7e879eb38
Jeff: can you take a look since Eric's gone and you reviewed the likely regressor (bug 1055472, and bug 1230337 in the same check-in)?
Blocks: 1055472
Flags: needinfo?(jwalden+bmo)
Keywords: sec-high
This is probably similar to bug 1299098. I'll take a look at these 2 bugs today.
Fixed by the patch in bug 1299098.
Status: NEW → RESOLVED
Closed: 4 years ago
Flags: needinfo?(jwalden+bmo)
Flags: needinfo?(efaustbmo)
Resolution: --- → DUPLICATE
Duplicate of bug: 1299098
Group: javascript-core-security
You need to log in before you can comment on or make changes to this bug.