Closed Bug 1308022 Opened 8 years ago Closed 8 years ago

Assertion failure: [infer failure] Missing type in object [String * 0x7ffff06769d0] length: int, at js/src/vm/TypeInference.cpp:255 with ES6 Class

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking

()

RESOLVED DUPLICATE of bug 1299098
Tracking Status
firefox52 --- affected

People

(Reporter: decoder, Unassigned)

References

Details

(5 keywords, Whiteboard: [jsbugmon:update])

The following testcase crashes on mozilla-central revision ea104eeb14cc (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off --ion-eager): function test(a) { for (var i = 0; i < a.length; i++) {} } test(new class x extends String {}({} < 1)); Backtrace: received signal SIGSEGV, Segmentation fault. 0x0000000000435466 in TypeFailure (cx=cx@entry=0x7ffff695f000, fmt=0x10be2c0 "Missing type in object %s %s: %s", fmt=0x10be2c0 "Missing type in object %s %s: %s") at js/src/vm/TypeInference.cpp:256 #0 0x0000000000435466 in TypeFailure (cx=cx@entry=0x7ffff695f000, fmt=0x10be2c0 "Missing type in object %s %s: %s", fmt=0x10be2c0 "Missing type in object %s %s: %s") at js/src/vm/TypeInference.cpp:256 #1 0x0000000000bfd9f6 in js::ObjectGroupHasProperty (cx=cx@entry=0x7ffff695f000, group=0x7ffff06769d0, id=..., value=...) at js/src/vm/TypeInference.cpp:305 #2 0x0000000000b1e1dc in GetExistingProperty<(js::AllowGC)1> (cx=0x7ffff695f000, receiver=..., obj=..., shape=..., vp=...) at js/src/vm/NativeObject.cpp:1775 #3 0x0000000000b1ed0e in NativeGetPropertyInline<(js::AllowGC)1> (cx=0x7ffff695f000, obj=..., receiver=..., id=..., nameLookup=nameLookup@entry=NotNameLookup, vp=...) at js/src/vm/NativeObject.cpp:2032 #4 0x0000000000b1f340 in js::NativeGetProperty (cx=<optimized out>, obj=..., receiver=..., id=..., vp=...) at js/src/vm/NativeObject.cpp:2066 #5 0x00000000006048d4 in js::GetProperty (cx=<optimized out>, obj=..., receiver=..., id=..., vp=...) at js/src/vm/NativeObject.h:1497 #6 0x0000000000b20115 in js::GetProperty (vp=..., name=<optimized out>, receiver=..., obj=..., cx=0x7ffff695f000) at js/src/jsobj.h:846 #7 js::GetProperty (cx=cx@entry=0x7ffff695f000, v=..., name=..., name@entry=..., vp=..., vp@entry=...) at js/src/vm/Interpreter.cpp:4250 #8 0x0000000000821fd9 in js::jit::ComputeGetPropResult (cx=cx@entry=0x7ffff695f000, frame=<optimized out>, op=op@entry=JSOP_LENGTH, name=..., name@entry=..., val=..., val@entry=..., res=..., res@entry=...) at js/src/jit/SharedIC.cpp:2670 #9 0x00000000008389fb in js::jit::DoGetPropFallback (cx=0x7ffff695f000, payload=<optimized out>, stub_=<optimized out>, val=..., res=...) at js/src/jit/SharedIC.cpp:2750 #10 0x00007ffff7e3f946 in ?? () [...] #24 0x0000000000000000 in ?? () rax 0x0 0 rbx 0x7fffffffbac0 140737488337600 rcx 0x7ffff6c28a2d 140737333332525 rdx 0x0 0 rsi 0x7ffff6ef7770 140737336276848 rdi 0x7ffff6ef6540 140737336272192 rbp 0x7fffffffbfa0 140737488338848 rsp 0x7fffffffb6a0 140737488336544 r8 0x7ffff6ef7770 140737336276848 r9 0x7ffff7fe4740 140737354024768 r10 0x0 0 r11 0x0 0 r12 0x7fffffffb6c0 140737488336576 r13 0x7ffff695f000 140737330409472 r14 0x7fffffffc860 140737488341088 r15 0x7ffff695f000 140737330409472 rip 0x435466 <TypeFailure(JSContext*, char const*, char const*, ...)+336> => 0x435466 <TypeFailure(JSContext*, char const*, char const*, ...)+336>: movl $0x0,0x0 0x435471 <TypeFailure(JSContext*, char const*, char const*, ...)+347>: ud2 Marking s-s because this is an infer failure and these used to be sec-high or critical.
Jon, could you look at this? I can't tell how bad this assert is. Thanks.
Flags: needinfo?(jcoppeard)
Eric, I know you're probably really busy as it's your last week, but... I have no idea about this.
Flags: needinfo?(jcoppeard) → needinfo?(efaustbmo)
This looks similar to another bug involving RegExp subclassing. I suspect the TI interactions are just wrong. I'll look into it.
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result: === Treeherder Build Bisection Results by autoBisect === The "good" changeset has the timestamp "20151203221315" and the hash "cb2462db0b8653b4a42131a4d2a8ea92c534d4fb". The "bad" changeset has the timestamp "20151203223718" and the hash "ca6084eaafbfb041a9bc081228cdb8c7e879eb38". Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=cb2462db0b8653b4a42131a4d2a8ea92c534d4fb&tochange=ca6084eaafbfb041a9bc081228cdb8c7e879eb38
Jeff: can you take a look since Eric's gone and you reviewed the likely regressor (bug 1055472, and bug 1230337 in the same check-in)?
Blocks: 1055472
Flags: needinfo?(jwalden+bmo)
Keywords: sec-high
This is probably similar to bug 1299098. I'll take a look at these 2 bugs today.
Fixed by the patch in bug 1299098.
Status: NEW → RESOLVED
Closed: 8 years ago
Flags: needinfo?(jwalden+bmo)
Flags: needinfo?(efaustbmo)
Resolution: --- → DUPLICATE
Group: javascript-core-security
You need to log in before you can comment on or make changes to this bug.