"Assertion failure: proto,"

RESOLVED FIXED in mozilla8

Status

Product: Core
Component: JavaScript Engine
Priority: --
Severity: critical
Status: RESOLVED FIXED
Reported: 7 years ago
Modified: 4 years ago

People

Reporter: gkw
Assignee: Unassigned

Tracking

Version: Trunk
Target Milestone: mozilla8
Platform: x86 Linux
Keywords: assertion, testcase
Points: ---
Bug Flags: in-testsuite +

Firefox Tracking Flags

tracking-firefox7: -

Details

Whiteboard: fixed-in-tracemonkey

Attachments

2 attachments, 1 obsolete attachment

(Reporter)

Description

7 years ago
Created attachment 541389 [details]
stack

o1 = Float32Array().buffer
o2 = ArrayBuffer.prototype
o3 = Uint32Array().buffer
for (i = 0; i < 2; i++) {
    for (var x in o2) {
        o3.__defineGetter__("", function() {})
    }
    o2.__defineGetter__("", function() {})
    o1[
    x]
    o1.__proto__ = o3
}

asserts js debug shell on TM changeset 0428dbdf3d58 without any CLI arguments at Assertion failure: proto,
(Reporter)

Comment 1

7 years ago
Related to bug 666305 or bug 665355?
tracking-firefox7: --- → ?
Created attachment 543296 [details] [diff] [review]
Fix ArrayBuffer::lookupProperty

Patch header has detailed comment.
Attachment #543296 - Flags: review?(mrbkap)

Updated

7 years ago
Attachment #543296 - Flags: review?(mrbkap) → review+
(Reporter)

Comment 3

7 years ago
Comment on attachment 543296 [details] [diff] [review]
Fix ArrayBuffer::lookupProperty

This should be landed to prevent bit-rot.
Attachment #543296 - Flags: checkin?
(Reporter)

Updated

7 years ago
Attachment #543296 - Flags: checkin? → checkin?(nsm.nikhil)
Created attachment 543651 [details] [diff] [review]
Fix ArrayBuffer::lookupProperty
Attachment #543296 - Attachment is obsolete: true
Attachment #543651 - Flags: checkin?(gary)
Attachment #543296 - Flags: checkin?(nsm.nikhil)
(Reporter)

Comment 5

7 years ago
Comment on attachment 543651 [details] [diff] [review]
Fix ArrayBuffer::lookupProperty

Bringing forward r+.

Checked in to TM:

http://hg.mozilla.org/tracemonkey/rev/d8e967b8afc8
Attachment #543651 - Flags: review+
Attachment #543651 - Flags: checkin?(gary)
Attachment #543651 - Flags: checkin+
(Reporter)

Updated

7 years ago
Whiteboard: fixed-in-tracemonkey
Duplicate of this bug: 669389
cdleary-bot mozilla-central merge info:
http://hg.mozilla.org/mozilla-central/rev/d8e967b8afc8
Status: NEW → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla8

Comment 8

7 years ago
This bug was nominated for tracking Firefox 7. Is the fix suitable for landing on Aurora? If so, please nominate the attachment with an approval request and an explanation of the value of the patch and the associated risk. Thanks.
(Reporter)

Comment 9

7 years ago
(In reply to comment #8)
> This bug was nominated for tracking Firefox 7. Is the fix suitable for
> landing on Aurora? If so, please nominate the attachment with an approval
> request and an explanation of the value of the patch and the associated
> risk. Thanks.

Brendan mentions this particular bug should be taken:

http://groups.google.com/group/mozilla.dev.tech.js-engine.internals/browse_thread/thread/626c85124555c0c9

From fuzzers' perspective, it fixes a bug that fuzzers find easily.

Nikhil will have to nominate the attachment with a risk analysis.

Comment 10

7 years ago
We think this made the merge, please re-nominate if that's not the case.
tracking-firefox7: ? → -
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+