Assertion failure: obj->isExtensible(), at jsobj.cpp:4649

RESOLVED FIXED in mozilla12

Status


Core
JavaScript Engine
--
critical
RESOLVED FIXED
6 years ago
5 years ago

People

(Reporter: decoder, Assigned: evilpie)

Tracking

(Blocks: 1 bug, {assertion, testcase})

Trunk
mozilla12
x86_64
Linux
assertion, testcase
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(firefox-esr10 affected)

Details

(Whiteboard: js-triage-needed)

Attachments

(1 attachment)

(Reporter)

Description

6 years ago
The following test asserts on mozilla-central revision 569a45bfb71c (options -m -n -a):


(function () {
  assertThrows = function assertThrows(code, type_opt, cause_opt) {
        eval(code);
  };
})();
var o = Object.preventExtensions(new ArrayBuffer());
assertThrows("o.__proto__ = {}");
Whiteboard: js-triage-needed
(Assignee)

Comment 1

6 years ago
Created attachment 588675 [details] [diff] [review]
fix
Assignee: general → evilpies
Status: NEW → ASSIGNED
(Assignee)

Updated

6 years ago
Duplicate of this bug: 698581
(Assignee)

Updated

6 years ago
Attachment #588675 - Flags: review?(jorendorff)
Comment on attachment 588675 [details] [diff] [review]
fix

The test doesn't work.

Try this instead:

load(libdir + "asserts.js");
var o = Object.preventExtensions(new ArrayBuffer);
assertThrowsInstanceOf(function () { o.__proto__ = {}; }, TypeError);
Attachment #588675 - Flags: review?(jorendorff) → review+
(Assignee)

Comment 4

6 years ago
Dammit, missed that with the try .. catch. Cool that we have a library function for that.
(Assignee)

Comment 5

6 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/8a915ca62e05

Comment 6

6 years ago
https://hg.mozilla.org/mozilla-central/rev/8a915ca62e05
Status: ASSIGNED → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla12
Depends on: 728722
status-firefox-esr10: --- → affected
tracking-firefox-esr10: --- → ?
Comment on attachment 588675 [details] [diff] [review]
fix

[Approval Request Comment]
If this is not a sec:{high,crit} bug, please state case for ESR consideration: jsfunfuzz and/or Langfuzz finds this (and other variants) really easily, in a short period of time after being run.
User impact if declined: Open sourcing the js fuzzers might lead to more bug duplicates of this one.
Fix Landed on Version: 12

See https://wiki.mozilla.org/Release_Management/ESR_Landing_Process for more info.

Tom / jorendorff, perhaps you'd like to answer these portions?

Risk to taking this patch (and alternatives if risky): 
String changes made by this patch:
Attachment #588675 - Flags: approval-mozilla-esr10?
(In reply to Gary Kwong [:gkw, :nth10sd] from comment #7)

> consideration: jsfunfuzz and/or Langfuzz finds this (and other variants)
> really easily, in a short period of time after being run.
> User impact if declined: Open sourcing the js fuzzers might lead to more bug
> duplicates of this one.

Can you explain to me what it means when these are found? Does this fix a test? I'm not 100% sure why this is needed on ESR.
Comment on attachment 588675 [details] [diff] [review]
fix

On further analysis, this doesn't occur frequently enough similar to bug 697279 after being put on suppression.
Attachment #588675 - Flags: approval-mozilla-esr10?

Updated

5 years ago
tracking-firefox-esr10: ? → ---
(Reporter)

Comment 10

5 years ago
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug686296.js.
Flags: in-testsuite+
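
The invariant the reviewed test checks (changing `__proto__` on a non-extensible ArrayBuffer must raise a TypeError rather than reach the engine assertion), as an added example that is not part of this bug or of the Mozilla test suite. It runs in any standard JavaScript engine without the shell's asserts.js, and it goes beyond the bug's single case to other object kinds and to Object.setPrototypeOf and Reflect.setPrototypeOf. The names setters, targets, checkPrototypeLock, runAll and sameProtoAllowed are made up for this example.

```javascript
// Added example; helper names are hypothetical, not from the bug or the test suite.
// Ways script can try to replace an object's prototype; each returns true on success.
const setters = {
  '__proto__ assignment': (obj, proto) => { obj.__proto__ = proto; return true; },
  'Object.setPrototypeOf': (obj, proto) => { Object.setPrototypeOf(obj, proto); return true; },
  'Reflect.setPrototypeOf': (obj, proto) => Reflect.setPrototypeOf(obj, proto),
};

// Object kinds to lock. ArrayBuffer is the bug's case; the others are added here.
const targets = {
  ArrayBuffer: () => new ArrayBuffer(8),
  'plain object': () => ({}),
  Array: () => [],
  Function: () => function () {},
};

// Lock a fresh object, try every setter on it, and record the outcome.
function checkPrototypeLock(makeObject) {
  const results = {};
  for (const [name, trySet] of Object.entries(setters)) {
    const obj = Object.preventExtensions(makeObject());
    const before = Object.getPrototypeOf(obj);
    let outcome;
    try {
      outcome = trySet(obj, {}) ? 'changed' : 'rejected';
    } catch (e) {
      outcome = e instanceof TypeError ? 'TypeError' : 'other: ' + e;
    }
    // Whatever the outcome, the prototype must be the one the object started with.
    results[name] = { outcome, protoUnchanged: Object.getPrototypeOf(obj) === before };
  }
  return results;
}

function runAll() {
  const report = {};
  for (const [kind, make] of Object.entries(targets)) report[kind] = checkPrototypeLock(make);
  return report;
}

// Edge case: re-setting the current prototype is a no-op and must not throw.
function sameProtoAllowed() {
  const buf = Object.preventExtensions(new ArrayBuffer(8));
  Object.setPrototypeOf(buf, ArrayBuffer.prototype);
  return Object.getPrototypeOf(buf) === ArrayBuffer.prototype;
}

console.log(JSON.stringify(runAll(), null, 2));
```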