Closed Bug 686296 Opened 13 years ago Closed 12 years ago

Assertion failure: obj->isExtensible(), at jsobj.cpp:4649

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking

RESOLVED FIXED
mozilla12
Tracking Status
firefox-esr10 --- wontfix

People

(Reporter: decoder, Assigned: evilpie)

Details

(Keywords: assertion, testcase, Whiteboard: js-triage-needed)

Attachments

(1 file)

The following test asserts on mozilla-central revision 569a45bfb71c (options -m -n -a):


(function () {
  assertThrows = function assertThrows(code, type_opt, cause_opt) {
        eval(code);
  };
})();
var o = Object.preventExtensions(new ArrayBuffer());
assertThrows("o.__proto__ = {}");
Whiteboard: js-triage-needed
Attached patch fix
Assignee: general → evilpies
Status: NEW → ASSIGNED
Attachment #588675 - Flags: review?(jorendorff)
Comment on attachment 588675 [details] [diff] [review]
fix

The test doesn't work.

Try this instead:

load(libdir + "asserts.js");
var o = Object.preventExtensions(new ArrayBuffer);
assertThrowsInstanceOf(function () { o.__proto__ = {}; }, TypeError);
Attachment #588675 - Flags: review?(jorendorff) → review+
Dammit, missed that with the try .. catch. Cool that we have a library function for that.
https://hg.mozilla.org/mozilla-central/rev/8a915ca62e05
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla12
Comment on attachment 588675 [details] [diff] [review]
fix

[Approval Request Comment]
If this is not a sec:{high,crit} bug, please state case for ESR consideration: jsfunfuzz and/or Langfuzz finds this (and other variants) really easily, in a short period of time after being run.
User impact if declined: Open sourcing the js fuzzers might lead to more bug duplicates of this one.
Fix Landed on Version: 12

See https://wiki.mozilla.org/Release_Management/ESR_Landing_Process for more info.

Tom / jorendorff, perhaps you'd like to answer these portions?

Risk to taking this patch (and alternatives if risky): 
String changes made by this patch:
Attachment #588675 - Flags: approval-mozilla-esr10?
(In reply to Gary Kwong [:gkw, :nth10sd] from comment #7)

> consideration: jsfunfuzz and/or Langfuzz finds this (and other variants)
> really easily, in a short period of time after being run.
> User impact if declined: Open sourcing the js fuzzers might lead to more bug
> duplicates of this one.

Can you explain to me what it means when these are found? Does this fix a test? I'm not 100% sure why this is needed on ESR.
Comment on attachment 588675 [details] [diff] [review]
fix

On further analysis, this doesn't occur frequently enough similar to bug 697279 after being put on suppression.
Attachment #588675 - Flags: approval-mozilla-esr10?
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug686296.js.
Flags: in-testsuite+
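
As an added example (not part of the bug thread, the landed patch, or the in-tree testcase): a standalone version of the check discussed above that runs without jit-test's asserts.js. It goes beyond the reported case by covering every prototype-mutation path and several object kinds. The helper throwsInstanceOf is a hypothetical stand-in for assertThrowsInstanceOf and, unlike a bare try/catch, fails when nothing is thrown.

```javascript
// Hypothetical stand-in for assertThrowsInstanceOf from asserts.js.
// A bare try { ... } catch (e) { ... } passes silently when no exception
// is raised; this helper treats "nothing thrown" as a failure.
function throwsInstanceOf(fn, ctor) {
  try {
    fn();
  } catch (e) {
    if (e instanceof ctor) return true;
    throw new Error("wrong exception type: " + e);
  }
  throw new Error("expected " + ctor.name + ", but nothing was thrown");
}

// Exercise each way of changing [[Prototype]] on a non-extensible object.
// `make` is a factory so every attempt starts from a fresh object.
function checkPrototypeLocked(make) {
  const fresh = () => Object.preventExtensions(make());
  const results = {};

  // Path 1: the __proto__ setter (the case from the bug report).
  let o = fresh();
  results.protoSetter = throwsInstanceOf(() => { o.__proto__ = {}; }, TypeError);

  // Path 2: Object.setPrototypeOf throws as well.
  o = fresh();
  results.setPrototypeOf = throwsInstanceOf(
    () => Object.setPrototypeOf(o, {}), TypeError);

  // Path 3: Reflect.setPrototypeOf reports refusal by returning false,
  // and the prototype must be left untouched.
  o = fresh();
  const before = Object.getPrototypeOf(o);
  results.reflectRefused = Reflect.setPrototypeOf(o, {}) === false;
  results.prototypeUnchanged = Object.getPrototypeOf(o) === before;

  // Setting the prototype to its current value is a permitted no-op.
  results.samePrototypeAllowed = Reflect.setPrototypeOf(o, before) === true;
  return results;
}

// Object kinds chosen for this example; ArrayBuffer is the one from the report.
function runAll() {
  const makers = [() => new ArrayBuffer(0), () => ({}), () => [], () => function () {}];
  return makers.map(checkPrototypeLocked);
}

console.log(runAll());
```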