Bug 686296 - Assertion failure: obj->isExtensible(), at jsobj.cpp:4649
Status: RESOLVED FIXED
Whiteboard: js-triage-needed
Keywords: assertion, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Trunk
Platform: x86_64 Linux
Importance: -- critical
Target Milestone: mozilla12
Assigned To: Tom Schuster [:evilpie]
Duplicates: 698581
Depends on: 728722
Blocks: langfuzz
 
Reported: 2011-09-12 06:26 PDT by Christian Holler (:decoder)
Modified: 2013-01-14 08:07 PST
choller: in‑testsuite+
affected


Attachments
fix (1.42 KB, patch)
2012-01-14 12:08 PST, Tom Schuster [:evilpie]
jorendorff: review+

Description Christian Holler (:decoder) 2011-09-12 06:26:30 PDT
The following test asserts on mozilla-central revision 569a45bfb71c (options -m -n -a):


(function () {
  assertThrows = function assertThrows(code, type_opt, cause_opt) {
        eval(code);
  };
})();
var o = Object.preventExtensions(new ArrayBuffer());
assertThrows("o.__proto__ = {}");
Comment 1 Tom Schuster [:evilpie] 2012-01-14 12:08:35 PST
Created attachment 588675
fix
Comment 2 Tom Schuster [:evilpie] 2012-01-14 12:10:51 PST
*** Bug 698581 has been marked as a duplicate of this bug. ***
Comment 3 Jason Orendorff [:jorendorff] 2012-01-20 07:05:13 PST
Comment on attachment 588675
fix

The test doesn't work.

Try this instead:

load(libdir + "asserts.js");
var o = Object.preventExtensions(new ArrayBuffer);
assertThrowsInstanceOf(function () { o.__proto__ = {}; }, TypeError);
Comment 4 Tom Schuster [:evilpie] 2012-01-21 04:03:47 PST
Dammit, missed that with the try .. catch. Cool that we have a library function for that.
Comment 6 Ed Morley [:emorley] 2012-01-22 12:31:31 PST
https://hg.mozilla.org/mozilla-central/rev/8a915ca62e05
Comment 7 Gary Kwong [:gkw] [:nth10sd] 2012-04-24 17:45:28 PDT
Comment on attachment 588675
fix

[Approval Request Comment]
If this is not a sec:{high,crit} bug, please state case for ESR consideration: jsfunfuzz and/or Langfuzz finds this (and other variants) really easily, in a short period of time after being run.
User impact if declined: Open sourcing the js fuzzers might lead to more bug duplicates of this one.
Fix Landed on Version: 12

See https://wiki.mozilla.org/Release_Management/ESR_Landing_Process for more info.

Tom / jorendorff, perhaps you'd like to answer these portions?

Risk to taking this patch (and alternatives if risky): 
String changes made by this patch:
Comment 8 Lukas Blakk [:lsblakk] use ?needinfo 2012-04-25 12:58:47 PDT
(In reply to Gary Kwong [:gkw, :nth10sd] from comment #7)

> consideration: jsfunfuzz and/or Langfuzz finds this (and other variants)
> really easily, in a short period of time after being run.
> User impact if declined: Open sourcing the js fuzzers might lead to more bug
> duplicates of this one.

Can you explain to me what it means when these are found? Does this fix a test? I'm not 100% sure why this is needed on ESR.
Comment 9 Gary Kwong [:gkw] [:nth10sd] 2012-04-25 13:01:52 PDT
Comment on attachment 588675
fix

On further analysis, this doesn't occur frequently enough similar to bug 697279 after being put on suppression.
Comment 10 Christian Holler (:decoder) 2013-01-14 08:07:23 PST
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug686296.js.
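
An added example (not from the bug thread or the Mozilla tree) of why a regression test for this bug has to fail when no exception is thrown, which is what the assertThrowsInstanceOf form in comment 3 checks. The helper here is a stand-in written for this example rather than the jit-test asserts.js code, and vacuousCheck is a constructed try/catch check, since the originally attached test is not shown on this page.

```javascript
// Stand-in for assertThrowsInstanceOf from jit-test's asserts.js, written for
// this example (assumption: the real helper behaves the same way).
function assertThrowsInstanceOf(fn, ctor) {
  let threw = false;
  try {
    fn();
  } catch (e) {
    threw = true;
    if (!(e instanceof ctor)) {
      throw new Error("expected " + ctor.name + ", got " + e);
    }
  }
  // The step a bare try/catch forgets: returning normally is a failure.
  if (!threw) {
    throw new Error("expected " + ctor.name + ", but nothing was thrown");
  }
}

// Constructed try/catch check that cannot fail when nothing is thrown.
function vacuousCheck(fn, ctor) {
  try {
    fn();
  } catch (e) {
    if (!(e instanceof ctor)) throw e;
  }
}

// The operation from the bug: re-parent a non-extensible object.
function setProtoOnNonExtensibleBuffer() {
  const o = Object.preventExtensions(new ArrayBuffer(0));
  o.__proto__ = {};
}

// Control: an extensible object, where the assignment legitimately succeeds.
function setProtoOnPlainObject() {
  const o = {};
  o.__proto__ = {};
}

// Apply a check to an operation; report "pass" or "fail: <reason>".
function run(check, op) {
  try {
    check(op, TypeError);
    return "pass";
  } catch (e) {
    return "fail: " + e.message;
  }
}

console.log(run(vacuousCheck, setProtoOnPlainObject), "|", run(assertThrowsInstanceOf, setProtoOnPlainObject));
```

The control case stands in for an engine that silently accepts the assignment: the try/catch check still passes, while the assertThrowsInstanceOf-style check reports a failure.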
