Closed
Bug 686296
Opened 13 years ago
Closed 13 years ago
Assertion failure: obj->isExtensible(), at jsobj.cpp:4649
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla12
| Tracking | Status | |
|---|---|---|
| firefox-esr10 | --- | wontfix |
People
(Reporter: decoder, Assigned: evilpies)
References
Details
(Keywords: assertion, testcase, Whiteboard: js-triage-needed)
Attachments
(1 file)
|
1.42 KB,
patch
|
jorendorff
:
review+
|
Details | Diff | Splinter Review |
The following test asserts on mozilla-central revision 569a45bfb71c (options -m -n -a):
(function () {
assertThrows = function assertThrows(code, type_opt, cause_opt) {
eval(code);
};
})();
var o = Object.preventExtensions(new ArrayBuffer());
assertThrows("o.__proto__ = {}");
|
||
Updated•13 years ago
|
Whiteboard: js-triage-needed
Attachment #588675 -
Flags: review?(jorendorff)
|
||
Comment 3•13 years ago
|
||
Comment on attachment 588675 [details] [diff] [review]
fix
The test doesn't work.
Try this instead:
load(libdir + "asserts.js");
var o = Object.preventExtensions(new ArrayBuffer);
assertThrowsInstanceOf(function () { o.__proto__ = {}; }, TypeError);
Attachment #588675 -
Flags: review?(jorendorff) → review+
Dammit, missed that with the try .. catch. Cool that we have a library function for that.
|
||
Comment 6•13 years ago
|
||
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla12
|
||
Updated•13 years ago
|
status-firefox-esr10:
--- → affected
tracking-firefox-esr10:
--- → ?
|
|
||
Comment 7•13 years ago
|
||
Comment on attachment 588675 [details] [diff] [review]
fix
[Approval Request Comment]
If this is not a sec:{high,crit} bug, please state case for ESR consideration: jsfunfuzz and/or Langfuzz finds this (and other variants) really easily, in a short period of time after being run.
User impact if declined: Open sourcing the js fuzzers might lead to more bug duplicates of this one.
Fix Landed on Version: 12
See https://wiki.mozilla.org/Release_Management/ESR_Landing_Process for more info.
Tom / jorendorff, perhaps you'd like to answer these portions?
Risk to taking this patch (and alternatives if risky):
String changes made by this patch:
Attachment #588675 -
Flags: approval-mozilla-esr10?
|
||
Comment 8•13 years ago
|
||
(In reply to Gary Kwong [:gkw, :nth10sd] from comment #7)
> consideration: jsfunfuzz and/or Langfuzz finds this (and other variants)
> really easily, in a short period of time after being run.
> User impact if declined: Open sourcing the js fuzzers might lead to more bug
> duplicates of this one.
Can you explain to me what it means when these are found? Does this fix a test? I'm not 100% sure why this is needed on ESR.
|
|
||
Comment 9•13 years ago
|
||
Comment on attachment 588675 [details] [diff] [review]
fix
On further analysis, this doesn't occur frequently enough similar to bug 697279 after being put on suppression.
Attachment #588675 -
Flags: approval-mozilla-esr10?
|
||
Updated•13 years ago
|
tracking-firefox-esr10:
? → ---
|
Reporter | |
Comment 10•12 years ago
|
||
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug686296.js.
Flags: in-testsuite+
|
||
Updated•5 years ago
|
You need to log in
before you can comment on or make changes to this bug.
Description
•