Closed
Bug 714600
Opened 13 years ago
Closed 13 years ago
Assertion failure: [infer failure] Missing type pushed 0: [0xf6c001c0], at jsinfer.cpp:349
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
mozilla10
People
(Reporter: decoder, Assigned: bhackett1024)
Details
(Keywords: assertion, testcase, Whiteboard: [sg:critical][qa+:ashughes] [jsbugmon:verify-branch=mozilla-aurora,verify-branch=mozilla-beta,ignore])
Attachments
(1 file)
|
4.35 KB,
patch
|
dvander
:
review+
curtisk
:
approval-mozilla-aurora+
curtisk
:
approval-mozilla-beta+
|
Details | Diff | Splinter Review |
The following test asserts on mozilla-central revision d98fbf3cbd71 (options -m -n):
var UBound = 0;
var actual = '';
var actualvalues = [];
var expect= '';
var expectedvalues = [];
function addThis() {
actualvalues[UBound] = actual;
expectedvalues[UBound] = expect;
UBound++;
}
function testLengthOnNonNativeProto() {
var o2 = {};
o2.__proto__ = [];
for (var j = 0; j < 5; (({})[addThis()]))
o2.length;
}
assertEq(testLengthOnNonNativeProto(), "no assertion");
S-s due to previous infer failures being security-relevant.
|
Assignee | |
Comment 1•13 years ago
|
||
TI bug involving mutable proto. When the prototype of an object is dynamically mutated, the object's type changes and we mark all type sets containing the object as unknown. If a GC occurs then all type sets in the script are purged, along with the original type of the object (if it is not live), forgetting the information that objects with that type have had their prototypes mutated. If we reanalyze the script after the GC, information about the prototype change has been lost and accesses on the initializer objects are treated as if they still had their original prototype. This fix marks initializer opcodes as JOF_TYPESET, so that persistent type sets retain information about initializers which have seen their prototypes mutated.
Assignee: general → bhackett1024
Attachment #585308 -
Flags: review?(dvander)
|
||
Updated•13 years ago
|
Attachment #585308 -
Flags: review?(dvander) → review+
|
||
Updated•13 years ago
|
Whiteboard: js-triage-needed → [sg:critical]
|
|
Assignee | |
Comment 2•13 years ago
|
||
|
|
Assignee | |
Comment 3•13 years ago
|
||
Comment on attachment 585308 [details] [diff] [review]
patch
[Approval Request Comment]
User impact if declined: Potential security exploit
Risk to taking this patch (and alternatives if risky): Minimal, this only has an effect when an absurd language corner case is being used (mutable prototypes).
Attachment #585308 -
Flags: approval-mozilla-beta?
Attachment #585308 -
Flags: approval-mozilla-aurora?
|
|
||
Updated•13 years ago
|
status-firefox10:
--- → affected
status-firefox11:
--- → affected
status-firefox9:
--- → wontfix
tracking-firefox10:
--- → +
tracking-firefox11:
--- → +
|
|
||
Updated•13 years ago
|
Attachment #585308 -
Flags: approval-mozilla-beta?
Attachment #585308 -
Flags: approval-mozilla-beta+
Attachment #585308 -
Flags: approval-mozilla-aurora?
Attachment #585308 -
Flags: approval-mozilla-aurora+
|
|
Assignee | |
Comment 4•13 years ago
|
||
|
|
Assignee | |
Comment 5•13 years ago
|
||
|
|
Assignee | |
Updated•13 years ago
|
Target Milestone: --- → mozilla10
|
||
Updated•13 years ago
|
|
|
||
Updated•13 years ago
|
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
No assertion reproduced with the test in comment 0 with js-shell built from today's mozilla-beta.
|
||
Updated•13 years ago
|
status-firefox-esr10:
--- → fixed
tracking-firefox-esr10:
--- → 10+
|
|
||
Updated•13 years ago
|
Group: core-security
|
Reporter | |
Updated•13 years ago
|
Status: RESOLVED → VERIFIED
Any tips on how I can verify this? I tried loading the test in comment 0 using the 2012-01-01 linux-x64 jsshell but could not reproduce the assertion.
|
|
Reporter | |
Comment 8•13 years ago
|
||
(In reply to Anthony Hughes, Mozilla QA (irc: ashughes) from comment #7)
> Any tips on how I can verify this? I tried loading the test in comment 0
> using the 2012-01-01 linux-x64 jsshell but could not reproduce the assertion.
What branch are we talking about? :)
(In reply to Christian Holler (:decoder) from comment #8)
> (In reply to Anthony Hughes, Mozilla QA (irc: ashughes) from comment #7)
> > Any tips on how I can verify this? I tried loading the test in comment 0
> > using the 2012-01-01 linux-x64 jsshell but could not reproduce the assertion.
>
> What branch are we talking about? :)
I was trying to test this on mozilla-central so I know I can reproduce the original issue before verifying on Beta.
|
|
Reporter | |
Comment 10•13 years ago
|
||
Just testing something :)
Whiteboard: [sg:critical][qa+] → [sg:critical][qa+][jsbugmon:verify-branch=mozilla-aurora,verify-branch=mozilla-beta]
|
|
Reporter | |
Comment 11•13 years ago
|
||
JSBugMon: The testcase found in this bug does not reproduce on branch mozilla-aurora (tried revision 883536e3b5da).
JSBugMon: The testcase found in this bug does not reproduce on branch mozilla-beta (tried revision e4ed83ba6eb9).
|
|
Reporter | |
Updated•13 years ago
|
Whiteboard: [sg:critical][qa+][jsbugmon:verify-branch=mozilla-aurora,verify-branch=mozilla-beta] → [sg:critical][qa+] [jsbugmon:verify-branch=mozilla-aurora,verify-branch=mozilla-beta,ignore]
|
|
Reporter | |
Comment 12•13 years ago
|
||
The last comment means the bot successfully reproduced the issue on mozilla-central with the specified revision in comment 0, but it was not able to reproduce the issue on beta or aurora tip.
|
||
Comment 13•13 years ago
|
||
Ubuntu 11.04 32bit:
I built jsshell for the latest beta release (12.0b4, rev 9bfe6330d055) and ran the test from comment #0: the test ran for several minutes until it went out of memory.
Is this expected?
|
|
Reporter | |
Comment 14•13 years ago
|
||
(In reply to Mihaela Velimiroviciu [QA] from comment #13)
>
> Is this expected?
Very likely, yes. My fuzz testcases usually don't have a "useful" behavior once they are fixed. Some just loop infinitely long, others go oom, again others just throw some exception, but all of that is fine usually. Note that on Linux, per comment 11, this has been verified fixed on aurora and beta with the given revisions :) Or do you need to verify for a specific revision?
|
|
||
Comment 15•13 years ago
|
||
(In reply to Christian Holler (:decoder) from comment #14)
Verification on any Firefox 12.0 beta revision is ok.
Changing the flag status-firefox12 to verified.
Thank you!
Whiteboard: [sg:critical][qa+] [jsbugmon:verify-branch=mozilla-aurora,verify-branch=mozilla-beta,ignore] → [sg:critical][qa!] [jsbugmon:verify-branch=mozilla-aurora,verify-branch=mozilla-beta,ignore]
|
|
||
Updated•13 years ago
|
Whiteboard: [sg:critical][qa!] [jsbugmon:verify-branch=mozilla-aurora,verify-branch=mozilla-beta,ignore] → [sg:critical][qa+] [jsbugmon:verify-branch=mozilla-aurora,verify-branch=mozilla-beta,ignore]
|
||
Comment 16•13 years ago
|
||
Decoder, it would be nice if you tried to remove/shorten the iloops before posting. It makes bisecting and verifying easier :)
|
||
Comment 17•13 years ago
|
||
Verified fixed in Firefox 10 and ESR:10.
Whiteboard: [sg:critical][qa+] [jsbugmon:verify-branch=mozilla-aurora,verify-branch=mozilla-beta,ignore] → [sg:critical][qa+:ashughes] [jsbugmon:verify-branch=mozilla-aurora,verify-branch=mozilla-beta,ignore]
|
|
Reporter | |
Comment 18•12 years ago
|
||
Even without iloop, this test takes very long to complete, not taking into the testsuite.
Flags: in-testsuite-
You need to log in
before you can comment on or make changes to this bug.
Description
•