Bug 720380 - Assertion failure: lastProperty()->hasSlot() && getSlot(lastProperty()->slot()).isUndefined(), at jsscope.cpp:1056
[sg:critical][qa!] js-triage-done
: assertion, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
: Trunk
: x86_64 Linux
: -- critical
: mozilla13
Assigned To: Brian Hackett (:bhackett)
: Jason Orendorff [:jorendorff]
Depends on:
Blocks: langfuzz
Reported: 2012-01-23 08:26 PST by Christian Holler (:decoder)
Modified: 2013-01-19 14:33 PST
choller: in‑testsuite+

patch (1.36 KB, patch)
2012-02-01 17:18 PST, Brian Hackett (:bhackett)
dvander: review+
bugzilla: approval‑mozilla‑aurora+
bugzilla: approval‑mozilla‑beta+
lukasblakk+bugs: approval‑mozilla‑esr10+

Description Christian Holler (:decoder) 2012-01-23 08:26:37 PST
The following test asserts on mozilla-central revision 42368fe44c8c (options -m -n):

function MyObject( value ) {
  this.toBoolean = (this[ this.Function = this ]++ );
}
new MyObject(true);
Comment 1 Brian Hackett (:bhackett) 2012-02-01 17:18:42 PST
Created attachment 593666

When assignments to a property of 'this' are interleaved with other uses of 'this', information about all definite properties of objects created using that script needs to be thrown out, as otherwise the definite slots found may be incorrect. A premature return in AnalyzeNewScriptProperties when a pushed value is popped in multiple places prevented this from happening.
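
Added example, not part of the bug report and not SpiderMonkey code: a simplified model of the rule described in comment 1, run over a hand-made reduction of the testcase from comment 0. The bytecode offsets, the `popSites` field and all function names are assumptions made for illustration; only the ordering of the two checks is taken from the comment.

```javascript
// Simplified model, not SpiderMonkey code. Each entry is one push of `this`:
// push/pop are constructed bytecode offsets, popSites is how many places consume
// the pushed value, and name is set when the pop is a `this.name = ...` store.
const TESTCASE_USES = [   // this.toBoolean = (this[ this.Function = this ]++)
  { push: 0, pop: 20, popSites: 1, name: "toBoolean" },
  { push: 2, pop: 14, popSites: 2, name: null },   // this[...]++ reads and writes
  { push: 4, pop: 10, popSites: 1, name: "Function" },
  { push: 6, pop: 10, popSites: 1, name: null },   // `this` as the assigned value
];

// Returns the property names the analysis treats as definite, in slot order.
// prematureReturn=true models the pre-patch check order described in comment 1.
function definiteProperties(uses, { prematureReturn }) {
  const definite = [];
  let lastThisPopped = 0;
  for (const use of uses) {
    // A new `this` pushed before the previous one was popped: uses interleave.
    const interleaved = use.push < lastThisPopped;
    if (prematureReturn && use.popSites > 1) {
      return definite;            // stops early and keeps the stale results
    }
    if (interleaved) {
      return [];                  // throw out everything found so far
    }
    if (use.popSites > 1 || use.name === null) {
      return definite;            // not a plain store: stop, earlier results hold
    }
    definite.push(use.name);
    lastThisPopped = use.pop;
  }
  return definite;
}

// Order in which the named stores actually execute (by pop offset).
// The element store from this[...]++ is left out of this model.
function runtimeStoreOrder(uses) {
  return uses.filter((u) => u.name !== null)
    .sort((a, b) => a.pop - b.pop)
    .map((u) => u.name);
}

// True when every definite property sits in the slot it gets at run time.
function slotsConsistent(definite, runtimeOrder) {
  return definite.every((name, slot) => runtimeOrder[slot] === name);
}
```

With the early return, the model reports `toBoolean` as the first definite slot although `Function` is stored first at run time; with the interleaving check applied first, nothing is reported as definite.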
Comment 2 Brian Hackett (:bhackett) 2012-02-01 17:19:32 PST
Comment on attachment 593666

[Approval Request Comment]
Regression caused by (bug #): TI
User impact if declined: potential vulnerability
Risk to taking this patch (and alternatives if risky): low, logic bug in rare situation
Comment 3 Brian Hackett (:bhackett) 2012-02-06 11:19:00 PST
Comment 4 Ed Morley [:emorley] 2012-02-07 12:14:12 PST
Comment 5 Johnathan Nightingale [:johnath] 2012-02-09 14:59:02 PST
Comment on attachment 593666

Discussed in triage, approved, but changes to JS always scare us - is there any way to QA for potential bustage this might introduce? Can we get it landed soon to maximize beta coverage?
Comment 6 Brian Hackett (:bhackett) 2012-02-12 19:43:51 PST
I don't think there's any real risk for bustage here, per comment 2 --- the code patterns it affects will not show up in realistic code, e.g. this[x]++ in a constructor.
Comment 7 Gary Kwong [:gkw] [:nth10sd] 2012-02-29 11:33:26 PST
> User impact if declined: potential vulnerability

Setting sg:critical based on this.
Comment 8 Daniel Veditz [:dveditz] 2012-03-01 16:35:00 PST
This bug should land on ESR as well.
Comment 9 Lukas Blakk [:lsblakk] use ?needinfo 2012-03-01 16:36:10 PST
Comment on attachment 593666

Please land this today in time for tomorrow's go-to-build.  See for details and ping me or email if there are any concerns about getting this landed in time.
Comment 10 Gary Kwong [:gkw] [:nth10sd] 2012-03-01 16:40:02 PST
Quickly landed on ESR to meet the March 2 build date:
Comment 11 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2012-03-05 15:16:12 PST
Verified fixed in Firefox 10.0.3esr.
Comment 12 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2012-03-07 14:17:52 PST
Verified fixed for Firefox 11.0b6 -- no assertion reproduced using test in comment 0 in js-shell built from today's mozilla-beta.
Comment 13 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2012-04-04 15:34:28 PDT
Verified fixed for Firefox 12 using 12b4-based js-shell.
Comment 14 Christian Holler (:decoder) 2013-01-19 14:33:33 PST
Automatically extracted testcase for this bug was committed:
