Assertion failure: lastProperty()->hasSlot() && getSlot(lastProperty()->slot()).isUndefined(), at jsscope.cpp:1056

VERIFIED FIXED in Firefox 11

Status

()

Core
JavaScript Engine
--
critical
VERIFIED FIXED
6 years ago
5 years ago

People

(Reporter: decoder, Assigned: bhackett)

Tracking

(Blocks: 1 bug, {assertion, testcase})

Trunk
mozilla13
x86_64
Linux
assertion, testcase
Points:
---
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(firefox11 verified, firefox12 verified, firefox-esr1011+ verified, status1.9.2 unaffected)

Details

(Whiteboard: [sg:critical][qa!] js-triage-done)

Attachments

(1 attachment)

(Reporter)

Description

6 years ago
The following test asserts on mozilla-central revision 42368fe44c8c (options -m -n):


function MyObject( value ) {
  this.toBoolean = (this[ this.Function = this ]++ );
}
new MyObject(true);
(Assignee)

Updated

6 years ago
Group: core-security
(Assignee)

Comment 1

6 years ago
Created attachment 593666 [details] [diff] [review]
patch

When assignments to a property of 'this' are interleaved with other uses of 'this', information about all definite properties of objects created using that script need to be thrown out, as otherwise the definite slots found may be incorrect.  A premature return in AnalyzeNewScriptProperties when a pushed value is popped in multiple places prevented this from happening.
Assignee: general → bhackett1024
Attachment #593666 - Flags: review?(dvander)
(Assignee)

Comment 2

6 years ago
Comment on attachment 593666 [details] [diff] [review]
patch

[Approval Request Comment]
Regression caused by (bug #): TI
User impact if declined: potential vulnerability
Risk to taking this patch (and alternatives if risky): low, logic bug in rare situation
Attachment #593666 - Flags: approval-mozilla-beta?
Attachment #593666 - Flags: approval-mozilla-aurora?

Updated

6 years ago
Whiteboard: js-triage-needed → js-triage-needed [sg:?]
Attachment #593666 - Flags: review?(dvander) → review+
(Assignee)

Comment 3

6 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/cb324931ea22

Updated

6 years ago
Target Milestone: --- → mozilla13

Comment 4

6 years ago
https://hg.mozilla.org/mozilla-central/rev/cb324931ea22
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
Comment on attachment 593666 [details] [diff] [review]
patch

Discussed in triage, approved, but changes to JS always scare us - is there any way to QA for potential bustage this might introduce? Can we get it landed soon to maximize beta coverage?
Attachment #593666 - Flags: approval-mozilla-beta?
Attachment #593666 - Flags: approval-mozilla-beta+
Attachment #593666 - Flags: approval-mozilla-aurora?
Attachment #593666 - Flags: approval-mozilla-aurora+
(Assignee)

Comment 6

6 years ago
I don't think there's any real risk for bustage here, per comment 2 --- the code patterns it affects will not show up in realistic code, e.g. this[x]++ in a constructor.

https://hg.mozilla.org/releases/mozilla-aurora/rev/6b8c57dc160a
https://hg.mozilla.org/releases/mozilla-beta/rev/9f4a06e3fdb0
status-firefox11: --- → fixed
status-firefox12: --- → fixed
> User impact if declined: potential vulnerability

Setting sg:critical based on this.
Whiteboard: js-triage-needed [sg:?] → [sg:critical] js-triage-done
This bug should land on ESR as well.
status1.9.2: --- → unaffected
status-firefox-esr10: --- → affected
tracking-firefox-esr10: --- → 11+
Comment on attachment 593666 [details] [diff] [review]
patch

Please land this today in time for tomorrow's go-to-build.  See https://wiki.mozilla.org/Release_Management/ESR_Landing_Process for details and ping me or email release-mgmt@mozilla.com if there are any concerns about getting this landed in time.
Attachment #593666 - Flags: approval-mozilla-esr10+
Quickly landed on ESR to meet the March 2 build date:

http://hg.mozilla.org/releases/mozilla-esr10/rev/081b50b02609
status-firefox-esr10: affected → fixed
Verified fixed in Firefox 10.0.3esr.
status-firefox-esr10: fixed → verified
Whiteboard: [sg:critical] js-triage-done → [sg:critical][qa+] js-triage-done
Verified fixed for Firefox 11.0b6 -- no assertion reproduced using test in comment 0 in js-shell built from today's mozilla-beta.
status-firefox11: fixed → verified
(Reporter)

Updated

6 years ago
Status: RESOLVED → VERIFIED
Verified fixed for Firefox 12 using 12b4-based js-shell.
status-firefox12: fixed → verified
Whiteboard: [sg:critical][qa+] js-triage-done → [sg:critical][qa!] js-triage-done
Group: core-security
(Reporter)

Comment 14

5 years ago
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.