Closed Bug 720380 Opened 8 years ago Closed 8 years ago

Assertion failure: lastProperty()->hasSlot() && getSlot(lastProperty()->slot()).isUndefined(), at jsscope.cpp:1056

Categories

(Core :: JavaScript Engine, defect, critical)

x86_64
Linux
defect
Not set
critical

Tracking

()

VERIFIED FIXED
mozilla13
Tracking Status
firefox11 --- verified
firefox12 --- verified
firefox-esr10 11+ verified
status1.9.2 --- unaffected

People

(Reporter: decoder, Assigned: bhackett)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, testcase, Whiteboard: [sg:critical][qa!] js-triage-done)

Attachments

(1 file)

The following test asserts on mozilla-central revision 42368fe44c8c (options -m -n):


function MyObject( value ) {
  this.toBoolean = (this[ this.Function = this ]++ );
}
new MyObject(true);
Group: core-security
Attached patch patchSplinter Review
When assignments to a property of 'this' are interleaved with other uses of 'this', information about all definite properties of objects created using that script need to be thrown out, as otherwise the definite slots found may be incorrect.  A premature return in AnalyzeNewScriptProperties when a pushed value is popped in multiple places prevented this from happening.
Assignee: general → bhackett1024
Attachment #593666 - Flags: review?(dvander)
Comment on attachment 593666 [details] [diff] [review]
patch

[Approval Request Comment]
Regression caused by (bug #): TI
User impact if declined: potential vulnerability
Risk to taking this patch (and alternatives if risky): low, logic bug in rare situation
Attachment #593666 - Flags: approval-mozilla-beta?
Attachment #593666 - Flags: approval-mozilla-aurora?
Whiteboard: js-triage-needed → js-triage-needed [sg:?]
Attachment #593666 - Flags: review?(dvander) → review+
Target Milestone: --- → mozilla13
https://hg.mozilla.org/mozilla-central/rev/cb324931ea22
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Comment on attachment 593666 [details] [diff] [review]
patch

Discussed in triage, approved, but changes to JS always scare us - is there any way to QA for potential bustage this might introduce? Can we get it landed soon to maximize beta coverage?
Attachment #593666 - Flags: approval-mozilla-beta?
Attachment #593666 - Flags: approval-mozilla-beta+
Attachment #593666 - Flags: approval-mozilla-aurora?
Attachment #593666 - Flags: approval-mozilla-aurora+
I don't think there's any real risk for bustage here, per comment 2 --- the code patterns it affects will not show up in realistic code, e.g. this[x]++ in a constructor.

https://hg.mozilla.org/releases/mozilla-aurora/rev/6b8c57dc160a
https://hg.mozilla.org/releases/mozilla-beta/rev/9f4a06e3fdb0
> User impact if declined: potential vulnerability

Setting sg:critical based on this.
Whiteboard: js-triage-needed [sg:?] → [sg:critical] js-triage-done
This bug should land on ESR as well.
Comment on attachment 593666 [details] [diff] [review]
patch

Please land this today in time for tomorrow's go-to-build.  See https://wiki.mozilla.org/Release_Management/ESR_Landing_Process for details and ping me or email release-mgmt@mozilla.com if there are any concerns about getting this landed in time.
Attachment #593666 - Flags: approval-mozilla-esr10+
Verified fixed in Firefox 10.0.3esr.
Whiteboard: [sg:critical] js-triage-done → [sg:critical][qa+] js-triage-done
Verified fixed for Firefox 11.0b6 -- no assertion reproduced using test in comment 0 in js-shell built from today's mozilla-beta.
Status: RESOLVED → VERIFIED
Verified fixed for Firefox 12 using 12b4-based js-shell.
Whiteboard: [sg:critical][qa+] js-triage-done → [sg:critical][qa!] js-triage-done
Group: core-security
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.