720380 - Assertion failure: lastProperty()->hasSlot() && getSlot(lastProperty()->slot()).isUndefined(), at jsscope.cpp:1056

Status: VERIFIED FIXED

(Core :: JavaScript Engine, defect)

Description

[Christian Holler (:decoder)]

The following test asserts on mozilla-central revision 42368fe44c8c (options -m -n):


function MyObject( value ) {
  this.toBoolean = (this[ this.Function = this ]++ );
}
new MyObject(true);

Comment 1

[Brian Hackett [Laid off!]]

Attachment: patch

When assignments to a property of 'this' are interleaved with other uses of 'this', information about all definite properties of objects created using that script need to be thrown out, as otherwise the definite slots found may be incorrect.  A premature return in AnalyzeNewScriptProperties when a pushed value is popped in multiple places prevented this from happening.

Comment 2

[Brian Hackett [Laid off!]]

Comment on attachment 593666 [details] [diff] [review]
patch

[Approval Request Comment]
Regression caused by (bug #): TI
User impact if declined: potential vulnerability
Risk to taking this patch (and alternatives if risky): low, logic bug in rare situation

Comment 3

[Brian Hackett [Laid off!]]

https://hg.mozilla.org/integration/mozilla-inbound/rev/cb324931ea22

Comment 4

[Ed Morley [:emorley]]

https://hg.mozilla.org/mozilla-central/rev/cb324931ea22

Comment 5

[Johnathan Nightingale [:johnath]]

Comment on attachment 593666 [details] [diff] [review]
patch

Discussed in triage, approved, but changes to JS always scare us - is there any way to QA for potential bustage this might introduce? Can we get it landed soon to maximize beta coverage?

Comment 6

[Brian Hackett [Laid off!]]

I don't think there's any real risk for bustage here, per comment 2 --- the code patterns it affects will not show up in realistic code, e.g. this[x]++ in a constructor.

https://hg.mozilla.org/releases/mozilla-aurora/rev/6b8c57dc160a
https://hg.mozilla.org/releases/mozilla-beta/rev/9f4a06e3fdb0

Comment 7

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

> User impact if declined: potential vulnerability

Setting sg:critical based on this.

Comment 8

[Daniel Veditz [:dveditz]]

This bug should land on ESR as well.

Comment 9

[Lukas Blakk [:lsblakk] use ?needinfo]

Comment on attachment 593666 [details] [diff] [review]
patch

Please land this today in time for tomorrow's go-to-build.  See https://wiki.mozilla.org/Release_Management/ESR_Landing_Process for details and ping me or email release-mgmt@mozilla.com if there are any concerns about getting this landed in time.

Comment 10

[Gary Kwong [:gkw] [:nth10sd] (NOT official MoCo now)]

Quickly landed on ESR to meet the March 2 build date:

http://hg.mozilla.org/releases/mozilla-esr10/rev/081b50b02609

Comment 11

[u279076]

Verified fixed in Firefox 10.0.3esr.

Comment 12

[u279076]

Verified fixed for Firefox 11.0b6 -- no assertion reproduced using test in comment 0 in js-shell built from today's mozilla-beta.

Comment 13

[u279076]

Verified fixed for Firefox 12 using 12b4-based js-shell.

Comment 14

[Christian Holler (:decoder)]

Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/efaf8960a929