Last Comment Bug 720380 - Assertion failure: lastProperty()->hasSlot() && getSlot(lastProperty()->slot()).isUndefined(), at jsscope.cpp:1056
: Assertion failure: lastProperty()->hasSlot() && getSlot(lastProperty()->slot(...
[sg:critical][qa!] js-triage-done
: assertion, testcase
Product: Core
Classification: Components
Component: JavaScript Engine (show other bugs)
: Trunk
: x86_64 Linux
-- critical (vote)
: mozilla13
Assigned To: Brian Hackett (:bhackett)
: Jason Orendorff [:jorendorff]
Depends on:
Blocks: langfuzz
  Show dependency treegraph
Reported: 2012-01-23 08:26 PST by Christian Holler (:decoder)
Modified: 2013-01-19 14:33 PST (History)
9 users (show)
choller: in‑testsuite+
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---

patch (1.36 KB, patch)
2012-02-01 17:18 PST, Brian Hackett (:bhackett)
dvander: review+
bugzilla: approval‑mozilla‑aurora+
bugzilla: approval‑mozilla‑beta+
lukasblakk+bugs: approval‑mozilla‑esr10+
Details | Diff | Splinter Review

Description User image Christian Holler (:decoder) 2012-01-23 08:26:37 PST
The following test asserts on mozilla-central revision 42368fe44c8c (options -m -n):

function MyObject( value ) {
  this.toBoolean = (this[ this.Function = this ]++ );
new MyObject(true);
Comment 1 User image Brian Hackett (:bhackett) 2012-02-01 17:18:42 PST
Created attachment 593666 [details] [diff] [review]

When assignments to a property of 'this' are interleaved with other uses of 'this', information about all definite properties of objects created using that script need to be thrown out, as otherwise the definite slots found may be incorrect.  A premature return in AnalyzeNewScriptProperties when a pushed value is popped in multiple places prevented this from happening.
Comment 2 User image Brian Hackett (:bhackett) 2012-02-01 17:19:32 PST
Comment on attachment 593666 [details] [diff] [review]

[Approval Request Comment]
Regression caused by (bug #): TI
User impact if declined: potential vulnerability
Risk to taking this patch (and alternatives if risky): low, logic bug in rare situation
Comment 3 User image Brian Hackett (:bhackett) 2012-02-06 11:19:00 PST
Comment 4 User image Ed Morley [:emorley] 2012-02-07 12:14:12 PST
Comment 5 User image Johnathan Nightingale [:johnath] 2012-02-09 14:59:02 PST
Comment on attachment 593666 [details] [diff] [review]

Discussed in triage, approved, but changes to JS always scare us - is there any way to QA for potential bustage this might introduce? Can we get it landed soon to maximize beta coverage?
Comment 6 User image Brian Hackett (:bhackett) 2012-02-12 19:43:51 PST
I don't think there's any real risk for bustage here, per comment 2 --- the code patterns it affects will not show up in realistic code, e.g. this[x]++ in a constructor.
Comment 7 User image Gary Kwong [:gkw] [:nth10sd] 2012-02-29 11:33:26 PST
> User impact if declined: potential vulnerability

Setting sg:critical based on this.
Comment 8 User image Daniel Veditz [:dveditz] 2012-03-01 16:35:00 PST
This bug should land on ESR as well.
Comment 9 User image Lukas Blakk [:lsblakk] use ?needinfo 2012-03-01 16:36:10 PST
Comment on attachment 593666 [details] [diff] [review]

Please land this today in time for tomorrow's go-to-build.  See for details and ping me or email if there are any concerns about getting this landed in time.
Comment 10 User image Gary Kwong [:gkw] [:nth10sd] 2012-03-01 16:40:02 PST
Quickly landed on ESR to meet the March 2 build date:
Comment 11 User image Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2012-03-05 15:16:12 PST
Verified fixed in Firefox 10.0.3esr.
Comment 12 User image Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2012-03-07 14:17:52 PST
Verified fixed for Firefox 11.0b6 -- no assertion reproduced using test in comment 0 in js-shell built from today's mozilla-beta.
Comment 13 User image Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2012-04-04 15:34:28 PDT
Verified fixed for Firefox 12 using 12b4-based js-shell.
Comment 14 User image Christian Holler (:decoder) 2013-01-19 14:33:33 PST
Automatically extracted testcase for this bug was committed:

Note You need to log in before you can comment on or make changes to this bug.