Last Comment Bug 720380 - Assertion failure: lastProperty()->hasSlot() && getSlot(lastProperty()->slot()).isUndefined(), at jsscope.cpp:1056
: Assertion failure: lastProperty()->hasSlot() && getSlot(lastProperty()->slot(...
Status: VERIFIED FIXED
[sg:critical][qa!] js-triage-done
: assertion, testcase
Product: Core
Classification: Components
Component: JavaScript Engine (show other bugs)
: Trunk
: x86_64 Linux
: -- critical (vote)
: mozilla13
Assigned To: Brian Hackett (:bhackett)
:
Mentors:
Depends on:
Blocks: langfuzz
  Show dependency treegraph
 
Reported: 2012-01-23 08:26 PST by Christian Holler (:decoder)
Modified: 2013-01-19 14:33 PST (History)
9 users (show)
choller: in‑testsuite+
See Also:
Crash Signature:
(edit)
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---
verified
verified
11+
verified
unaffected


Attachments
patch (1.36 KB, patch)
2012-02-01 17:18 PST, Brian Hackett (:bhackett)
dvander: review+
bugzilla: approval‑mozilla‑aurora+
bugzilla: approval‑mozilla‑beta+
lukasblakk+bugs: approval‑mozilla‑esr10+
Details | Diff | Review

Description Christian Holler (:decoder) 2012-01-23 08:26:37 PST
The following test asserts on mozilla-central revision 42368fe44c8c (options -m -n):


function MyObject( value ) {
  this.toBoolean = (this[ this.Function = this ]++ );
}
new MyObject(true);
Comment 1 Brian Hackett (:bhackett) 2012-02-01 17:18:42 PST
Created attachment 593666 [details] [diff] [review]
patch

When assignments to a property of 'this' are interleaved with other uses of 'this', information about all definite properties of objects created using that script need to be thrown out, as otherwise the definite slots found may be incorrect.  A premature return in AnalyzeNewScriptProperties when a pushed value is popped in multiple places prevented this from happening.
Comment 2 Brian Hackett (:bhackett) 2012-02-01 17:19:32 PST
Comment on attachment 593666 [details] [diff] [review]
patch

[Approval Request Comment]
Regression caused by (bug #): TI
User impact if declined: potential vulnerability
Risk to taking this patch (and alternatives if risky): low, logic bug in rare situation
Comment 3 Brian Hackett (:bhackett) 2012-02-06 11:19:00 PST
https://hg.mozilla.org/integration/mozilla-inbound/rev/cb324931ea22
Comment 4 Ed Morley [:emorley] 2012-02-07 12:14:12 PST
https://hg.mozilla.org/mozilla-central/rev/cb324931ea22
Comment 5 Johnathan Nightingale [:johnath] 2012-02-09 14:59:02 PST
Comment on attachment 593666 [details] [diff] [review]
patch

Discussed in triage, approved, but changes to JS always scare us - is there any way to QA for potential bustage this might introduce? Can we get it landed soon to maximize beta coverage?
Comment 6 Brian Hackett (:bhackett) 2012-02-12 19:43:51 PST
I don't think there's any real risk for bustage here, per comment 2 --- the code patterns it affects will not show up in realistic code, e.g. this[x]++ in a constructor.

https://hg.mozilla.org/releases/mozilla-aurora/rev/6b8c57dc160a
https://hg.mozilla.org/releases/mozilla-beta/rev/9f4a06e3fdb0
Comment 7 Gary Kwong [:gkw] [:nth10sd] 2012-02-29 11:33:26 PST
> User impact if declined: potential vulnerability

Setting sg:critical based on this.
Comment 8 Daniel Veditz [:dveditz] 2012-03-01 16:35:00 PST
This bug should land on ESR as well.
Comment 9 Lukas Blakk [:lsblakk] use ?needinfo 2012-03-01 16:36:10 PST
Comment on attachment 593666 [details] [diff] [review]
patch

Please land this today in time for tomorrow's go-to-build.  See https://wiki.mozilla.org/Release_Management/ESR_Landing_Process for details and ping me or email release-mgmt@mozilla.com if there are any concerns about getting this landed in time.
Comment 10 Gary Kwong [:gkw] [:nth10sd] 2012-03-01 16:40:02 PST
Quickly landed on ESR to meet the March 2 build date:

http://hg.mozilla.org/releases/mozilla-esr10/rev/081b50b02609
Comment 11 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2012-03-05 15:16:12 PST
Verified fixed in Firefox 10.0.3esr.
Comment 12 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2012-03-07 14:17:52 PST
Verified fixed for Firefox 11.0b6 -- no assertion reproduced using test in comment 0 in js-shell built from today's mozilla-beta.
Comment 13 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2012-04-04 15:34:28 PDT
Verified fixed for Firefox 12 using 12b4-based js-shell.
Comment 14 Christian Holler (:decoder) 2013-01-19 14:33:33 PST
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/efaf8960a929

Note You need to log in before you can comment on or make changes to this bug.