Closed
Bug 740595
Opened 13 years ago
Closed 13 years ago
"Assertion failure: [infer failure] Missing type pushed 0:"
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
People
(Reporter: gkw, Assigned: bhackett1024)
References
Details
(Keywords: assertion, regression, testcase, Whiteboard: [sg:critical][qa!] js-triage-needed)
Attachments
(2 files)
|
4.64 KB,
text/plain
|
Details | |
|
1018 bytes,
patch
|
luke
:
review+
akeybl
:
approval-mozilla-aurora+
akeybl
:
approval-mozilla-beta+
akeybl
:
approval-mozilla-esr10+
|
Details | Diff | Splinter Review |
MLList.prototype.(Function)
asserts js debug shell on m-c changeset 92fe907ddac8 with -m, -a and -n at Assertion failure: [infer failure] Missing type pushed 0: [0xf7400180],
s-s because infer failures are bad, assuming worse case [sg:critical].
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: 76042:b769a2b79e6b
user: Brian Hackett
date: Fri Jul 15 10:14:07 2011 -0700
summary: [INFER] Lazily create type objects for singleton JS objects, bug 670185.
Updated•13 years ago
|
status-firefox-esr10:
--- → affected
status-firefox12:
--- → wontfix
status-firefox13:
--- → affected
status-firefox14:
--- → affected
tracking-firefox13:
--- → +
tracking-firefox14:
--- → +
Updated•13 years ago
|
tracking-firefox-esr10:
--- → 13+
| Assignee | ||
Comment 1•13 years ago
|
||
Treat FILTER/ENDFILTER as unknown. Sorry about the delay here.
Assignee: general → bhackett1024
Attachment #613384 -
Flags: review?(luke)
Comment 2•13 years ago
|
||
Comment on attachment 613384 [details] [diff] [review]
patch
http://mozillamemes.tumblr.com/post/20381316930/inspired-by-a-bugfix-which-caused-a
Attachment #613384 -
Flags: review?(luke) → review+
| Assignee | ||
Comment 3•13 years ago
|
||
| Assignee | ||
Comment 4•13 years ago
|
||
Comment on attachment 613384 [details] [diff] [review]
patch
[Approval Request Comment]
User impact if declined: Potential, difficult to exploit vulnerability.
Risk to taking this patch (and alternatives if risky): None.
Attachment #613384 -
Flags: approval-mozilla-esr10?
Attachment #613384 -
Flags: approval-mozilla-beta?
Attachment #613384 -
Flags: approval-mozilla-aurora?
| Assignee | ||
Comment 5•13 years ago
|
||
Comment 6•13 years ago
|
||
Since it's a small, safe fix we should take it on branches: a single-line testcase could easily be discovered by other people's fuzzers.
Comment 7•13 years ago
|
||
Comment on attachment 613384 [details] [diff] [review]
patch
(In reply to Daniel Veditz [:dveditz] from comment #6)
> Since it's a small, safe fix we should take it on branches: a single-line
> testcase could easily be discovered by other people's fuzzers.
Agreed. Approving for all branches.
Attachment #613384 -
Flags: approval-mozilla-esr10?
Attachment #613384 -
Flags: approval-mozilla-esr10+
Attachment #613384 -
Flags: approval-mozilla-beta?
Attachment #613384 -
Flags: approval-mozilla-beta+
Attachment #613384 -
Flags: approval-mozilla-aurora?
Attachment #613384 -
Flags: approval-mozilla-aurora+
Comment 8•13 years ago
|
||
Resolving fixed since it is on mozilla central.
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
| Reporter | ||
Comment 9•13 years ago
|
||
> Resolving fixed since it is on mozilla central.
http://hg.mozilla.org/mozilla-central/rev/d32163dc9902
Thanks for helping to resolve. It would be great if one could add the hgweb link of the landing on mozilla-central too. :)
Comment 10•13 years ago
|
||
JSBugMon: This bug has been automatically verified fixed.
Updated•13 years ago
|
Status: RESOLVED → VERIFIED
| Assignee | ||
Comment 11•13 years ago
|
||
Comment 12•13 years ago
|
||
(In reply to Christian Holler (:decoder) from comment #10)
> JSBugMon: This bug has been automatically verified fixed.
I love this tool.
| Assignee | ||
Comment 13•13 years ago
|
||
| Assignee | ||
Updated•13 years ago
|
Target Milestone: --- → mozilla12
Whiteboard: [sg:critical] js-triage-needed → [sg:critical][qa+] js-triage-needed
Comment 14•13 years ago
|
||
Verified fixed for esr10 using 2012-04-16 mozilla-esr10 js-shell
Updated•13 years ago
|
Group: core-security
Comment 15•13 years ago
|
||
Ubuntu 11.10 32bit
Verified that the testcase from comment #0 produces no assertion with latest mozilla-beta revision (8072115a9e89)
Marking verified for Firefox 13
Comment 16•13 years ago
|
||
Ubuntu 11.10 32bit
Verified that the testcase from comment #0 produces no assertion with Firefox 14 beta 6 (revision 89ec8943347a)
Marking verified for Firefox 14
Whiteboard: [sg:critical][qa+] js-triage-needed → [sg:critical][qa!] js-triage-needed
You need to log in
before you can comment on or make changes to this bug.
Description
•