Note: There are a few cases of duplicates in user autocompletion which are being worked on.

"Assertion failure: [infer failure] Missing type pushed 0:"

VERIFIED FIXED in Firefox 12

Status

()

Core
JavaScript Engine
--
critical
VERIFIED FIXED
5 years ago
4 years ago

People

(Reporter: gkw, Assigned: bhackett)

Tracking

(Blocks: 2 bugs, {assertion, regression, testcase})

Trunk
mozilla12
x86
Linux
assertion, regression, testcase
Points:
---
Dependency tree / graph
Bug Flags:
in-testsuite -

Firefox Tracking Flags

(firefox12+ fixed, firefox13+ verified, firefox14+ verified, firefox-esr1012+ verified)

Details

(Whiteboard: [sg:critical][qa!] js-triage-needed)

Attachments

(2 attachments)

(Reporter)

Description

5 years ago
Created attachment 610679 [details]
stack

XMLList.prototype.(Function)

asserts js debug shell on m-c changeset 92fe907ddac8 with -m, -a and -n at Assertion failure: [infer failure] Missing type pushed 0: [0xf7400180],

s-s because infer failures are bad, assuming worse case [sg:critical].

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   76042:b769a2b79e6b
user:        Brian Hackett
date:        Fri Jul 15 10:14:07 2011 -0700
summary:     [INFER] Lazily create type objects for singleton JS objects, bug 670185.
status-firefox-esr10: --- → affected
status-firefox12: --- → wontfix
status-firefox13: --- → affected
status-firefox14: --- → affected
tracking-firefox13: --- → +
tracking-firefox14: --- → +
tracking-firefox-esr10: --- → 13+
(Assignee)

Comment 1

5 years ago
Created attachment 613384 [details] [diff] [review]
patch

Treat FILTER/ENDFILTER as unknown.  Sorry about the delay here.
Assignee: general → bhackett1024
Attachment #613384 - Flags: review?(luke)

Comment 2

5 years ago
Comment on attachment 613384 [details] [diff] [review]
patch

http://mozillamemes.tumblr.com/post/20381316930/inspired-by-a-bugfix-which-caused-a
Attachment #613384 - Flags: review?(luke) → review+
(Assignee)

Comment 3

5 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/d32163dc9902
(Assignee)

Comment 4

5 years ago
Comment on attachment 613384 [details] [diff] [review]
patch

[Approval Request Comment]
User impact if declined: Potential, difficult to exploit vulnerability.
Risk to taking this patch (and alternatives if risky): None.
Attachment #613384 - Flags: approval-mozilla-esr10?
Attachment #613384 - Flags: approval-mozilla-beta?
Attachment #613384 - Flags: approval-mozilla-aurora?
(Assignee)

Comment 5

5 years ago
https://hg.mozilla.org/mozilla-central/rev/d32163dc9902
Since it's a small, safe fix we should take it on branches: a single-line testcase could easily be discovered by other people's fuzzers.
status-firefox12: wontfix → affected
tracking-firefox-esr10: 13+ → 12+
tracking-firefox12: --- → +

Comment 7

5 years ago
Comment on attachment 613384 [details] [diff] [review]
patch

(In reply to Daniel Veditz [:dveditz] from comment #6)
> Since it's a small, safe fix we should take it on branches: a single-line
> testcase could easily be discovered by other people's fuzzers.

Agreed. Approving for all branches.
Attachment #613384 - Flags: approval-mozilla-esr10?
Attachment #613384 - Flags: approval-mozilla-esr10+
Attachment #613384 - Flags: approval-mozilla-beta?
Attachment #613384 - Flags: approval-mozilla-beta+
Attachment #613384 - Flags: approval-mozilla-aurora?
Attachment #613384 - Flags: approval-mozilla-aurora+
Resolving fixed since it is on mozilla central.
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
(Reporter)

Comment 9

5 years ago
> Resolving fixed since it is on mozilla central.

http://hg.mozilla.org/mozilla-central/rev/d32163dc9902

Thanks for helping to resolve. It would be great if one could add the hgweb link of the landing on mozilla-central too. :)
JSBugMon: This bug has been automatically verified fixed.
Status: RESOLVED → VERIFIED
(Assignee)

Comment 11

5 years ago
https://hg.mozilla.org/releases/mozilla-aurora/rev/7dfac7263e72
https://hg.mozilla.org/releases/mozilla-beta/rev/0f0c508e014d
(In reply to Christian Holler (:decoder) from comment #10)
> JSBugMon: This bug has been automatically verified fixed.

I love this tool.
(Assignee)

Comment 13

5 years ago
http://hg.mozilla.org/releases/mozilla-esr10/rev/cb77dd01451f
(Assignee)

Updated

5 years ago
status-firefox-esr10: affected → fixed
status-firefox12: affected → fixed
status-firefox13: affected → fixed
status-firefox14: affected → fixed
Target Milestone: --- → mozilla12
Whiteboard: [sg:critical] js-triage-needed → [sg:critical][qa+] js-triage-needed
Verified fixed for esr10 using 2012-04-16 mozilla-esr10 js-shell
status-firefox-esr10: fixed → verified
Group: core-security
Ubuntu 11.10 32bit

Verified that the testcase from comment #0 produces no assertion with latest mozilla-beta revision (8072115a9e89)

Marking verified for Firefox 13
status-firefox13: fixed → verified
Ubuntu 11.10 32bit

Verified that the testcase from comment #0 produces no assertion with Firefox 14 beta 6 (revision 89ec8943347a)

Marking verified for Firefox 14
status-firefox14: fixed → verified
Whiteboard: [sg:critical][qa+] js-triage-needed → [sg:critical][qa!] js-triage-needed
E4X has been removed, in-testsuite-.
Flags: in-testsuite-
You need to log in before you can comment on or make changes to this bug.