Bug 740595 - "Assertion failure: [infer failure] Missing type pushed 0:"
Status: VERIFIED FIXED
Whiteboard: [sg:critical][qa!] js-triage-needed
Keywords: assertion, regression, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Trunk
Platform: x86 Linux
Importance: -- critical
Target Milestone: mozilla12
Assigned To: Brian Hackett (:bhackett)
Blocks: jsfunfuzz js-differential-test 670185
Reported: 2012-03-29 14:09 PDT by Gary Kwong [:gkw] [:nth10sd]
Modified: 2013-03-11 07:26 PDT
choller: in‑testsuite-

Attachments
stack (4.64 KB, text/plain)
2012-03-29 14:09 PDT, Gary Kwong [:gkw] [:nth10sd]
no flags
patch (1018 bytes, patch)
2012-04-09 13:44 PDT, Brian Hackett (:bhackett)
luke: review+
akeybl: approval‑mozilla‑aurora+
akeybl: approval‑mozilla‑beta+
akeybl: approval‑mozilla‑esr10+

Description Gary Kwong [:gkw] [:nth10sd] 2012-03-29 14:09:56 PDT
Created attachment 610679
stack

XMLList.prototype.(Function)

asserts js debug shell on m-c changeset 92fe907ddac8 with -m, -a and -n at Assertion failure: [infer failure] Missing type pushed 0: [0xf7400180],

s-s because infer failures are bad, assuming worst case [sg:critical].

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   76042:b769a2b79e6b
user:        Brian Hackett
date:        Fri Jul 15 10:14:07 2011 -0700
summary:     [INFER] Lazily create type objects for singleton JS objects, bug 670185.
Comment 1 Brian Hackett (:bhackett) 2012-04-09 13:44:18 PDT
Created attachment 613384
patch

Treat FILTER/ENDFILTER as unknown.  Sorry about the delay here.
Comment 3 Brian Hackett (:bhackett) 2012-04-10 13:00:35 PDT
https://hg.mozilla.org/integration/mozilla-inbound/rev/d32163dc9902
Comment 4 Brian Hackett (:bhackett) 2012-04-10 13:01:14 PDT
Comment on attachment 613384
patch

[Approval Request Comment]
User impact if declined: Potential, difficult to exploit vulnerability.
Risk to taking this patch (and alternatives if risky): None.
Comment 5 Brian Hackett (:bhackett) 2012-04-11 09:19:33 PDT
https://hg.mozilla.org/mozilla-central/rev/d32163dc9902
Comment 6 Daniel Veditz [:dveditz] 2012-04-12 13:14:45 PDT
Since it's a small, safe fix we should take it on branches: a single-line testcase could easily be discovered by other people's fuzzers.
Comment 7 Alex Keybl [:akeybl] 2012-04-12 13:15:32 PDT
Comment on attachment 613384
patch

(In reply to Daniel Veditz [:dveditz] from comment #6)
> Since it's a small, safe fix we should take it on branches: a single-line
> testcase could easily be discovered by other people's fuzzers.

Agreed. Approving for all branches.
Comment 8 Al Billings [:abillings] 2012-04-12 16:34:41 PDT
Resolving fixed since it is on mozilla central.
Comment 9 Gary Kwong [:gkw] [:nth10sd] 2012-04-12 16:51:03 PDT
> Resolving fixed since it is on mozilla central.

http://hg.mozilla.org/mozilla-central/rev/d32163dc9902

Thanks for helping to resolve. It would be great if one could add the hgweb link of the landing on mozilla-central too. :)
Comment 10 Christian Holler (:decoder) 2012-04-12 17:17:30 PDT
JSBugMon: This bug has been automatically verified fixed.
Comment 12 Al Billings [:abillings] 2012-04-13 10:56:01 PDT
(In reply to Christian Holler (:decoder) from comment #10)
> JSBugMon: This bug has been automatically verified fixed.

I love this tool.
Comment 13 Brian Hackett (:bhackett) 2012-04-14 06:28:01 PDT
http://hg.mozilla.org/releases/mozilla-esr10/rev/cb77dd01451f
Comment 14 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2012-04-16 11:06:07 PDT
Verified fixed for esr10 using 2012-04-16 mozilla-esr10 js-shell
Comment 15 Mihaela Velimiroviciu (:mihaelav) 2012-05-22 05:48:25 PDT
Ubuntu 11.10 32bit

Verified that the testcase from comment #0 produces no assertion with latest mozilla-beta revision (8072115a9e89)

Marking verified for Firefox 13
Comment 16 Mihaela Velimiroviciu (:mihaelav) 2012-06-11 08:10:27 PDT
Ubuntu 11.10 32bit

Verified that the testcase from comment #0 produces no assertion with Firefox 14 beta 6 (revision 89ec8943347a)

Marking verified for Firefox 14
Comment 17 Christian Holler (:decoder) 2013-03-11 07:26:46 PDT
E4X has been removed, in-testsuite-.
