Closed
Bug 740595
Opened 12 years ago
Closed 12 years ago
"Assertion failure: [infer failure] Missing type pushed 0:"
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
People
(Reporter: gkw, Assigned: bhackett1024)
References
Details
(Keywords: assertion, regression, testcase, Whiteboard: [sg:critical][qa!] js-triage-needed)
Attachments
(2 files)
4.64 KB,
text/plain
|
Details | |
1018 bytes,
patch
|
luke
:
review+
akeybl
:
approval-mozilla-aurora+
akeybl
:
approval-mozilla-beta+
akeybl
:
approval-mozilla-esr10+
|
Details | Diff | Splinter Review |
MLList.prototype.(Function) asserts js debug shell on m-c changeset 92fe907ddac8 with -m, -a and -n at Assertion failure: [infer failure] Missing type pushed 0: [0xf7400180], s-s because infer failures are bad, assuming worse case [sg:critical]. autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: 76042:b769a2b79e6b user: Brian Hackett date: Fri Jul 15 10:14:07 2011 -0700 summary: [INFER] Lazily create type objects for singleton JS objects, bug 670185.
Updated•12 years ago
|
status-firefox-esr10:
--- → affected
status-firefox12:
--- → wontfix
status-firefox13:
--- → affected
status-firefox14:
--- → affected
tracking-firefox13:
--- → +
tracking-firefox14:
--- → +
Updated•12 years ago
|
tracking-firefox-esr10:
--- → 13+
Assignee | ||
Comment 1•12 years ago
|
||
Treat FILTER/ENDFILTER as unknown. Sorry about the delay here.
Assignee: general → bhackett1024
Attachment #613384 -
Flags: review?(luke)
Comment 2•12 years ago
|
||
Comment on attachment 613384 [details] [diff] [review] patch http://mozillamemes.tumblr.com/post/20381316930/inspired-by-a-bugfix-which-caused-a
Attachment #613384 -
Flags: review?(luke) → review+
Assignee | ||
Comment 3•12 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/d32163dc9902
Assignee | ||
Comment 4•12 years ago
|
||
Comment on attachment 613384 [details] [diff] [review] patch [Approval Request Comment] User impact if declined: Potential, difficult to exploit vulnerability. Risk to taking this patch (and alternatives if risky): None.
Attachment #613384 -
Flags: approval-mozilla-esr10?
Attachment #613384 -
Flags: approval-mozilla-beta?
Attachment #613384 -
Flags: approval-mozilla-aurora?
Assignee | ||
Comment 5•12 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/d32163dc9902
Comment 6•12 years ago
|
||
Since it's a small, safe fix we should take it on branches: a single-line testcase could easily be discovered by other people's fuzzers.
Comment 7•12 years ago
|
||
Comment on attachment 613384 [details] [diff] [review] patch (In reply to Daniel Veditz [:dveditz] from comment #6) > Since it's a small, safe fix we should take it on branches: a single-line > testcase could easily be discovered by other people's fuzzers. Agreed. Approving for all branches.
Attachment #613384 -
Flags: approval-mozilla-esr10?
Attachment #613384 -
Flags: approval-mozilla-esr10+
Attachment #613384 -
Flags: approval-mozilla-beta?
Attachment #613384 -
Flags: approval-mozilla-beta+
Attachment #613384 -
Flags: approval-mozilla-aurora?
Attachment #613384 -
Flags: approval-mozilla-aurora+
Comment 8•12 years ago
|
||
Resolving fixed since it is on mozilla central.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Reporter | ||
Comment 9•12 years ago
|
||
> Resolving fixed since it is on mozilla central. http://hg.mozilla.org/mozilla-central/rev/d32163dc9902 Thanks for helping to resolve. It would be great if one could add the hgweb link of the landing on mozilla-central too. :)
Comment 10•12 years ago
|
||
JSBugMon: This bug has been automatically verified fixed.
Updated•12 years ago
|
Status: RESOLVED → VERIFIED
Assignee | ||
Comment 11•12 years ago
|
||
https://hg.mozilla.org/releases/mozilla-aurora/rev/7dfac7263e72 https://hg.mozilla.org/releases/mozilla-beta/rev/0f0c508e014d
Comment 12•12 years ago
|
||
(In reply to Christian Holler (:decoder) from comment #10) > JSBugMon: This bug has been automatically verified fixed. I love this tool.
Assignee | ||
Comment 13•12 years ago
|
||
http://hg.mozilla.org/releases/mozilla-esr10/rev/cb77dd01451f
Assignee | ||
Updated•12 years ago
|
Target Milestone: --- → mozilla12
Whiteboard: [sg:critical] js-triage-needed → [sg:critical][qa+] js-triage-needed
Comment 14•12 years ago
|
||
Verified fixed for esr10 using 2012-04-16 mozilla-esr10 js-shell
Updated•12 years ago
|
Group: core-security
Comment 15•12 years ago
|
||
Ubuntu 11.10 32bit Verified that the testcase from comment #0 produces no assertion with latest mozilla-beta revision (8072115a9e89) Marking verified for Firefox 13
Comment 16•12 years ago
|
||
Ubuntu 11.10 32bit Verified that the testcase from comment #0 produces no assertion with Firefox 14 beta 6 (revision 89ec8943347a) Marking verified for Firefox 14
Whiteboard: [sg:critical][qa+] js-triage-needed → [sg:critical][qa!] js-triage-needed
You need to log in
before you can comment on or make changes to this bug.
Description
•