Closed
Bug 747926
Opened 11 years ago
Closed 11 years ago
Assertion failure: [infer failure] Missing type pushed 0: void, at jsinfer.cpp:352
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
mozilla15
| Tracking | Status | |
|---|---|---|
| firefox12 | --- | unaffected |
| firefox13 | + | fixed |
| firefox14 | + | fixed |
| firefox15 | + | fixed |
| firefox-esr10 | --- | unaffected |
People
(Reporter: decoder, Assigned: billm)
References
Details
(4 keywords, Whiteboard: [sg:critical] js-triage-needed [advisory-tracking+])
Attachments
(1 file)
|
1.80 KB,
patch
|
bhackett1024
:
review+
lsblakk
:
approval-mozilla-aurora+
lsblakk
:
approval-mozilla-beta+
|
Details | Diff | Splinter Review |
The following test asserts on mozilla-central revision 17af008937e3 (options -m -a -n):
a = 'a';
b = [,];
exhaustiveSliceTest("exhaustive slice test 1", a);
exhaustiveSliceTest("exhaustive slice test 2", b);
function exhaustiveSliceTest(testname, a){
x = 0
var y = 0;
countHeap();
for (y=a.length; y + a.length; y--)
var b = a.slice(x,y);
}
This one involves the shell-only function "countHeap", but I don't know if this is a shell-only bug or just revealing a real bug. Maybe related to bug 746150? S-s until triaged.
|
||
Comment 1•11 years ago
|
||
taking a guess that countHeap() shouldn't affect inference correctness and assigning sg:critical
Whiteboard: js-triage-needed → [sg:critical] js-triage-needed
|
||
Comment 2•11 years ago
|
||
autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: 86695:fbef6a165cf8 user: Bill McCloskey date: Fri Feb 10 18:32:08 2012 -0800 summary: Bug 723313 - Stop using conservative stack scanner for VM stack marking (r=luke,bhackett)
Keywords: regression
OS: Linux → All
|
|
||
Comment 3•11 years ago
|
||
Marking flags based on regression window in comment 2.
status-firefox-esr10:
--- → unaffected
status-firefox12:
--- → unaffected
status-firefox13:
--- → affected
status-firefox14:
--- → affected
status-firefox15:
--- → affected
tracking-firefox13:
--- → ?
tracking-firefox14:
--- → ?
tracking-firefox15:
--- → ?
|
||
Updated•11 years ago
|
|
Assignee | |
Comment 4•11 years ago
|
||
Here's the scenario: 1. Code sets y to 0. 2. GC happens. y is dead, so we overwrite it with undefined. 3. Code sets y to 1. As an optimization, it doesn't update the type tag. It incorrectly assumes it hasn't changed since step 1. The easiest thing to do is to leave the type tag alone in step 2 while fixing up any pointers. The only tags we actually need to worry about are object and string. And we can come up with a dummy string and a dummy object as replacements. The only concern is that this code shouldn't cause the dummy object to be leaked. For objects, I used the global as the dummy. Luke says that the stack frame shouldn't outlive its global, so this seems safe.
Assignee: general → wmccloskey
Status: NEW → ASSIGNED
Attachment #619797 -
Flags: review?(bhackett1024)
|
||
Updated•11 years ago
|
Attachment #619797 -
Flags: review?(bhackett1024) → review+
|
|
||
Updated•11 years ago
|
Keywords: sec-critical
|
|
Assignee | |
Comment 6•11 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/c296a4cfe0d6
Target Milestone: --- → mozilla15
|
|
Assignee | |
Comment 7•11 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/c296a4cfe0d6
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
|
Reporter | |
Comment 8•11 years ago
|
||
JSBugMon: This bug has been automatically verified fixed.
|
|
Reporter | |
Updated•11 years ago
|
Status: RESOLVED → VERIFIED
|
|
Assignee | |
Comment 9•11 years ago
|
||
Comment on attachment 619797 [details] [diff] [review] patch [Approval Request Comment] Regression caused by (bug #): bug 723313 User impact if declined: This may cause crashes or be exploitable. Testing completed (on m-c, etc.): On m-c. Risk to taking this patch (and alternatives if risky): Low. We used to overwrite a stack slot with a dummy value, now we overwrite it with a slightly different dummy value. String changes made by this patch: None
Attachment #619797 -
Flags: approval-mozilla-beta?
Attachment #619797 -
Flags: approval-mozilla-aurora?
|
||
Updated•11 years ago
|
Attachment #619797 -
Flags: approval-mozilla-beta?
Attachment #619797 -
Flags: approval-mozilla-beta+
Attachment #619797 -
Flags: approval-mozilla-aurora?
Attachment #619797 -
Flags: approval-mozilla-aurora+
|
|
Assignee | |
Comment 10•11 years ago
|
||
https://hg.mozilla.org/releases/mozilla-aurora/rev/6114cf84a407 https://hg.mozilla.org/releases/mozilla-beta/rev/7dfc84b36390
|
|
||
Updated•11 years ago
|
Group: core-security
|
||
Updated•11 years ago
|
Whiteboard: [sg:critical] js-triage-needed → [sg:critical] js-triage-needed [advisory-tracking+]
|
|
Reporter | |
Comment 13•10 years ago
|
||
A testcase for this bug was automatically identified at js/src/jit-test/tests/basic/bug747926.js.
Flags: in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•