Closed Bug 755750 Opened 8 years ago Closed 8 years ago

Assertion failure: [infer failure] Missing type pushed 0: [0xf6c00180], at jsinfer.cpp:352

Categories

(Core :: JavaScript Engine, defect, critical)

x86
Linux
defect
Not set
critical

Tracking


VERIFIED FIXED
mozilla15
Tracking Status
firefox12 --- unaffected
firefox13 --- fixed
firefox14 + fixed
firefox15 + verified
firefox-esr10 --- unaffected

People

(Reporter: decoder, Assigned: bhackett1024)

References

(Blocks 1 open bug)

Details

(4 keywords, Whiteboard: [js:p1:fx16] [sg:critical] [jsbugmon:update,ignore][advisory-tracking+])

Attachments

(1 file)

The following test asserts on mozilla-central revision 00c7a320165b (options -m -n):


test();
function test() {
  schedulegc(100);                       // JS shell builtin: schedule a GC after 100 allocations
  var o = { __proto__: function(){} };   // object initializer whose prototype is mutated to a function
  for (var j = 0; j < 30000; ++j) { try { o.call(3); } catch (e) {  }  }
}


S-s due to infer failure and GC-relatedness.
Assignee: general → wmccloskey
Keywords: sec-critical
Whiteboard: js-triage-needed [jsbugmon:update] → [js:p1:fx16][jsbugmon:update][sg:critical]
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   89922:149eff9b7b92
parent:      89911:d9491b6074a4
user:        Brian Hackett
date:        Wed Mar 21 07:37:43 2012 -0600
summary:     Use singleton types for global object initializers, bug 731398. r=dvander
Attached patch: patch
Autobisect is wrong (conservative stack scanner); this is an older issue where, if the prototype of an initializer object is mutated and a GC is triggered before the code it was allocated in is analyzed, the old type object for the initializer can be collected and the information that its prototype has been mutated will be wiped out.
Assignee: wmccloskey → bhackett1024
Attachment #625418 - Flags: review?(dvander)
Attachment #625418 - Flags: review?(dvander) → review+
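As an added illustration, not SpiderMonkey code and not the attached patch, the following toy model reproduces the failure mode described in the comment above: a per-initializer-site type record carries a "prototype was mutated" flag, a GC can collect that record before the allocating script is analyzed, and analysis then recreates the record with the flag silently reset. The `pinUnanalyzed` switch is an assumed fix shape for the model only (keep the record reachable until analysis has consumed it); the real patch is not shown on this page.

```javascript
// Toy model of "type object collected before its script is analyzed".
// Names (TypeRecord, Engine, site#1) are constructed for this example.
class TypeRecord {
  constructor(site) { this.site = site; this.protoMutated = false; this.analyzed = false; }
}

class Engine {
  constructor(pinUnanalyzed) {
    this.pinUnanalyzed = pinUnanalyzed; // assumed fix: root records until analyzed
    this.records = new Map();           // allocation site -> TypeRecord
    this.roots = new Set();             // records the GC must not collect
  }
  allocate(site) {                      // models `var o = { ... }` at one site
    const rec = this.records.get(site) ?? new TypeRecord(site);
    this.records.set(site, rec);
    if (this.pinUnanalyzed) this.roots.add(rec);
    return { site, proto: 'Object.prototype' };
  }
  setProto(obj, proto) {                // models `__proto__: function(){}`
    obj.proto = proto;
    const rec = this.records.get(obj.site);
    if (rec) rec.protoMutated = true;   // fact lives only in the type record
  }
  gc() {                                // models the GC scheduled by schedulegc()
    for (const [site, rec] of this.records) {
      if (!this.roots.has(rec)) this.records.delete(site); // unrooted record dies
    }
  }
  analyze(site) {                       // models later analysis of the script
    // If the old record was collected, a fresh one defaults protoMutated to
    // false: the engine now believes the initializer's prototype is untouched.
    const rec = this.records.get(site) ?? new TypeRecord(site);
    rec.analyzed = true;
    this.roots.delete(rec);
    this.records.set(site, rec);
    return rec.protoMutated;
  }
}

// Returns whether analysis still knows the prototype was mutated after a GC
// that ran before analysis. false = the information was wiped out.
function knowsProtoMutatedAfterGC(pinUnanalyzed) {
  const eng = new Engine(pinUnanalyzed);
  const o = eng.allocate('site#1');
  eng.setProto(o, 'Function.prototype');
  eng.gc();
  return eng.analyze('site#1');
}
```

The invariant the model makes visible is that any metadata another phase will later depend on must stay reachable for as long as that dependency exists; a conservative stack scanner keeping it alive by chance (which is what misled autobisect here) is not a substitute.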
sg:crit regression in FF14, so tracking for release.
Comment on attachment 625418 (patch)

[Approval Request Comment]
Bug caused by (feature/regressing bug #): TI
User impact if declined: Potential, difficult to exploit vulnerability.
Risk to taking this patch (and alternatives if risky): None.
Attachment #625418 - Flags: approval-mozilla-beta?
Attachment #625418 - Flags: approval-mozilla-aurora?
JSBugMon: The testcase found in this bug no longer reproduces (tried revision ce618ce8d84a).
Whiteboard: [js:p1:fx16][jsbugmon:update][sg:critical] → [js:p1:fx16] [sg:critical] [jsbugmon:update,ignore]
https://hg.mozilla.org/mozilla-central/rev/b26828182aea
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla15
JSBugMon: This bug has been automatically verified fixed.
Status: RESOLVED → VERIFIED
Comment on attachment 625418 (patch)

[Triage Comment]
Low risk fix for an sg:crit - approved for Aurora 14 and Beta 13. Please land asap to make it into Beta 5 (going to build today).
Attachment #625418 - Flags: approval-mozilla-beta?
Attachment #625418 - Flags: approval-mozilla-beta+
Attachment #625418 - Flags: approval-mozilla-aurora?
Attachment #625418 - Flags: approval-mozilla-aurora+
Whiteboard: [js:p1:fx16] [sg:critical] [jsbugmon:update,ignore] → [js:p1:fx16] [sg:critical] [jsbugmon:update,ignore][advisory-tracking+]
Verified fixed with Firefox 15.0a2 2012-06-22 debug shell.
Group: core-security
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+