Assertion failure: [infer failure] Missing type pushed 0: [0xf6c00180], at jsinfer.cpp:352

VERIFIED FIXED in Firefox 13

Status

Core
JavaScript Engine
--
critical
VERIFIED FIXED
5 years ago
4 years ago

People

(Reporter: decoder, Assigned: bhackett)

Tracking

(Blocks: 1 bug, 4 keywords)

Trunk
mozilla15
x86
Linux
assertion, regression, sec-critical, testcase
Points:
---
Dependency tree / graph
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(firefox12 unaffected, firefox13 fixed, firefox14+ fixed, firefox15+ verified, firefox-esr10 unaffected)

Details

(Whiteboard: [js:p1:fx16] [sg:critical] [jsbugmon:update,ignore][advisory-tracking+])

Attachments

(1 attachment)

(Reporter)

Description

5 years ago
The following test asserts on mozilla-central revision 00c7a320165b (options -m -n):

test();
function test() {
  schedulegc(100);                        // JS shell builtin: schedule a GC after 100 allocations
  var o = { __proto__: function(){} };    // object initializer whose prototype is mutated via __proto__
  // Hot loop so the function gets analyzed/compiled (-m -n). o.call resolves to
  // Function.prototype.call through the mutated chain and throws, since o is not callable.
  for (var j = 0; j < 30000; ++j) { try { o.call(3); } catch (e) {  }  }
}

S-s due to infer failure and GC-relatedness.
Assignee: general → wmccloskey
Keywords: sec-critical
Whiteboard: js-triage-needed [jsbugmon:update] → [js:p1:fx16][jsbugmon:update][sg:critical]
Keywords: regressionwindow-wanted
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   89922:149eff9b7b92
parent:      89911:d9491b6074a4
user:        Brian Hackett
date:        Wed Mar 21 07:37:43 2012 -0600
summary:     Use singleton types for global object initializers, bug 731398. r=dvander
Blocks: 731398
Keywords: regressionwindow-wanted → regression
status-firefox-esr10: --- → unaffected
status-firefox12: --- → unaffected
status-firefox13: --- → unaffected
tracking-firefox14: --- → ?
tracking-firefox15: --- → ?
(Reporter)

Comment 2

5 years ago
The first bad revision is:
changeset:   89922:149eff9b7b92
parent:      89911:d9491b6074a4
user:        Brian Hackett
date:        Wed Mar 21 07:37:43 2012 -0600
summary:     Use singleton types for global object initializers, bug 731398. r=dvander
Created attachment 625418 [details] [diff] [review]
patch

Autobisect is wrong (conservative stack scanner), this is an older issue where if the prototype of an initializer object is mutated and a GC triggered before the code it was allocated in is analyzed, the old type object for the initializer can be collected and the information that its prototype has been mutated will be wiped out.
Assignee: wmccloskey → bhackett1024
Attachment #625418 - Flags: review?(dvander)
Attachment #625418 - Flags: review?(dvander) → review+

Comment 4

5 years ago
sg:crit regression in FF14, so tracking for release.
tracking-firefox14: ? → +
tracking-firefox15: ? → +
https://hg.mozilla.org/integration/mozilla-inbound/rev/b26828182aea
Comment on attachment 625418 [details] [diff] [review]
patch

[Approval Request Comment]
Bug caused by (feature/regressing bug #): TI
User impact if declined: Potential, difficult to exploit vulnerability.
Risk to taking this patch (and alternatives if risky): None.
Attachment #625418 - Flags: approval-mozilla-beta?
Attachment #625418 - Flags: approval-mozilla-aurora?
(Reporter)

Comment 7

5 years ago
JSBugMon: The testcase found in this bug no longer reproduces (tried revision ce618ce8d84a).
(Reporter)

Updated

5 years ago
Whiteboard: [js:p1:fx16][jsbugmon:update][sg:critical] → [js:p1:fx16] [sg:critical] [jsbugmon:update,ignore]
https://hg.mozilla.org/mozilla-central/rev/b26828182aea
Status: NEW → RESOLVED
Last Resolved: 5 years ago
status-firefox15: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla15
(Reporter)

Comment 9

5 years ago
JSBugMon: This bug has been automatically verified fixed.
(Reporter)

Updated

5 years ago
Status: RESOLVED → VERIFIED
Comment on attachment 625418 [details] [diff] [review]
patch

[Triage Comment]
Low risk fix for an sg:crit - approved for Aurora 14 and Beta 13. Please land asap to make it into Beta 5 (going to build today).
Attachment #625418 - Flags: approval-mozilla-beta?
Attachment #625418 - Flags: approval-mozilla-beta+
Attachment #625418 - Flags: approval-mozilla-aurora?
Attachment #625418 - Flags: approval-mozilla-aurora+
https://hg.mozilla.org/releases/mozilla-aurora/rev/cb1661106d95
https://hg.mozilla.org/releases/mozilla-beta/rev/a1ff8cc41063
status-firefox13: unaffected → fixed
status-firefox14: --- → fixed
Whiteboard: [js:p1:fx16] [sg:critical] [jsbugmon:update,ignore] → [js:p1:fx16] [sg:critical] [jsbugmon:update,ignore][advisory-tracking+]
Verified fixed with Firefox 15.0a2 2012-06-22 debug shell.
status-firefox15: fixed → verified
Group: core-security
(Reporter)

Comment 13

4 years ago
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+