Bug 755750 - Assertion failure: [infer failure] Missing type pushed 0: [0xf6c00180], at jsinfer.cpp:352
Status: VERIFIED FIXED
Whiteboard: [js:p1:fx16] [sg:critical] [jsbugmon:...
Keywords: assertion, regression, sec-critical, testcase
Product: Core
Classification: Components
Component: JavaScript Engine
Version: Trunk
Platform: x86 Linux
Importance: -- critical
Target Milestone: mozilla15
Assigned To: Brian Hackett (:bhackett)
Blocks: langfuzz 731398
Reported: 2012-05-16 08:03 PDT by Christian Holler (:decoder)
Modified: 2013-01-19 14:29 PST
CC: 9 users
Flags: choller: in-testsuite+

Attachments
patch (1.46 KB, patch), 2012-05-19 09:14 PDT, Brian Hackett (:bhackett)
  dvander: review+
  akeybl: approval-mozilla-aurora+
  akeybl: approval-mozilla-beta+

Description Christian Holler (:decoder) 2012-05-16 08:03:11 PDT
The following test asserts on mozilla-central revision 00c7a320165b (options -m -n):


test();
function test() {
  schedulegc(100);  // js shell builtin: request a GC after 100 allocations
  // Object initializer whose prototype is a function, so o.call resolves to
  // Function.prototype.call but o itself is not callable.
  var o = { __proto__: function(){} };
  // Each o.call(3) throws a TypeError; the loop just keeps the code hot
  // across the scheduled GC.
  for (var j = 0; j < 30000; ++j) { try { o.call(3); } catch (e) {  }  }
}


S-s due to infer failure and GC-relatedness.
Comment 1 Gary Kwong [:gkw] [:nth10sd] 2012-05-17 13:35:41 PDT
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   89922:149eff9b7b92
parent:      89911:d9491b6074a4
user:        Brian Hackett
date:        Wed Mar 21 07:37:43 2012 -0600
summary:     Use singleton types for global object initializers, bug 731398. r=dvander
Comment 2 Christian Holler (:decoder) 2012-05-17 13:39:49 PDT
The first bad revision is:
changeset:   89922:149eff9b7b92
parent:      89911:d9491b6074a4
user:        Brian Hackett
date:        Wed Mar 21 07:37:43 2012 -0600
summary:     Use singleton types for global object initializers, bug 731398. r=dvander
Comment 3 Brian Hackett (:bhackett) 2012-05-19 09:14:10 PDT
Created attachment 625418 [details] [diff] [review]
patch

Autobisect is wrong (conservative stack scanner); this is an older issue where, if the prototype of an initializer object is mutated and a GC is triggered before the code it was allocated in is analyzed, the old type object for the initializer can be collected and the information that its prototype has been mutated will be wiped out.
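The mechanism in comment 3 turns on three things the testcase in comment 0 puts together: an object initializer whose prototype is mutated by the `__proto__:` key in the literal, a GC landing before the enclosing code is analyzed, and a hot loop that keeps using the inherited property. The harness below is an added example, not code from the bug or from the SpiderMonkey tree: it rebuilds the same pattern in a host-portable way and checks the language semantics the testcase relies on (the prototype really is the function, `call` is inherited rather than own, and every `o.call(3)` fails with a TypeError). It assumes a `gc()` global if one is exposed (Node with `--expose-gc`, or a js shell); without it the loop still runs, only without a forced collection. On a fixed engine it reproduces nothing, by design; it is there to make clear what the original testcase exercises.

```javascript
// Added example (not from the bug report or the project). Portable harness
// around the testcase pattern from comment 0.

// Force a collection if the host exposes one; returns whether it could.
// Assumption: `gc` exists in `node --expose-gc` and in the SpiderMonkey shell.
function forceGc() {
  if (typeof gc === "function") { gc(); return true; }
  return false;
}

// Build the initializer object as the testcase does: the `__proto__:` key in
// the literal replaces the default Object.prototype with a function, so
// `o.call` resolves to Function.prototype.call while `o` itself is not callable.
function makeInitializer() {
  const proto = function () {};
  const o = { __proto__: proto };
  return { o, proto };
}

// Run the hot loop, forcing a GC at iteration `gcAt`, and tally outcomes.
// Each `o.call(3)` must throw a TypeError (Function.prototype.call invoked
// with a non-callable `this`); a call that returns or throws anything else
// is recorded as an anomaly so a test can assert on it.
function runLoop(iterations, gcAt) {
  const { o, proto } = makeInitializer();
  const result = {
    iterations,
    typeErrors: 0,
    otherErrors: 0,
    returned: 0,
    gcTriggered: false,
    // Semantics the testcase depends on:
    protoIsFunction: Object.getPrototypeOf(o) === proto,
    hasOwnCall: Object.prototype.hasOwnProperty.call(o, "call"),
  };
  for (let j = 0; j < iterations; ++j) {
    if (j === gcAt && forceGc()) result.gcTriggered = true;
    try {
      o.call(3);
      result.returned++;
    } catch (e) {
      if (e instanceof TypeError) result.typeErrors++;
      else result.otherErrors++;
    }
  }
  return result;
}

// Stand-alone usage: same shape as the original testcase, 30000 iterations.
const report = runLoop(30000, 100);
console.log(JSON.stringify(report));
```

`returned` or `otherErrors` being non-zero, or `hasOwnCall` being true, would mean the engine under test has lost track of where `call` comes from, which is the kind of type-information loss comment 3 describes; on a correct engine every counter except `typeErrors` stays at zero.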
Comment 4 Alex Keybl [:akeybl] 2012-05-21 16:28:43 PDT
sg:crit regression in FF14, so tracking for release.
Comment 5 Brian Hackett (:bhackett) 2012-05-21 20:30:53 PDT
https://hg.mozilla.org/integration/mozilla-inbound/rev/b26828182aea
Comment 6 Brian Hackett (:bhackett) 2012-05-21 20:31:34 PDT
Comment on attachment 625418 [details] [diff] [review]
patch

[Approval Request Comment]
Bug caused by (feature/regressing bug #): TI
User impact if declined: Potential, difficult to exploit vulnerability.
Risk to taking this patch (and alternatives if risky): None.
Comment 7 Christian Holler (:decoder) 2012-05-22 03:15:55 PDT
JSBugMon: The testcase found in this bug no longer reproduces (tried revision ce618ce8d84a).
Comment 8 Ed Morley [:emorley] 2012-05-22 05:18:47 PDT
https://hg.mozilla.org/mozilla-central/rev/b26828182aea
Comment 9 Christian Holler (:decoder) 2012-05-22 05:49:40 PDT
JSBugMon: This bug has been automatically verified fixed.
Comment 10 Alex Keybl [:akeybl] 2012-05-22 11:28:30 PDT
Comment on attachment 625418 [details] [diff] [review]
patch

[Triage Comment]
Low risk fix for an sg:crit - approved for Aurora 14 and Beta 13. Please land asap to make it into Beta 5 (going to build today).
Comment 12 Anthony Hughes (:ashughes) [GFX][QA][Mentor] 2012-06-22 14:30:54 PDT
Verified fixed with Firefox 15.0a2 2012-06-22 debug shell.
Comment 13 Christian Holler (:decoder) 2013-01-19 14:29:35 PST
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/efaf8960a929