Closed
Bug 755916
Opened 13 years ago
Closed 13 years ago
Assertion failure: enumerators == cx->enumerators,
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
mozilla15
Release | Tracking | Status |
---|---|---|
firefox13 | --- | unaffected |
firefox14 | + | affected |
firefox15 | + | fixed |
firefox-esr10 | --- | unaffected |
People
(Reporter: gkw, Assigned: luke)
References
Details
(4 keywords, Whiteboard: [sg:critical] [js:p1:fx15][advisory-tracking+])
Attachments
(2 files)
20.58 KB, text/plain
1.23 KB, patch (bhackett1024: review+)
```js
Object.defineProperty(this, "t2", {
  get: function() {
    for (p in h2) {
      t2
    }
  }
})
h2 = {}
mjitChunkLimit(8)
h2.a = function() {}
Object(t2)
```
asserts js 64-bit debug shell on m-c changeset 65fb8b9ea0b7 with -m and -n at Assertion failure: enumerators == cx->enumerators,
Asserts on Windows 7 but apparently not on Mac OS X 10.7.
Setting s-s because I'm not sure if this is sensitive, 64-bit js shell fuzzing on Windows 7 was only turned on recently.
Reporter
Comment 1•13 years ago
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: 92285:c4c1511bafbd
user: Luke Wagner
date: Fri Apr 13 18:06:40 2012 -0700
summary: Bug 746843 - change StackFrame::scopeChain() to return a HandleObject (r=bhackett)
Blocks: 746843
Assignee
Comment 2•13 years ago
Err, I don't know how I missed this one when I fixed the early return directly below it...
Assignee
Updated•13 years ago
Whiteboard: js-triage-needed → js-triage-done
Updated•13 years ago
Keywords: sec-critical
Whiteboard: js-triage-done → [sg:critical] [js:p1:fx15]
Comment 3•13 years ago
> Luke Wagner [:luke] 2012-05-16 17:47:37 PDT
> No longer blocks: 746843
Is that a mid-air, or do you mean to say that this is not a regression from bug 746843? If so, do you know what it's a regression from, or is it not a regression?
If it /is/ a regression from that bug then this should not affect Firefox 13 or ESR-10, but does affect 14 and later.
status-firefox-esr10: --- → unaffected
status-firefox13: --- → unaffected
status-firefox14: --- → affected
status-firefox15: --- → affected
tracking-firefox14: --- → +
tracking-firefox15: --- → +
Updated•13 years ago
Attachment #624607 - Flags: review?(bhackett1024) → review+
Assignee
Comment 4•13 years ago
This bug results from us hitting the C stack limit at just the right place, so all bug 746843 did was perturb the stack frame size a bit in debug builds so that the stars aligned to hit the limit at the right check. Thus, there probably exists some test case that goes back to the original bug 732744 that asserted the invariant.
Blocks: 732744
Assignee
Comment 5•13 years ago
Target Milestone: --- → mozilla15
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Flags: in-testsuite+
Comment 7•13 years ago
JSBugMon: This bug has been automatically verified fixed.
Updated•13 years ago
Status: RESOLVED → VERIFIED
Comment 8•13 years ago
Fixing bug 735082 would make it easier to find bugs like this, and easier to make reliable regression tests for them.
No longer blocks: 732744
Updated•13 years ago
Whiteboard: [sg:critical] [js:p1:fx15] → [sg:critical] [js:p1:fx15][advisory-tracking+]
Updated•12 years ago
Group: core-security