Closed
Bug 805747
Opened 12 years ago
Closed 12 years ago
IonMonkey: Assertion failure: [barrier verifier] Unmarked edge: <unknown>,
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
mozilla19
Release | Tracking | Status |
---|---|---|
firefox16 | --- | unaffected |
firefox17 | --- | unaffected |
firefox18 | + | fixed |
firefox19 | + | fixed |
firefox-esr10 | --- | unaffected |
firefox-esr17 | --- | unaffected |
People
(Reporter: gkw, Assigned: dvander)
References
Details
(4 keywords, Whiteboard: [adv-main18-])
Attachments
(2 files)
2.42 KB, text/plain
1.04 KB, patch (djvj: review+, bajaj: approval-mozilla-aurora+, abillings: sec-approval+)
try {
  x = {}
  y = '';
  (function() {
    toString = (function() {
      x.s += y
    })
  })()
  print(this)
  Object.freeze(x)(verifyprebarriers())
} catch (e) {}
y = 'p'
for (m = 0, print; m < 9; ++m) {
  print(this)
}
asserts js debug and opt shell on m-c changeset 58c8080a1a7c with --ion-eager at Assertion failure: [barrier verifier] Unmarked edge: <unknown>,
s-s because older bugs with similar asserts have also been marked s-s, assuming sec-critical unless otherwise shown.
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: 111211:2583a19e59ef
user: Kannan Vijayan
date: Tue Oct 23 22:18:11 2012 -0400
summary: Bug 795801 - IC StrictPropertyOp setters in IonMonkey. (r=dvander)
Updated•12 years ago
Assignee: general → kvijayan
Updated•12 years ago
Keywords: sec-critical
Comment 3•12 years ago (Assignee)
Bug 795801 turned out to be a red herring. This is a pre-existing bug; the problem is that our setprop-add ICs don't respect an object's extensibility.
No longer blocks: 795801
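A conformance check for the diagnosis in comment 3, as an added example that is not part of the bug thread or the patch: it warms a property-add store site with extensible objects, then hands it a non-extensible object of the same layout and confirms the add is rejected. It goes beyond the testcase's `Object.freeze` to cover `Object.seal` and `Object.preventExtensions`; the names `strictAdd`, `sloppyAdd`, `probe`, `runChecks` and the warm-up count are assumptions.

```javascript
// Added example: all names here are hypothetical, not SpiderMonkey code.

// Strict-mode store site: a rejected property add must throw TypeError.
function strictAdd(obj, value) { 'use strict'; obj.s = value; }
// Sloppy-mode store site (Function-constructor bodies are non-strict):
// a rejected property add must be silently ignored.
const sloppyAdd = new Function('obj', 'value', 'obj.s = value;');

const LOCKS = {
  preventExtensions: Object.preventExtensions,
  seal: Object.seal,
  freeze: Object.freeze,
};

// Warm one store site with extensible objects so a JIT can attach an
// add-property cache, then pass it a locked object with the same layout.
function probe(store, lock, warmups) {
  for (let i = 0; i < warmups; i++) store({ a: 1 }, i);
  const target = lock({ a: 1 });
  let threw = false;
  try {
    store(target, 'p');
  } catch (e) {
    if (!(e instanceof TypeError)) throw e;
    threw = true;
  }
  return {
    threw,
    added: Object.prototype.hasOwnProperty.call(target, 's'),
    extensible: Object.isExtensible(target),
    keys: Object.keys(target).join(','),
  };
}

// Returns a list of human-readable failures; empty means conformant.
function runChecks(warmups = 20000) {
  const failures = [];
  for (const [name, lock] of Object.entries(LOCKS)) {
    const strict = probe(strictAdd, lock, warmups);
    const sloppy = probe(sloppyAdd, lock, warmups);
    if (!strict.threw) failures.push(`${name}: strict add did not throw`);
    if (sloppy.threw) failures.push(`${name}: sloppy add threw`);
    for (const r of [strict, sloppy]) {
      if (r.added || r.extensible || r.keys !== 'a')
        failures.push(`${name}: object changed (keys=${r.keys})`);
    }
  }
  return failures;
}
```

Run it under each JIT configuration being validated (for a JS shell, with and without eager compilation) and compare the returned lists; any non-empty result is a semantics regression.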
Comment 4•12 years ago (Assignee)
Attachment #677160 - Flags: review?(kvijayan)
Updated•12 years ago
Attachment #677160 - Flags: review?(kvijayan) → review+
Comment 5•12 years ago (Assignee)
Comment on attachment 677160: fix
[Security approval request comment]
How easily can the security issue be deduced from the patch?
Extremely difficult.
Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem?
No.
Which older supported branches are affected by this flaw?
Firefox 18.
If not all supported branches, which bug introduced the flaw?
IonMonkey.
Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be?
Yes.
How likely is this patch to cause regressions; how much testing does it need?
Extremely unlikely, if anything needs only performance testing.
Attachment #677160 - Flags: sec-approval?
Updated•12 years ago
Attachment #677160 - Flags: sec-approval? → sec-approval+
Updated•12 years ago
status-firefox-esr17: unaffected → ---
tracking-firefox18: --- → ?
Comment 6•12 years ago (Assignee)
Comment 7•12 years ago
Status: ASSIGNED → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla19
Updated•12 years ago
Status: RESOLVED → VERIFIED
Comment 8•12 years ago
JSBugMon: This bug has been automatically verified fixed.
Updated•12 years ago
Comment 9•12 years ago
(In reply to David Anderson [:dvander] from comment #6)
> https://hg.mozilla.org/integration/mozilla-inbound/rev/fb274a7b7b9d
Can we please uplift this on aurora, if it has got the needed bake time/testing?
Comment 10•12 years ago (Assignee)
Comment on attachment 677160: fix
[Approval Request Comment]
Bug caused by (feature/regressing bug #): IonMonkey
User impact if declined: Potential security bug
Testing completed (on m-c, etc.): Yes
Risk to taking this patch (and alternatives if risky): Extremely low
String or UUID changes made by this patch:
Attachment #677160 - Flags: approval-mozilla-aurora?
Updated•12 years ago
Attachment #677160 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Comment 11•12 years ago
Updated•12 years ago
status-firefox-esr17: --- → unaffected
Whiteboard: [adv-main18-]
Updated•12 years ago
Group: core-security