Closed Bug 810925 Opened 13 years ago Closed 13 years ago

IonMonkey: Assertion failure: [barrier verifier] Unmarked edge: <unknown>, at js/src/jsgc.cpp:5437

Categories

(Core :: JavaScript Engine, defect)

x86_64
Linux
defect
Not set
critical

Tracking

VERIFIED FIXED
mozilla19
Tracking Status
firefox17 --- unaffected
firefox18 + fixed
firefox19 + fixed
firefox-esr10 --- unaffected
firefox-esr17 --- unaffected

People

(Reporter: decoder, Assigned: dvander)

Details

(Keywords: assertion, sec-critical, testcase, Whiteboard: [jsbugmon:update,ignore][adv-main18-])

Attachments

(1 file)

The following testcase asserts on mozilla-central revision b2bdbfe06b10 (run with --ion-eager):

var actual = '';
function reportCompare (expected, actual, description) {
  var testcase = new TestCase("unknown-test-name", description, expected, actual);
  try {
  } catch(ex) {
  }
}
var lfcode = new Array();
lfcode.push("0");
lfcode.push("var expect = 'No Error';");
lfcode.push("\
function TestCase(n, d, e, a) {\
  this.description=(Math.E = this) \
}\
re = /0./;\
s = 10203040506070809000;\
AddRegExpCases(re, \"re = \" + re , s, String(s), 1, [\"02\"]);\
function AddRegExpCases(\
  regexp, str_regexp, string, str_string, index, matches_array ) {\
  gczeal(4);\
}\
var date = new Date(\"06/05/2005 00:00:00 GMT-0000\");\
reportCompare(expect, actual, 'Date.toLocaleFormat(\"%A\")');\
reportCompare(expect, actual, 'Date.toLocaleFormat(\"%b\")');\
reportCompare(expect, actual, 'Date.toLocaleFormat(\"%B\")');\
reportCompare(expect, actual, 'Date.toLocaleFormat(\"%d\")');\
reportCompare(expect, actual, 'Date.toLocaleFormat(%H)');\
");
while (true) {
  var file = lfcode.shift();
  if (file == undefined) { break; }
  loadFile(file)
}
function loadFile(lfVarx) {
  if (lfVarx.substr(-3) == ".js") {
  } else if (!isNaN(lfVarx)) {
    lfRunTypeId = parseInt(lfVarx);
  } else {
    switch (lfRunTypeId) {
      default: evaluate(lfVarx); break;
    }
  }
}
S-s because this is GC related.
Blocks: IonFuzz
Whiteboard: [jsbugmon:update,bisect]
Attached patch: fix
I missed this case when fixing bug 805747.
Assignee: general → dvander
Status: NEW → ASSIGNED
Attachment #680745 - Flags: review?(kvijayan)
Attachment #680745 - Flags: review?(kvijayan) → review+
Comment on attachment 680745 (fix)

[Security approval request comment]
How easily can the security issue be deduced from the patch? Not easily.
Do comments in the patch, the check-in comment, or tests included in the patch paint a bulls-eye on the security problem? No.
Which older supported branches are affected by this flaw? Firefox 18.
If not all supported branches, which bug introduced the flaw? IonMonkey.
Do you have backports for the affected branches? If not, how different, hard to create, and risky will they be? This patch should apply to Firefox 18.
How likely is this patch to cause regressions; how much testing does it need? Very unlikely; very little.
Attachment #680745 - Flags: sec-approval?
Attachment #680745 - Flags: sec-approval? → sec-approval+
Assuming sec-critical given the sec-approval nom, and the rating of bug 805747
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset: 111211:2583a19e59ef
user: Kannan Vijayan
date: Tue Oct 23 22:18:11 2012 -0400
summary: Bug 795801 - IC StrictPropertyOp setters in IonMonkey. (r=dvander)

This iteration took 0.298 seconds to run.
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
JSBugMon: The testcase found in this bug no longer reproduces (tried revision a7ed19f7d21a).
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla19
Status: RESOLVED → VERIFIED
JSBugMon: This bug has been automatically verified fixed.
Comment on attachment 680745 (fix)

[Approval Request Comment]
Bug caused by (feature/regressing bug #): IonMonkey
User impact if declined: Potential security bug
Testing completed (on m-c, etc.): Yes
Risk to taking this patch (and alternatives if risky): Almost none
String or UUID changes made by this patch:
Attachment #680745 - Flags: approval-mozilla-aurora?
Comment on attachment 680745 (fix)

[Triage Comment]
Low risk fix for a sec-critical IonMonkey regression. If this is landed on mozilla-aurora before ~11AM PT tomorrow, this will make the merge from Aurora 18 to Beta 18. If landed 11AM-5PM PT tomorrow on mozilla-beta, it will make the first FF18 Beta. If landed after that, it will end up in the second FF18 beta.
Attachment #680745 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:update,ignore][adv-main18-]
Can this be put in testsuite?
Flags: in-testsuite?
Group: core-security