Closed Bug 624518 Opened 13 years ago Closed 13 years ago

JM: Assertion failure: !isTypeKnown(), at ../methodjit/RematInfo.h:167

Categories

(Core :: JavaScript Engine, defect)

Product:
Core
Component:
JavaScript Engine
Platform:
x86
macOS
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

()

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
blocking2.0 --- .x+

People

(Reporter: jandem, Assigned: dvander)

References

Details

(Whiteboard: fixed-in-tracemonkey)

Attachments

(1 file)

fix
1.77 KB, patch
cdleary
: review+
Details | Diff | Splinter Review 
This test case:
---
function f() {
    var a = new Int32Array();

    for (var i = 0; i < 10; i++) {
        a[4] = "" + null;
    }
}

f();
---
Triggers this assert with -m:

Assertion failure: !isTypeKnown(), at ../methodjit/RematInfo.h:167
Btw, this does not crash in a release build. But using the wrong type tag (?) may be exploitable somehow, so marking security sensitive to be safe.
blocking2.0: --- → .x
Attached patch fixSplinter Review 
Thanks for the precaution, Jan. Silly bug, I forgot to eliminate the type guard if the type is known. The only security implication is that with some acrobatics you could get the address of any GC thing as an integer. But there's no arbitrary reads or writes.
Assignee: general → dvander
Status: NEW → ASSIGNED
Attachment #502608 - Flags: review?(cdleary)
Attachment #502608 - Flags: review?(cdleary) → review+
Group: core-security
http://hg.mozilla.org/mozilla-central/rev/64139fb1b3fe
Status: ASSIGNED → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.