JM: Assertion failure: !isTypeKnown(), at ../methodjit/RematInfo.h:167

RESOLVED FIXED

Status


Core
JavaScript Engine
--
critical
RESOLVED FIXED
7 years ago
7 years ago

People

(Reporter: jandem, Assigned: dvander)

Tracking

unspecified
x86
Mac OS X
Points:
---

Firefox Tracking Flags

(blocking2.0 .x+)

Details

(Whiteboard: fixed-in-tracemonkey)

Attachments

(1 attachment)

(Reporter)

Description

7 years ago
This test case:
---
function f() {
    // Zero-length typed array, so every element index is out of bounds.
    var a = new Int32Array();

    for (var i = 0; i < 10; i++) {
        // Store a string ("null") into a typed-array element.
        a[4] = "" + null;
    }
}

f();
---
Triggers this assert with -m:

Assertion failure: !isTypeKnown(), at ../methodjit/RematInfo.h:167
(Reporter)

Comment 1

7 years ago
Btw, this does not crash in a release build. But using the wrong type tag (?) may be exploitable somehow, so marking security sensitive to be safe.
(Assignee)

Updated

7 years ago
blocking2.0: --- → .x
(Assignee)

Comment 2

7 years ago
Created attachment 502608 [details] [diff] [review]
fix

Thanks for the precaution, Jan. Silly bug, I forgot to eliminate the type guard if the type is known. The only security implication is that with some acrobatics you could get the address of any GC thing as an integer. But there's no arbitrary reads or writes.
Assignee: general → dvander
Status: NEW → ASSIGNED
Attachment #502608 - Flags: review?(cdleary)
Attachment #502608 - Flags: review?(cdleary) → review+
(Assignee)

Comment 3

7 years ago
http://hg.mozilla.org/tracemonkey/rev/64139fb1b3fe
Whiteboard: fixed-in-tracemonkey
Group: core-security
http://hg.mozilla.org/mozilla-central/rev/64139fb1b3fe
Status: ASSIGNED → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → FIXED