Assertion failure: [infer failure] Missing type pushed 0: string, at jsinfer.cpp:352

VERIFIED FIXED in Firefox 12

Status

Product: Core
Component: JavaScript Engine
Severity: critical
Status: VERIFIED FIXED
Reported: 6 years ago
Modified: 4 years ago

People

(Reporter: decoder, Assigned: bhackett)

Tracking

(Blocks: 1 bug, {assertion, regression, testcase})

Version: Trunk
Target Milestone: mozilla12
Platform: x86 Linux
Bug Flags:
in-testsuite -

Firefox Tracking Flags

(firefox11 unaffected, firefox12+ fixed, firefox13+ fixed, firefox-esr10 unaffected, status1.9.2 unaffected)

Details

(Whiteboard: [sg:critical] js-triage-needed)

Attachments

(1 attachment)

(Reporter)

Description

6 years ago
The following test crashes on mozilla-central revision a71b7cea4577 (options -m -a -n):


function test() {
  try {
    for ( var i = 0 in test() ) return x;
  } catch (e) {
    if (i !== ("str"))
      return "wat";
  }
}
test();


Comment 1

S-s because infer failures can indicate a security problem.
Is this a regression?
Whiteboard: js-triage-needed → [sg:critical] js-triage-needed
(Assignee)

Comment 2

6 years ago
Created attachment 593654 [details] [diff] [review]
patch

Incomplete fix for bug 719758; there are other opcodes which have no fallthrough but do not have a direct jump target.
Assignee: general → bhackett1024
Attachment #593654 - Flags: review?(dvander)
(Assignee)

Comment 3

6 years ago
Comment on attachment 593654 [details] [diff] [review]
patch

[Approval Request Comment]
Regression caused by (bug #): 704387
User impact if declined: potential vulnerability
Risk to taking this patch (and alternatives if risky): low, fixes logic bug in rare code pattern
Attachment #593654 - Flags: approval-mozilla-aurora?
Attachment #593654 - Flags: review?(dvander) → review+

Comment 4

6 years ago
Comment on attachment 593654 [details] [diff] [review]
patch

[Triage Comment]
Approved for Aurora 12.
Attachment #593654 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+

Comment 5

Based on the date of the regressing bug, this should not affect anything earlier than Fx12.
Blocks: 704387
status1.9.2: --- → unaffected
status-firefox-esr10: --- → unaffected
status-firefox11: --- → unaffected
status-firefox12: --- → affected
status-firefox13: --- → affected
tracking-firefox12: --- → +
tracking-firefox13: --- → +
Keywords: regression
(Assignee)

Comment 6

6 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/1e80318e866d

Comment 7

6 years ago
https://hg.mozilla.org/mozilla-central/rev/1e80318e866d
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla13
(Assignee)

Comment 8

6 years ago
https://hg.mozilla.org/releases/mozilla-aurora/rev/de903fa58268
(Assignee)

Updated

6 years ago
Target Milestone: mozilla13 → mozilla12
(Assignee)

Updated

6 years ago
status-firefox12: affected → fixed
status-firefox13: affected → fixed
(Reporter)

Updated

5 years ago
Status: RESOLVED → VERIFIED
Group: core-security
(Reporter)

Comment 9

4 years ago
Slow/infinite test, not taking for the test suite.
Flags: in-testsuite-