Assertion failure: [infer failure] Missing type pushed 0: string, at jsinfer.cpp:352

VERIFIED FIXED in Firefox 12

Status

defect
--
critical
VERIFIED FIXED
7 years ago
6 years ago

People

(Reporter: decoder, Assigned: bhackett)

Tracking

(Blocks 1 bug, {assertion, regression, testcase})

Trunk
mozilla12
x86
Linux
Bug Flags:
in-testsuite -

Firefox Tracking Flags

(firefox11 unaffected, firefox12+ fixed, firefox13+ fixed, firefox-esr10 unaffected, status1.9.2 unaffected)

Details

(Whiteboard: [sg:critical] js-triage-needed)

Attachments

(1 attachment)

Reporter

Description

7 years ago
The following test crashes on mozilla-central revision a71b7cea4577 (options -m -a -n):


function test() {
  try {
    for ( var i = 0 in test() ) return x;
  } catch (e) {
    if (i !== ("str"))
      return "wat";
  }
}
test();


S-s because infer failures can indicate a security problem.
Is this a regression?
Whiteboard: js-triage-needed → [sg:critical] js-triage-needed
Assignee

Comment 2

7 years ago
Posted patch: patch
Incomplete fix for bug 719758; there are other opcodes which have no fallthrough but do not have a direct jump target.
Assignee: general → bhackett1024
Attachment #593654 - Flags: review?(dvander)
Assignee

Comment 3

7 years ago
Comment on attachment 593654
patch

[Approval Request Comment]
Regression caused by (bug #): 704387
User impact if declined: potential vulnerability
Risk to taking this patch (and alternatives if risky): low, fixes logic bug in rare code pattern
Attachment #593654 - Flags: approval-mozilla-aurora?
Attachment #593654 - Flags: review?(dvander) → review+
Comment on attachment 593654
patch

[Triage Comment]
Approved for Aurora 12.
Attachment #593654 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Based on the date of the regressing bug, this should not affect anything earlier than Fx12.
https://hg.mozilla.org/mozilla-central/rev/1e80318e866d
Status: NEW → RESOLVED
Last Resolved: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla13
Assignee

Updated

7 years ago
Target Milestone: mozilla13 → mozilla12
Reporter

Updated

7 years ago
Status: RESOLVED → VERIFIED
Group: core-security
Reporter

Comment 9

6 years ago
Slow/infinite test, not taking for the test suite.
Flags: in-testsuite-