Closed
Bug 723099
Opened 14 years ago
Closed 14 years ago
Assertion failure: [infer failure] Missing type pushed 0: string, at jsinfer.cpp:352
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
mozilla12
| Tracking | Status | |
|---|---|---|
| firefox11 | --- | unaffected |
| firefox12 | + | fixed |
| firefox13 | + | fixed |
| firefox-esr10 | --- | unaffected |
| status1.9.2 | --- | unaffected |
People
(Reporter: decoder, Assigned: bhackett1024)
References
Details
(Keywords: assertion, regression, testcase, Whiteboard: [sg:critical] js-triage-needed)
Attachments
(1 file)
|
681 bytes,
patch
|
dvander
:
review+
akeybl
:
approval-mozilla-aurora+
|
Details | Diff | Splinter Review |
The following test crashes on mozilla-central revision a71b7cea4577 (options -m -a -n):
function test() {
try {
for ( var i = 0 in test() ) return x;
} catch (e) {
if (i !== ("str"))
return "wat";
}
}
test();
S-s because infer failures can indicate a security problem.
|
||
Comment 1•14 years ago
|
||
Is this a regression?
Whiteboard: js-triage-needed → [sg:critical] js-triage-needed
|
Assignee | |
Comment 2•14 years ago
|
||
Incomplete fix for bug 719758, there are other opcodes which have no fallthrough but do not have a direct jump target.
Assignee: general → bhackett1024
Attachment #593654 -
Flags: review?(dvander)
|
|
Assignee | |
Comment 3•14 years ago
|
||
Comment on attachment 593654 [details] [diff] [review]
patch
[Approval Request Comment]
Regression caused by (bug #): 704387
User impact if declined: potential vulnerability
Risk to taking this patch (and alternatives if risky): low, fixes logic bug in rare code pattern
Attachment #593654 -
Flags: approval-mozilla-aurora?
|
||
Updated•14 years ago
|
Attachment #593654 -
Flags: review?(dvander) → review+
|
|
||
Comment 4•14 years ago
|
||
Comment on attachment 593654 [details] [diff] [review]
patch
[Triage Comment]
Approved for Aurora 12.
Attachment #593654 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
|
|
||
Comment 5•14 years ago
|
||
based on the date of the regressing bug this should not affect anything earlier than Fx12
Blocks: 704387
status1.9.2:
--- → unaffected
status-firefox-esr10:
--- → unaffected
status-firefox11:
--- → unaffected
status-firefox12:
--- → affected
status-firefox13:
--- → affected
tracking-firefox12:
--- → +
tracking-firefox13:
--- → +
Keywords: regression
|
|
Assignee | |
Comment 6•14 years ago
|
||
|
|
||
Comment 7•14 years ago
|
||
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla13
|
|
Assignee | |
Comment 8•14 years ago
|
||
|
|
Assignee | |
Updated•14 years ago
|
Target Milestone: mozilla13 → mozilla12
|
|
Assignee | |
Updated•14 years ago
|
|
Reporter | |
Updated•13 years ago
|
Status: RESOLVED → VERIFIED
|
|
||
Updated•13 years ago
|
Group: core-security
|
|
Reporter | |
Comment 9•12 years ago
|
||
Slow/infinite test, not taking for the test suite.
Flags: in-testsuite-
You need to log in
before you can comment on or make changes to this bug.
Description
•