Assertion failure: [infer failure] Missing type in object [0xf6c00240] length: int, at jsinfer.cpp:325

RESOLVED FIXED

Status

Core
JavaScript Engine
--
critical
RESOLVED FIXED
6 years ago
3 years ago

People

(Reporter: decoder, Unassigned)

Tracking

(Blocks: 1 bug, {assertion, sec-critical, testcase})

Trunk
x86
Linux
assertion, sec-critical, testcase
Points:
---

Firefox Tracking Flags

(firefox-esr10 wontfix, firefox-esr17 unaffected, b2g18 unaffected)

Details

(Whiteboard: js-triage-needed, [js:t])

Attachments

(1 attachment)

(Reporter)

Description

6 years ago
Created attachment 637477 [details]
Test case for shell (run with -n -m -a)

The attached test asserts on mozilla-central revision 9bf5e71c5746 (options -m -n -a).

S-s because infer failures can be security-critical.
(Reporter)

Updated

6 years ago
Whiteboard: js-triage-needed → js-triage-needed [jsbugmon:update]
(Reporter)

Comment 1

6 years ago
Forgot that JSBugMon can't handle ZIP files yet, will recheck this one manually.
Whiteboard: js-triage-needed [jsbugmon:update] → js-triage-needed
Whiteboard: js-triage-needed → js-triage-needed, [js:t]
Let's assume a controllable inference failure is exploitable, although that could be overly pessimistic.
Keywords: sec-critical
Assignee: general → nihsanullah

Comment 3

6 years ago
Any chance Brian Hackett can look at this? Alternatively, does Brian know of a good assignee?
Assignee: nihsanullah → bhackett1024
WFM on tip, can someone bisect the fix?
(Reporter)

Comment 5

6 years ago
autoBisect shows this is probably related to the following changeset:

The first good revision is:
changeset:   99045:6cf7aa93994c
user:        Luke Wagner
date:        Wed Jun 20 08:57:29 2012 -0700
summary:     Bug 765956 - Set Bindings' parent eagerly (r=bhackett)
Flags: needinfo?(bhackett1024)
Sure, that could have fixed it.
Assignee: bhackett1024 → general
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Flags: needinfo?(bhackett1024)
Resolution: --- → WORKSFORME
FIXED by bug 765956, which landed on 12 July 2012.
Resolution: WORKSFORME → FIXED
Can the fix in bug 765956 get backported to the ESR10 branch?
Marking as esr10 affected and esr17 unaffected based on this coming from regressions to bug 663138 and having bug 765956 in FF16.
status-firefox-esr10: --- → affected
status-firefox-esr17: --- → unaffected
There were several patches in bug 765956, and the fix cset above is not the main one. I think we'd need a blame cset rather than just assuming it is bug 663138.
Not worth figuring out if we can safely take parts of this patch in the very last ESR10 release.
status-firefox-esr10: affected → wontfix
status-b2g18: --- → unaffected
Group: core-security