Created attachment 637477 [details] Test case for shell (run with -n -m -a) The attached test asserts on mozilla-central revision 9bf5e71c5746 (options -m -n -a). S-s because infer failures can be security-critical.
Whiteboard: js-triage-needed → js-triage-needed [jsbugmon:update]
Forgot that JSBugMon can't handle ZIP files yet, will recheck this one manually.
Whiteboard: js-triage-needed [jsbugmon:update] → js-triage-needed
Whiteboard: js-triage-needed → js-triage-needed, [js:t]
Let's assume a controllable inference failure is exploitable, although that could be overly pessimistic.
Any chance Brian Hackett can look at this? Alternatively, does Brian know of a good assignee?
WFM on tip, can someone bisect the fix?
autoBisect shows this is probably related to the following changeset: The first good revision is: changeset: 99045:6cf7aa93994c user: Luke Wagner date: Wed Jun 20 08:57:29 2012 -0700 summary: Bug 765956 - Set Bindings' parent eagerly (r=bhackett)
Sure, that could have fixed it.
Assignee: bhackett1024 → general
Status: NEW → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → WORKSFORME
FIXED by bug 765956, which landed on 12 July 2012.
Resolution: WORKSFORME → FIXED
Can the fix in bug 765956 get backported to the ESR10 branch?
Marking as esr10 affected and esr17 unaffected based on this coming from regressions to bug 663138 and having bug 765956 in FF16.
status-firefox-esr10: --- → affected
status-firefox-esr17: --- → unaffected
There were several patches in bug 765956, and the fix cset above is not the main one. I think we'd need a blame cset rather than just assuming it is bug 663138.
Not worth figuring out if we can safely take parts of this patch in the very last ESR10 release.
status-firefox-esr10: affected → wontfix
You need to log in before you can comment on or make changes to this bug.