Closed
Bug 785776
Opened 10 years ago
Closed 10 years ago
"Assertion failure: objArrayType >= 0 && objArrayType < TypedArray::TYPE_MAX,"
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
VERIFIED
FIXED
mozilla18
Tracking | Status | |
---|---|---|
firefox15 | --- | unaffected |
firefox16 | --- | fixed |
firefox17 | --- | fixed |
firefox18 | --- | fixed |
firefox-esr10 | --- | unaffected |
People
(Reporter: gkw, Assigned: bhackett1024)
References
Details
(4 keywords, Whiteboard: [jsbugmon:update,ignore][advisory-tracking-][qa?])
Attachments
(2 files)
4.78 KB,
text/plain
|
Details | |
741 bytes,
patch
|
dvander
:
review+
akeybl
:
approval-mozilla-aurora+
akeybl
:
approval-mozilla-beta+
|
Details | Diff | Splinter Review |
function f([x]){}f(DataView.prototype) asserts js debug shell on m-c changeset e08a67884b9b with -m, -n and -a at Assertion failure: objArrayType >= 0 && objArrayType < TypedArray::TYPE_MAX,
Updated•10 years ago
|
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 1•10 years ago
|
||
JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: 97780:195ffaea56ea user: Brian Hackett date: Wed Jun 27 07:10:50 2012 -0700 summary: Specialize big typed arrays with singleton types, bug 762561. r=dvander
![]() |
Reporter | |
Comment 2•10 years ago
|
||
Brian, bug 762561 might be related according the bisection result in comment 1.
Blocks: 762561
Assignee | ||
Comment 3•10 years ago
|
||
DataView objects were being treated like typed arrays when setting bits on the object's type.
Assignee: general → bhackett1024
Attachment #656587 -
Flags: review?(dvander)
![]() |
||
Updated•10 years ago
|
Attachment #656587 -
Flags: review?(dvander) → review+
Assignee | ||
Updated•10 years ago
|
Group: core-security
Assignee | ||
Comment 4•10 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/b497e2c28be2
Assignee | ||
Comment 5•10 years ago
|
||
Comment on attachment 656587 [details] [diff] [review] patch [Approval Request Comment] Bug caused by (feature/regressing bug #): 762561 User impact if declined: Incorrect type information which is potentially exploitable. Risk to taking this patch (and alternatives if risky): None
Attachment #656587 -
Flags: approval-mozilla-beta?
Attachment #656587 -
Flags: approval-mozilla-aurora?
Updated•10 years ago
|
status-firefox-esr10:
--- → unaffected
status-firefox15:
--- → unaffected
status-firefox16:
--- → affected
status-firefox17:
--- → affected
status-firefox18:
--- → affected
Updated•10 years ago
|
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]
Comment 6•10 years ago
|
||
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 1b0b56afa33a).
Comment 7•10 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/b497e2c28be2
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla18
Updated•10 years ago
|
Status: RESOLVED → VERIFIED
Comment 8•10 years ago
|
||
JSBugMon: This bug has been automatically verified fixed.
Comment 9•10 years ago
|
||
Comment on attachment 656587 [details] [diff] [review] patch No risk patch for a possibly exploitable issue. Would be good to put a security rating on this bug, if you get the chance. Approving for branches.
Attachment #656587 -
Flags: approval-mozilla-beta?
Attachment #656587 -
Flags: approval-mozilla-beta+
Attachment #656587 -
Flags: approval-mozilla-aurora?
Attachment #656587 -
Flags: approval-mozilla-aurora+
Comment 10•10 years ago
|
||
Did this ever land?
Comment 11•10 years ago
|
||
Looks like no. https://hg.mozilla.org/releases/mozilla-beta/rev/fd5e4a57e184 https://hg.mozilla.org/releases/mozilla-aurora/rev/ffa16afeac0f
Comment 12•10 years ago
|
||
Thanks mccr8!
Updated•10 years ago
|
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:update,ignore][advisory-tracking-]
Comment 13•10 years ago
|
||
Does this need QA verification given comment 8?
Whiteboard: [jsbugmon:update,ignore][advisory-tracking-] → [jsbugmon:update,ignore][advisory-tracking-][qa?]
Updated•10 years ago
|
Group: core-security
Keywords: sec-critical
Comment 14•10 years ago
|
||
Automatically extracted testcase for this bug was committed: https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+
You need to log in
before you can comment on or make changes to this bug.
Description
•