"Assertion failure: objArrayType >= 0 && objArrayType < TypedArray::TYPE_MAX,"

VERIFIED FIXED in Firefox 16

Status

()

Product:
Core
Component:
JavaScript Engine
Type:
defect
Importance:
--
critical
Status:
VERIFIED FIXED
Reported:
7 years ago
Modified:
6 years ago

People

(Reporter: gkw, Assigned: bhackett)

Tracking

(Blocks 1 bug, 4 keywords)

Version:
Trunk
Target:
mozilla18
Platform:
x86_64
macOS
Points:
---
Dependency tree / graph
Bug Flags:
in-testsuite +

Firefox Tracking Flags

(firefox15 unaffected, firefox16 fixed, firefox17 fixed, firefox18 fixed, firefox-esr10 unaffected)

Details

(Whiteboard: [jsbugmon:update,ignore][advisory-tracking-][qa?])

Attachments

(2 attachments)

stack
4.78 KB, text/plain
Details
patch
741 bytes, patch
dvander
: review+
akeybl
: approval-mozilla-aurora+
akeybl
: approval-mozilla-beta+
Details | Diff | Splinter Review
Reporter

Description

7 years ago
Posted file stack 
function f([x]){}f(DataView.prototype)

asserts js debug shell on m-c changeset e08a67884b9b with -m, -n and -a at Assertion failure: objArrayType >= 0 && objArrayType < TypedArray::TYPE_MAX,
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]

Comment 1

7 years ago 
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   97780:195ffaea56ea
user:        Brian Hackett
date:        Wed Jun 27 07:10:50 2012 -0700
summary:     Specialize big typed arrays with singleton types, bug 762561. r=dvander
 Reporter

Comment 2

7 years ago 
Brian, bug 762561 might be related according the bisection result in comment 1.
Blocks: 762561
 Assignee

Comment 3

7 years ago
Posted patch patchSplinter Review 
DataView objects were being treated like typed arrays when setting bits on the object's type.
Assignee: general → bhackett1024
Attachment #656587 - Flags: review?(dvander)
Attachment #656587 - Flags: review?(dvander) → review+
 Assignee

Updated

7 years ago
Group: core-security
 Assignee

Comment 5

7 years ago 
Comment on attachment 656587 [details] [diff] [review]
patch

[Approval Request Comment]
Bug caused by (feature/regressing bug #): 762561
User impact if declined: Incorrect type information which is potentially exploitable.
Risk to taking this patch (and alternatives if risky): None
Attachment #656587 - Flags: approval-mozilla-beta?
Attachment #656587 - Flags: approval-mozilla-aurora?
Whiteboard: [jsbugmon:update] → [jsbugmon:update,ignore]

Comment 6

7 years ago 
JSBugMon: The testcase found in this bug no longer reproduces (tried revision 1b0b56afa33a).

Comment 7

7 years ago 
https://hg.mozilla.org/mozilla-central/rev/b497e2c28be2
Status: NEW → RESOLVED
Last Resolved: 7 years ago
status-firefox18: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla18
Status: RESOLVED → VERIFIED

Comment 8

7 years ago 
JSBugMon: This bug has been automatically verified fixed.

Comment 9

7 years ago 
Comment on attachment 656587 [details] [diff] [review]
patch

No risk patch for a possibly exploitable issue. Would be good to put a security rating on this bug, if you get the chance. Approving for branches.
Attachment #656587 - Flags: approval-mozilla-beta?
Attachment #656587 - Flags: approval-mozilla-beta+
Attachment #656587 - Flags: approval-mozilla-aurora?
Attachment #656587 - Flags: approval-mozilla-aurora+

Comment 10

7 years ago 
Did this ever land?

Comment 12

7 years ago 
Thanks mccr8!
Whiteboard: [jsbugmon:update,ignore] → [jsbugmon:update,ignore][advisory-tracking-]

Comment 13

7 years ago 
Does this need QA verification given comment 8?
Whiteboard: [jsbugmon:update,ignore][advisory-tracking-] → [jsbugmon:update,ignore][advisory-tracking-][qa?]
Group: core-security
Keywords: sec-critical

Comment 14

6 years ago 
Automatically extracted testcase for this bug was committed:

https://hg.mozilla.org/mozilla-central/rev/efaf8960a929
Flags: in-testsuite+
You need to log in before you can comment on or make changes to this bug.