Closed
Bug 867466
Opened 11 years ago
Closed 11 years ago
Assertion failure: false (unexpected statement type), at jsreflect.cpp:2178 or Crash on Heap with invalid memory executed
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
FIXED
mozilla22
Tracking | Status | |
---|---|---|
firefox21 | --- | unaffected |
firefox22 | + | fixed |
firefox23 | --- | unaffected |
firefox24 | --- | unaffected |
firefox-esr17 | --- | unaffected |
b2g18 | --- | unaffected |
People
(Reporter: decoder, Assigned: ejpbruel)
References
(Blocks 1 open bug)
Details
(5 keywords, Whiteboard: [adv-main22-] Firefox 22 only)
The following testcase asserts on mozilla-aurora revision 4cf75b25cdc3 (run with --ion-eager): var node = Reflect.parse("module 'foo' {}");
Reporter | ||
Comment 1•11 years ago
|
||
gkw made bisects for this: The first bad revision is: changeset: 128914:ec8547a266b7 user: Eddy Bruel date: Wed Feb 20 20:49:41 2013 +0100 summary: Bug 568953 - Parser support for module declarations; r=jorendorff The first good revision is: changeset: 126958:172651edb28e user: Eddy Bruel date: Tue Apr 02 18:00:49 2013 +0200 summary: Bug 568953 - Added reflection support for module declarations; r=jorendorff The necessary changes need to be backported to mozilla-aurora.
Keywords: crash
Reporter | ||
Updated•11 years ago
|
Flags: needinfo?(ejpbruel)
Updated•11 years ago
|
status-firefox22:
--- → affected
status-firefox23:
--- → affected
Reporter | ||
Comment 2•11 years ago
|
||
This bug is aurora only.
Updated•11 years ago
|
Blocks: harmony:modules
status-b2g18:
--- → unaffected
status-firefox21:
--- → unaffected
status-firefox-esr17:
--- → unaffected
tracking-firefox22:
--- → +
Keywords: regression,
sec-critical
Updated•11 years ago
|
Assignee: general → ejpbruel
Updated•11 years ago
|
Whiteboard: Firefox 22 only
Version: Trunk → 22 Branch
Comment 4•11 years ago
|
||
172651edb28e seems to apply nicely to mozilla-beta (this fix is present on aurora and central), so Eddy, I guess you'll need to fill out the approval-mozilla-beta questionaire to nominate that patch for backport, reproduced here: [Approval Request Comment] Bug caused by (feature/regressing bug #): User impact if declined: Testing completed (on m-c, etc.): Risk to taking this patch (and alternatives if risky): String or IDL/UUID changes made by this patch:
Flags: needinfo?(ejpbruel)
Keywords: checkin-needed
Assignee | ||
Comment 6•11 years ago
|
||
Bug caused by (feature/regressing bug #): 568953 User impact if declined: Makes it possible to crash Firefox by using module syntax Testing completed (on m-c, etc.): m-c Risk to taking this patch (and alternatives if risky): Very low String or IDL/UUID changes made by this patch: None Gary, what flag should I set to complete the process?
Flags: needinfo?(ejpbruel) → needinfo?(gary)
Comment 7•11 years ago
|
||
Due to the patch already being in bugzilla (where the flag is set), I've nominated the flag in bug 568953 comment 104 and duplicated Eddy's comments there. Thanks! Now to wait for approval, then someone can land it on beta.
Flags: needinfo?(gary)
Comment 8•11 years ago
|
||
Please land 172651edb28e to mozilla-beta, approval has already been given in bug 568953 comment 105
Keywords: checkin-needed
Comment 9•11 years ago
|
||
https://hg.mozilla.org/releases/mozilla-beta/rev/4ec769a499fc
Status: NEW → RESOLVED
Closed: 11 years ago
status-firefox24:
--- → unaffected
Keywords: checkin-needed
Resolution: --- → FIXED
Target Milestone: --- → mozilla22
Updated•11 years ago
|
Whiteboard: Firefox 22 only → [adv-main22-] Firefox 22 only
Updated•11 years ago
|
Group: core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•