Closed
Bug 1006065
Opened 10 years ago
Closed 10 years ago
Assertion failure: obj->is<ArrayObject>() loading a washingtonpost.com blog
Categories
(Core :: JavaScript Engine: JIT, defect)
Core
JavaScript Engine: JIT
Tracking
()
RESOLVED
FIXED
mozilla32
| Tracking | Status | |
|---|---|---|
| firefox29 | --- | unaffected |
| firefox30 | --- | affected |
| firefox31 | --- | fixed |
| firefox32 | --- | fixed |
People
(Reporter: dbaron, Assigned: jandem)
References
Details
(Keywords: assertion)
Attachments
(2 files)
|
40.33 KB,
text/plain; charset=UTF-8
|
Details | |
|
1.30 KB,
patch
|
h4writer
:
review+
Sylvestre
:
approval-mozilla-aurora+
|
Details | Diff | Splinter Review |
I just crashed while loading http://www.washingtonpost.com/blogs/the-fix/wp/2014/05/05/martin-omalley-did-a-reddit-ama-it-didnt-go-very-well/ in a debug build on 64-bit Linux. Running a build with SourceStamp=d9e2937142c7, which actually means I was running mozilla-central revision cfde3603b020 plus my patch queue as of its revision 0ede7103166b pushed up to the patch named ae2b85aaa9f3. It crashed with the following assertion failure: Assertion failure: obj->is<ArrayObject>(), at /home/dbaron/builds/ssd/mozilla-central/mozilla/js/src/jit/VMFunctions.cpp:368
|
||
Updated•10 years ago
|
Component: JavaScript Engine → JavaScript Engine: JIT
|
Assignee | |
Comment 1•10 years ago
|
||
Yeah, this assert is bogus. When Ion optimizes splice calls, it doesn't check that the object is an array at compile time (and it doesn't have to), so at runtime we can get non-array objects.
A bit surprising the fuzzers didn't find this too, here's a simple shell testcase:
function f() {
var o = {splice: [].splice};
for (var i=0; i<2000; i++) {
o.splice(0, 1);
}
}
f();Flags: needinfo?(jdemooij)
|
|
Assignee | |
Comment 2•10 years ago
|
||
Removes the assert and adds a testcase, since apparently our tests don't cover this.
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Attachment #8417984 -
Flags: review?(hv1989)
Flags: needinfo?(jdemooij)
|
|
Assignee | |
Updated•10 years ago
|
OS: Linux → All
Hardware: x86_64 → All
|
|
Assignee | |
Updated•10 years ago
|
Blocks: 939115
status-firefox29:
--- → unaffected
status-firefox30:
--- → affected
status-firefox31:
--- → affected
|
||
Comment 3•10 years ago
|
||
Comment on attachment 8417984 [details] [diff] [review] Patch Review of attachment 8417984 [details] [diff] [review]: ----------------------------------------------------------------- Yeah indeed a bogus assert.
Attachment #8417984 -
Flags: review?(hv1989) → review+
|
||
Comment 4•10 years ago
|
||
also different site is also http://docs.openstack.org/havana/install-guide/install/apt-debian/content/ - run with bughunter into it
|
|
Assignee | |
Comment 5•10 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/83d8155eba84
|
|
Assignee | |
Comment 6•10 years ago
|
||
Comment on attachment 8417984 [details] [diff] [review] Patch [Approval Request Comment] Bug caused by (feature/regressing bug #): Bug 939115. User impact if declined: Bogus assert in debug builds. Testing completed (on m-c, etc.): On m-i. Risk to taking this patch (and alternatives if risky): None; just removes a (debug-only) assert so makes no difference for release builds. String or IDL/UUID changes made by this patch: None.
Attachment #8417984 -
Flags: approval-mozilla-aurora?
https://hg.mozilla.org/mozilla-central/rev/83d8155eba84
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla32
|
||
Updated•10 years ago
|
Attachment #8417984 -
Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
You need to log in
before you can comment on or make changes to this bug.
Description
•