Closed
Bug 1023145
Opened 11 years ago
Closed 11 years ago
Assertion failure: args[0].isObject(), at vm/SelfHosting.cpp:522 or Crash [@ js::intrinsic_UnsafeGetReservedSlot] with SIMD
Categories
(Core :: JavaScript Engine, defect)
Tracking
RESOLVED
FIXED
mozilla33
| Flag | Tracking | Status |
|---|---|---|
| firefox33 | --- | affected |
People
(Reporter: decoder, Assigned: bbouvier)
Details
(Keywords: assertion, crash, testcase, Whiteboard: [jsbugmon:update])
Crash Data
Attachments
(2 files, 2 obsolete files)
Attachment 1: 1.09 KB, text/plain (Details)
Attachment 2: 2.80 KB, patch, review+ from till (Details | Diff | Splinter Review)
The following testcase asserts on mozilla-central revision 9dc0ffca10f4 (run with --fuzzing-safe):
delete Object.prototype.__proto__;
var int32x4 = SIMD.int32x4;
var Array = int32x4.array(1);
var array = new Array([int32x4(1, 2, 3, 4)]);
Comment 1 (Reporter) • 11 years ago
The crash seems like a null-deref, needinfo on Niko because it's SIMD-related.
Crash Signature: [@ js::intrinsic_UnsafeGetReservedSlot]
status-firefox33:
--- → affected
Flags: needinfo?(nmatsakis)
Keywords: crash
Whiteboard: [jsbugmon:update,bisect]
Comment 2 (Reporter) • 11 years ago
Updated (Reporter) • 11 years ago
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 3 (Reporter) • 11 years ago
JSBugMon: Bisection requested, result:
=== Tinderbox Build Bisection Results by autoBisect ===
The "good" changeset has the timestamp "20140607030736" and the hash "f56234ba7ec7".
The "bad" changeset has the timestamp "20140607033236" and the hash "731411eebd0a".
Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=f56234ba7ec7&tochange=731411eebd0a
Comment 4 (Reporter) • 11 years ago
Attachment #8437578 -
Attachment is obsolete: true
Comment 5 (Reporter) • 11 years ago
Attachment #8437618 -
Attachment is obsolete: true
Comment 6 • 11 years ago
bbouvier, can you take this? It's happening because builtin/TypedObject.js contains this:
function TypedObjectTypeDescr(typedObj) {
return TYPROTO_DESCR(typedObj.__proto__);
}
but user scripts can delete Object.prototype.__proto__. The fix is to declare
var std_Object_getPrototypeOf = Object.getPrototypeOf;
in Utilities.js, and use that. Kind of surprising we don't have it already.
Flags: needinfo?(benj)
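The hazard described in comment 6, shown as an added example in plain JavaScript (this is not code from the bug, from the attached patch, or from SpiderMonkey's builtin/TypedObject.js): a lookup that goes through the `__proto__` accessor breaks as soon as a script deletes `Object.prototype.__proto__`, while a lookup through a copy of `Object.getPrototypeOf` captured before untrusted code runs keeps working. `Descr`, `makeTypedObjectLike` and the `describeVia*` helpers are constructed stand-ins for `TYPROTO_DESCR` and typed objects.

```javascript
// Fragile lookup: relies on the __proto__ accessor, which lives on
// Object.prototype and is configurable, so any script can delete it.
function protoViaAccessor(obj) {
  return obj.__proto__;
}

// Robust lookup: capture the intrinsic once, before untrusted code runs.
// This mirrors the std_Object_getPrototypeOf pattern proposed in comment 6.
const std_Object_getPrototypeOf = Object.getPrototypeOf;
function protoViaIntrinsic(obj) {
  return std_Object_getPrototypeOf(obj);
}

// Constructed stand-in for a type descriptor hanging off the prototype
// (the role TYPROTO_DESCR plays in TypedObject.js).
class Descr {
  constructor(name) { this.name = name; }
}

// Constructed stand-in for a typed object: an object whose prototype
// carries the descriptor.
function makeTypedObjectLike() {
  const proto = { descr: new Descr("int32x4") };
  return Object.create(proto);
}

// Returns the descriptor name, or null when the accessor path yields
// undefined. Without this guard `proto.descr` would throw a TypeError, the
// userland analogue of the engine assertion in the bug report.
function describeViaAccessor(obj) {
  const proto = protoViaAccessor(obj);
  return proto === undefined ? null : proto.descr.name;
}

function describeViaIntrinsic(obj) {
  return protoViaIntrinsic(obj).descr.name;
}

// Run both lookups before and after the hostile deletion from the testcase.
function demo() {
  const before = {
    accessor: describeViaAccessor(makeTypedObjectLike()),
    intrinsic: describeViaIntrinsic(makeTypedObjectLike()),
  };
  delete Object.prototype.__proto__; // the first line of the testcase
  const after = {
    accessor: describeViaAccessor(makeTypedObjectLike()),
    intrinsic: describeViaIntrinsic(makeTypedObjectLike()),
  };
  return { before, after };
}

const result = demo();
console.log(JSON.stringify(result));
```

The deletion is process-wide and irreversible from this script, which is exactly why engine internals (and any library that must survive hostile globals) bind the intrinsics they need at load time instead of looking them up through the prototype chain on each call.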
Comment 7 (Assignee) • 11 years ago
Thanks jorendorff for the needinfo! The fix you've suggested works perfectly.
Assignee: nobody → benj
Status: NEW → ASSIGNED
Attachment #8452972 -
Flags: review?(till)
Flags: needinfo?(nmatsakis)
Flags: needinfo?(benj)
Comment 8 • 11 years ago
Comment on attachment 8452972 [details] [diff] [review]
Patch + test
Review of attachment 8452972 [details] [diff] [review]:
-----------------------------------------------------------------
Surprising we didn't have that indeed!
Attachment #8452972 -
Flags: review?(till) → review+
Comment 9 (Assignee) • 11 years ago
Comment 10 • 11 years ago
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla33