Closed Bug 1032086 Opened 10 years ago Closed 10 years ago

Assertion failure: v.isString() || v.isObject(), at vm/TypedArrayObject.cpp

Categories

(Core :: JavaScript Engine, defect)

x86_64
macOS
defect
Not set
critical


RESOLVED DUPLICATE of bug 1032208

People

(Reporter: gkw, Unassigned)

References

Details

(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update])

Attachments

(1 file)

Attached file stack
x = [];
Array.prototype.push.call(x, Symbol.iterator);
Int8Array(x);

asserts js debug shell on m-c changeset b6408c32a170 without any CLI arguments at Assertion failure: v.isString() || v.isObject(), at vm/TypedArrayObject.cpp

My configure flags are:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-optimize --enable-profiling --enable-gczeal --enable-debug-symbols --disable-tests --with-ccache --enable-threadsafe <other NSPR options>

=== Tinderbox Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20140623115045" and the hash "611283da02bf".
The "bad" changeset has the timestamp "20140623122048" and the hash "cd2894ed2c76".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=611283da02bf&tochange=cd2894ed2c76

(s-s because this might involve TypedArrays, and it is in the assertion message.)

Jason, is bug 645416 a likely regressor?
Flags: needinfo?(jorendorff)
valueToNative does a canConvertInfallibly() test (which checks for number/boolean/null/undefined) and if false asserts object-or-string and then does either StringToNumber or ToNumber.  In this case v is a symbol, of course....

But the ToNumber path is generic, I'd think, so no real need to assert things.  Or rather we can just adjust the assert to assert object-or-symbol-or-string.  I don't think there's a security bug here.

This is an instance of the whole "we added a new type for the first time in forever" problem...
Group: core-security, javascript-core-security
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: needinfo?(jorendorff)
Resolution: --- → DUPLICATE
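An added illustration of the conversion path described in the comment above; this is not SpiderMonkey code but a JavaScript model of it, with the assertion widened to admit symbols so that the symbol falls through to ToNumber and produces the spec-mandated TypeError rather than an assertion failure. The names canConvertInfallibly and valueToNative follow the comment; int8FromArrayLike and engineThrowsTypeError are assumed helper names.

```javascript
// Model of valueToNative as described in the comment (not the engine's code).
function canConvertInfallibly(v) {
  // number, boolean, null, undefined: ToNumber can never throw for these
  return typeof v === 'number' || typeof v === 'boolean' || v === null || v === undefined;
}

function valueToNative(v) {
  if (!canConvertInfallibly(v)) {
    // Original assert was object-or-string; a symbol is neither, which is the
    // failure reported above. Widened here to object-or-symbol-or-string.
    const ok = typeof v === 'string' || typeof v === 'object' ||
               typeof v === 'function' || typeof v === 'symbol';
    if (!ok) throw new Error('assertion failure: unexpected value kind ' + typeof v);
  }
  // ToNumber (Number()) on a symbol throws TypeError per the spec, which is the
  // observable behaviour a typed-array constructor should give the script.
  const n = Number(v);
  // ToInt8: truncate to int32, then wrap modulo 2^8 into the signed range
  return (n << 24) >> 24;
}

// Constructed equivalent of filling an Int8Array from an array-like source.
function int8FromArrayLike(arr) {
  return Array.from(arr, valueToNative);
}

// Runs the reporter's testcase against the real constructor and reports whether
// the engine surfaces a TypeError (the expected, non-crashing outcome).
function engineThrowsTypeError() {
  try {
    const x = [];
    Array.prototype.push.call(x, Symbol.iterator);
    new Int8Array(x);
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}
```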