Bug 1102578 (Closed)
Opened 11 years ago, closed 11 years ago
Assertion failure: idx < uint32_t(arrobj->as<TypedObject>().length()), at js/src/vm/SelfHosting.cpp:480
Categories: Core :: JavaScript Engine, defect
Status: RESOLVED DUPLICATE of bug 1102608
| Tracking | Status | |
|---|---|---|
| firefox36 | --- | affected |
People: Reporter: decoder, Unassigned
Whiteboard: [jsbugmon:update]
The following testcase crashes on mozilla-central revision 134d1cfc5c9c (build with --enable-debug --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --target=i686-pc-linux-gnu, run with --fuzzing-safe --thread-count=2 --ion-eager --baseline-eager):
```js
var {
  uint8, uint32
} = TypedObject;
function test() {
  var Uints = uint32.array(1024);
  var Uint8s = uint8.array("\tvar\tx\t=\t1\t" | this || 2);
  var uint32s = new Uints();
  (function(m) Uint8s.fromPar(uint32s, function(e) e + 1))()
}
test();
```
Backtrace:
```
Program terminated with signal SIGSEGV, Segmentation fault.
#0 0x086b43a1 in js::intrinsic_UnsafePutElements (cx=0xa8b3f68, argc=3,
    vp=0xff83660c) at js/src/vm/SelfHosting.cpp:480
480 MOZ_ASSERT_IF(arrobj->is<TypedObject>(), idx < uint32_t(arrobj->as<TypedObject>().length()));
#0 0x086b43a1 in js::intrinsic_UnsafePutElements (cx=0xa8b3f68, argc=3, vp=0xff83660c) at js/src/vm/SelfHosting.cpp:480
#1 0xf77be011 in ?? ()
#2 0x0a93cf78 in ?? ()
#3 0xf77b09ef in ?? ()
#4 0x0826a096 in EnterBaseline (cx=0xf160fc7d, cx@entry=0xa8b3f68, data=...) at js/src/jit/BaselineJIT.cpp:110
```
```
eip 0x86b43a1 <js::intrinsic_UnsafePutElements(JSContext*, unsigned int, JS::Value*)+1345>
=> 0x86b43a1 <js::intrinsic_UnsafePutElements(JSContext*, unsigned int, JS::Value*)+1345>: movl $0x7b,0x0
   0x86b43ab <js::intrinsic_UnsafePutElements(JSContext*, unsigned int, JS::Value*)+1355>: call 0x804a960 <abort@plt>
```
Marked s-s because the assertion sounds potentially problematic.
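Added illustration, not part of the bug report or of SpiderMonkey: a plain-JS model of the length mismatch the failing assertion guards against. It shows how the testcase's obfuscated output length evaluates, then contrasts an unchecked element-wise mapping with one that validates the output shape first. TypedObject and fromPar are unavailable outside SpiderMonkey, so a Uint8Array stands in for a uint8.array(N) instance, and `uncheckedMap`/`checkedMap` are hypothetical helpers.

```javascript
// Added example: models the asserted condition in plain JS; not engine code.

// The testcase's output length is obfuscated. In sloppy script code `this`
// is the global object, so ToInt32("\tvar\tx\t=\t1\t") | ToInt32(globalThis)
// is 0 | 0 = 0, and `0 || 2` selects 2. So Uint8s has a fixed length of 2
// while the input instance of uint32.array(1024) has 1024 elements.
function testcaseOutputLength() {
  return ("\tvar\tx\t=\t1\t" | globalThis) || 2;
}

// Unchecked model: iterates over every input index and stores out[i] without
// consulting the output's fixed length. `oob` counts the indices for which
// idx < output.length is false, i.e. the stores the MOZ_ASSERT rejects.
// (A real typed array silently drops such stores; a raw buffer would not.)
function uncheckedMap(input, outLength, f) {
  const out = new Uint8Array(outLength);
  let oob = 0;
  for (let i = 0; i < input.length; i++) {
    if (i >= out.length) oob++;
    out[i] = f(input[i]);
  }
  return { out, oob };
}

// Checked model: refuse to start when the shapes disagree, so no index ever
// reaches a store it cannot legally perform.
function checkedMap(input, outLength, f) {
  if (input.length !== outLength) {
    throw new RangeError(`input length ${input.length} != output length ${outLength}`);
  }
  const out = new Uint8Array(outLength);
  for (let i = 0; i < input.length; i++) out[i] = f(input[i]);
  return out;
}

// Replays the testcase's shapes (1024 in, 2 out) through both models.
function demo() {
  const outLen = testcaseOutputLength();
  const input = new Uint32Array(1024);      // constructed stand-in for new Uints()
  const unchecked = uncheckedMap(input, outLen, (e) => e + 1);
  let rejected = false;
  try {
    checkedMap(input, outLen, (e) => e + 1);
  } catch (e) {
    rejected = e instanceof RangeError;
  }
  return { outLen, oobWrites: unchecked.oob, rejected };
}
```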
Updated 11 years ago (Reporter)
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
Comment 1, 11 years ago (Reporter)
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/ceca39a1a154
user: Brian Hackett
date: Fri Nov 07 08:37:21 2014 -0700
summary: Bug 1092318 - Remove unsized array typed objects, r=nmatsakis.
This iteration took 573.499 seconds to run.
Comment 2, 11 years ago (Reporter)
Needinfo from bhackett based on comment 1.
Flags: needinfo?(bhackett1024)
Updated 11 years ago
Status: NEW → RESOLVED
Closed: 11 years ago
Flags: needinfo?(bhackett1024)
Resolution: --- → DUPLICATE
Updated 10 years ago
Group: core-security → core-security-release
Updated 9 years ago
Group: core-security-release