Assertion failure: INT_FITS_IN_JSID(i), at dist/include/js/Id.h

RESOLVED FIXED in Firefox 41

Status

Product: Core
Component: JavaScript Engine
Severity: critical
Status: RESOLVED FIXED
Reported: 3 years ago
Modified: 3 years ago
People

Reporter: gkw
Assignee: bhackett

Tracking

Blocks: 2 bugs
Keywords: assertion, regression, testcase
Version: Trunk
Target Milestone: mozilla41
Platform: x86_64 Mac OS X

Firefox Tracking Flags: firefox41 fixed

Details

Whiteboard: [jsbugmon:update]
Attachments: 2

Description (Reporter, 3 years ago)
x = Array(4294967295);           // length 2^32 - 1, the largest legal Array length
x[1] = 0;                        // a single element in an otherwise empty (sparse) array
Array.prototype.shift.call(x);   // shift must touch index len - 1 = 4294967294, which is above INT32_MAX

asserts js debug shell on m-c changeset f8d21278244b with --fuzzing-safe --no-threads --no-ion at Assertion failure: INT_FITS_IN_JSID(i), at dist/include/js/Id.h.

Configure options:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

python -u ~/fuzzing/js/compileShell.py -b "--enable-debug --enable-more-deterministic --enable-nspr-build" -r f8d21278244b

=== Treeherder Build Bisection Results by autoBisect ===

The "good" changeset has the timestamp "20150519065123" and the hash "f7054968c36b".
The "bad" changeset has the timestamp "20150519065830" and the hash "1410ca139039".

Likely regression window: https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=f7054968c36b&tochange=1410ca139039

Brian, is bug 1163091 a likely regressor?
Flags: needinfo?(bhackett1024)
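The following is an added illustration, not part of the bug report and not SpiderMonkey code. It makes the boundary in the testcase explicit: 4294967295 is the largest legal array length, so the last index a shift must delete is 4294967294, which is a valid ECMAScript array index but lies outside the integer-tagged jsid range that INT_FITS_IN_JSID checks (0..INT32_MAX; that range is assumed here from js/Id.h rather than quoted from it). The sparse-aware shift below performs the spec's observable steps using string property keys only, so it terminates on a 2^32-1 element array instead of looping over every index. All function names and the small comparison array are constructed for this example.

```javascript
// Added example (not from the bug or SpiderMonkey): the index boundary behind
// the INT_FITS_IN_JSID assertion. Bounds are assumptions taken from js/Id.h.
const JSID_INT_MIN = 0;
const JSID_INT_MAX = 2 ** 31 - 1;        // INT32_MAX: largest integer-tagged jsid
const MAX_ARRAY_LENGTH = 2 ** 32 - 1;    // largest legal Array "length"
const MAX_ARRAY_INDEX = MAX_ARRAY_LENGTH - 1;

// Could this index be encoded as a cheap integer jsid, or must the engine fall
// back to a string/atom property key?
function fitsInIntJsid(i) {
  return Number.isInteger(i) && i >= JSID_INT_MIN && i <= JSID_INT_MAX;
}

// ECMAScript "array index": a canonical unsigned integer string < 2^32 - 1.
function isArrayIndex(key) {
  const s = String(key);
  return /^(0|[1-9][0-9]*)$/.test(s) && Number(s) <= MAX_ARRAY_INDEX;
}

// Array.prototype.shift with the spec's observable effects (index 0 is read and
// then overwritten or deleted, every present index k moves to k-1, index len-1
// is deleted, length shrinks by one), but visiting only the own index keys that
// exist, so a 4294967295-element sparse array is handled without 2^32 steps.
// Keys are strings throughout: this is the generic path an engine needs once
// an index no longer fits an integer jsid.
function sparseShift(arr) {
  const len = arr.length;
  if (len === 0) {
    arr.length = 0;
    return undefined;
  }
  const first = arr[0];
  delete arr['0'];                       // refilled from index 1 below, or stays gone
  const present = Object.keys(arr).filter(isArrayIndex).map(Number).sort((a, b) => a - b);
  for (const k of present) {
    arr[String(k - 1)] = arr[String(k)];
    delete arr[String(k)];
  }
  delete arr[String(len - 1)];           // spec: DeletePropertyOrThrow(O, len-1)
  arr.length = len - 1;
  return first;
}

// The bug's testcase, run through sparseShift, plus the jsid classification of
// the last index the shift must touch.
function runTestcase() {
  const x = Array(4294967295);
  x[1] = 0;
  const lastIndex = x.length - 1;
  const result = sparseShift(x);
  return {
    result,                                           // undefined: index 0 was a hole
    zero: x[0],                                       // 0, moved down from index 1
    oneDeleted: !(1 in x),                            // true
    length: x.length,                                 // 4294967294
    lastIndex,                                        // 4294967294
    lastIndexIsArrayIndex: isArrayIndex(lastIndex),   // true
    lastIndexFitsIntJsid: fitsInIntJsid(lastIndex),   // false: the assertion's case
  };
}

// Sanity check against the engine's own shift on a small holey array, where a
// native generic per-index loop is cheap.
function agreesWithNativeShift() {
  const a = Array(10); a[1] = 'b'; a[4] = 'e';
  const b = Array(10); b[1] = 'b'; b[4] = 'e';
  const ra = a.shift();
  const rb = sparseShift(b);
  return ra === rb && a.length === b.length &&
    Object.keys(a).join() === Object.keys(b).join() &&
    a[0] === b[0] && a[3] === b[3];
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(runTestcase(), agreesWithNativeShift());
}
```

Run it with node. The example deliberately never calls the native shift on the huge array: an engine path that walks every index from 1 to len-1 would not finish in any useful time on a length of 2^32-1, which is also why engines keep a sparse fast path and why that path has to cope with indices that only exist as string keys.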
Comment 1 (Reporter, 3 years ago)
Created attachment 8613750 [details]
stack

(lldb) bt 5
* thread #1: tid = 0x52348, 0x000000010006f7e0 js-dbg-64-dm-nsprBuild-darwin-f8d21278244b`js::array_shift(JSContext*, unsigned int, JS::Value*) + 52 at Id.h:103, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x000000010006f7e0 js-dbg-64-dm-nsprBuild-darwin-f8d21278244b`js::array_shift(JSContext*, unsigned int, JS::Value*) + 52 at Id.h:103
    frame #1: 0x000000010006f7ac js-dbg-64-dm-nsprBuild-darwin-f8d21278244b`js::array_shift(cx=<unavailable>, argc=<unavailable>, vp=<unavailable>) + 908 at jsarray.cpp:2172
    frame #2: 0x00000001001f23cf js-dbg-64-dm-nsprBuild-darwin-f8d21278244b`js::Invoke(JSContext*, JS::CallArgs, js::MaybeConstruct) [inlined] js::CallJSNative(cx=0x00000001028a5180, native=0x000000010006f420)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) + 176 at jscntxtinlines.h:235
    frame #3: 0x00000001001f231f js-dbg-64-dm-nsprBuild-darwin-f8d21278244b`js::Invoke(cx=0x00000001028a5180, args=CallArgs at 0x00007fff5fbfdfa0, construct=<unavailable>) + 447 at Interpreter.cpp:727
    frame #4: 0x00000001007af5a3 js-dbg-64-dm-nsprBuild-darwin-f8d21278244b`js::fun_call(cx=0x00000001028a5180, argc=<unavailable>, vp=<unavailable>) + 339 at jsfun.cpp:1216
(lldb)
Comment 2 (Reporter, 3 years ago)
The top line of the testcase in comment 0 came from:

js/src/tests/js1_5/Array/regress-157652.js
Blocks: 1100132
Comment 3 (Assignee, 3 years ago)
Created attachment 8615725 [details] [diff] [review]
patch
Assignee: nobody → bhackett1024
Flags: needinfo?(bhackett1024)
Attachment #8615725 - Flags: review?(jdemooij)

Updated (3 years ago)
Attachment #8615725 - Flags: review?(jdemooij) → review+
https://hg.mozilla.org/mozilla-central/rev/b476ead4954b
Status: NEW → RESOLVED
Last Resolved: 3 years ago
status-firefox41: affected → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla41