Closed
Bug 1199935
Opened 9 years ago
Closed 9 years ago
Assertion failure: lengthDouble < 2147483647, at vm/SelfHosting.cpp
Categories
(Core :: JavaScript Engine, defect)
Core
JavaScript Engine
Tracking
()
RESOLVED
DUPLICATE
of bug 1200108
| Tracking | Status | |
|---|---|---|
| firefox43 | --- | affected |
People
(Reporter: gkw, Unassigned)
References
Details
(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update])
Attachments
(1 file)
|
4.95 KB,
text/plain
|
Details |
f = function() {
yield;
}();
f.length = -1;
Array.prototype.map.call(f, function() {});
asserts js debug shell on m-c changeset 7db14bebae91 with --fuzzing-safe --no-threads --no-ion --no-baseline at Assertion failure: lengthDouble < 2147483647, at vm/SelfHosting.cpp
Configure options:
CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests
python -u ~/funfuzz/js/compileShell.py -b "--enable-debug --enable-more-deterministic --enable-nspr-build" -r 7db14bebae91
autoBisect shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/36e7f7148cf8
user: Jan de Mooij
date: Tue Aug 25 13:13:02 2015 +0200
summary: Bug 1195298 - Fix NewDenseArray intrinsic to work when the first argument is a double. r=till
Jan, is bug 1195298 a likely regressor? Locking s-s because Arrays + length scare me.
Flags: needinfo?(jdemooij)
|
Reporter | |
Comment 1•9 years ago
|
||
(lldb) bt 5
* thread #1: tid = 0x352c36, 0x0000000100319440 js-dbg-64-dm-nsprBuild-darwin-7db14bebae91`js::intrinsic_NewDenseArray(cx=<unavailable>, argc=<unavailable>, vp=<unavailable>) + 544 at SelfHosting.cpp:301, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
* frame #0: 0x0000000100319440 js-dbg-64-dm-nsprBuild-darwin-7db14bebae91`js::intrinsic_NewDenseArray(cx=<unavailable>, argc=<unavailable>, vp=<unavailable>) + 544 at SelfHosting.cpp:301
frame #1: 0x0000000100232192 js-dbg-64-dm-nsprBuild-darwin-7db14bebae91`js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) [inlined] js::CallJSNative(cx=0x000000010284c400, native=0x0000000100319220)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) + 171 at jscntxtinlines.h:235
frame #2: 0x00000001002320e7 js-dbg-64-dm-nsprBuild-darwin-7db14bebae91`js::Invoke(cx=0x000000010284c400, args=0x00007fff5fbfdfb0, construct=<unavailable>) + 599 at Interpreter.cpp:763
frame #3: 0x000000010024d4d5 js-dbg-64-dm-nsprBuild-darwin-7db14bebae91`Interpret(cx=0x000000010284c400, state=0x00007fff5fbfe5b0) + 48885 at Interpreter.cpp:3054
frame #4: 0x000000010024155a js-dbg-64-dm-nsprBuild-darwin-7db14bebae91`js::RunScript(cx=0x000000010284c400, state=0x00007fff5fbfe5b0) + 426 at Interpreter.cpp:704
(lldb)
|
||
Comment 2•9 years ago
|
||
Note bughunter has seen this in the wild on 11 urls:
Linux 32/64bit: Assertion failure: lengthDouble < (2147483647)
OSX 64bit: Assertion failure: lengthDouble < 2147483647
Windows 7 32/64bit: Assertion failure: lengthDouble < 2147483647i32
OS: Mac OS X → All
Hardware: x86_64 → All
|
||
Updated•9 years ago
|
Flags: needinfo?(jdemooij)
|
|
||
Comment 3•9 years ago
|
||
Duping forward to bug 1200108.
Group: core-security
Status: NEW → RESOLVED
Closed: 9 years ago
Flags: needinfo?(jdemooij)
Resolution: --- → DUPLICATE
You need to log in
before you can comment on or make changes to this bug.
Description
•