Assertion failure: lengthDouble < 2147483647, at vm/SelfHosting.cpp

Status: RESOLVED DUPLICATE of bug 1200108
Product: Core
Component: JavaScript Engine
Severity: critical
Reported: 3 years ago
Modified: 3 years ago
Reporter: gkw
Assigned to: Unassigned
Version: Trunk
Keywords: assertion, regression, testcase
Blocks: 1 bug
Firefox Tracking Flags: firefox43 affected
Whiteboard: [jsbugmon:update]
Attachments: 1 attachment

Description (Reporter, 3 years ago)

f = function() {
    yield;
}();
f.length = -1;
Array.prototype.map.call(f, function() {});

asserts js debug shell on m-c changeset 7db14bebae91 with --fuzzing-safe --no-threads --no-ion --no-baseline at Assertion failure: lengthDouble < 2147483647, at vm/SelfHosting.cpp

Configure options:

CC="clang -Qunused-arguments" CXX="clang++ -Qunused-arguments" AR=ar AUTOCONF=/usr/local/Cellar/autoconf213/2.13/bin/autoconf213 sh /Users/skywalker/trees/mozilla-central/js/src/configure --target=x86_64-apple-darwin12.5.0 --enable-debug --enable-nspr-build --enable-more-deterministic --with-ccache --enable-gczeal --enable-debug-symbols --disable-tests

python -u ~/funfuzz/js/compileShell.py -b "--enable-debug --enable-more-deterministic --enable-nspr-build" -r 7db14bebae91

autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/36e7f7148cf8
user:        Jan de Mooij
date:        Tue Aug 25 13:13:02 2015 +0200
summary:     Bug 1195298 - Fix NewDenseArray intrinsic to work when the first argument is a double. r=till

Jan, is bug 1195298 a likely regressor? Locking s-s because Arrays + length scare me.
Flags: needinfo?(jdemooij)
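As an added regression-style check, not part of the bug report or of SpiderMonkey's own tests, the block below states what a conforming Array.prototype.map must do with pathological `length` values of the kind the testcase sets (the -1 included): per ECMA-262, map reads ToLength(O.length), so negative, NaN or -Infinity lengths mean zero iterations, and a length beyond 2^32 - 1 must surface as a RangeError from ArrayCreate rather than reach the engine's array allocator. It assumes a modern engine (run under Node) and uses ES6 `function*` syntax in place of the legacy generator form from the testcase; the list of lengths is constructed for illustration.

```javascript
// Reference ToLength: NaN or negative -> 0, otherwise clamp to 2^53 - 1.
function toLength(value) {
  const len = Math.trunc(Number(value));
  if (Number.isNaN(len) || len <= 0) return 0;
  return Math.min(len, Number.MAX_SAFE_INTEGER);
}

// Mirror the testcase shape: a generator object whose own `length` is
// overwritten, then handed to map as an array-like. Modern function*
// syntax stands in for the legacy `function() { yield; }()` form.
function mapWithLength(length) {
  const f = (function* () { yield; })();
  f.length = length;
  let calls = 0;
  try {
    const out = Array.prototype.map.call(f, () => { calls++; return 1; });
    return { outcome: "array", length: out.length, calls };
  } catch (e) {
    return { outcome: e.constructor.name, length: null, calls };
  }
}

// Spec-derived expectation: ArrayCreate rejects lengths above 2^32 - 1
// with a RangeError; everything else yields an array of ToLength(length).
function expectedOutcome(length) {
  return toLength(length) > 2 ** 32 - 1 ? "RangeError" : "array";
}

// Run a constructed set of lengths (the testcase's -1 included) and
// return every case where the engine disagrees with the expectation.
function runCases(lengths = [-1, 0, 3, NaN, -Infinity, "7", 2 ** 32, Infinity]) {
  const mismatches = [];
  for (const length of lengths) {
    const got = mapWithLength(length);
    const want = expectedOutcome(length);
    const lengthOk = want === "RangeError" || got.length === toLength(length);
    if (got.outcome !== want || !lengthOk) mismatches.push({ length, got, want });
  }
  return mismatches;
}
```

An empty result from runCases() means every case behaved as the spec requires; a build that reproduces this bug would instead assert or crash on the -1 case before returning.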
Comment 1 (Reporter, 3 years ago)

Created attachment 8654524: stack


(lldb) bt 5
* thread #1: tid = 0x352c36, 0x0000000100319440 js-dbg-64-dm-nsprBuild-darwin-7db14bebae91`js::intrinsic_NewDenseArray(cx=<unavailable>, argc=<unavailable>, vp=<unavailable>) + 544 at SelfHosting.cpp:301, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x0)
  * frame #0: 0x0000000100319440 js-dbg-64-dm-nsprBuild-darwin-7db14bebae91`js::intrinsic_NewDenseArray(cx=<unavailable>, argc=<unavailable>, vp=<unavailable>) + 544 at SelfHosting.cpp:301
    frame #1: 0x0000000100232192 js-dbg-64-dm-nsprBuild-darwin-7db14bebae91`js::Invoke(JSContext*, JS::CallArgs const&, js::MaybeConstruct) [inlined] js::CallJSNative(cx=0x000000010284c400, native=0x0000000100319220)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) + 171 at jscntxtinlines.h:235
    frame #2: 0x00000001002320e7 js-dbg-64-dm-nsprBuild-darwin-7db14bebae91`js::Invoke(cx=0x000000010284c400, args=0x00007fff5fbfdfb0, construct=<unavailable>) + 599 at Interpreter.cpp:763
    frame #3: 0x000000010024d4d5 js-dbg-64-dm-nsprBuild-darwin-7db14bebae91`Interpret(cx=0x000000010284c400, state=0x00007fff5fbfe5b0) + 48885 at Interpreter.cpp:3054
    frame #4: 0x000000010024155a js-dbg-64-dm-nsprBuild-darwin-7db14bebae91`js::RunScript(cx=0x000000010284c400, state=0x00007fff5fbfe5b0) + 426 at Interpreter.cpp:704
(lldb)

Comment 2 (3 years ago)

Note bughunter has seen this in the wild on 11 urls:

Linux 32/64bit:     Assertion failure: lengthDouble < (2147483647)
OSX 64bit:          Assertion failure: lengthDouble < 2147483647
Windows 7 32/64bit: Assertion failure: lengthDouble < 2147483647i32
OS: Mac OS X → All
Hardware: x86_64 → All

Updated (3 years ago)
Flags: needinfo?(jdemooij)
See Also: → bug 1200108

Updated (3 years ago)
Flags: needinfo?(jdemooij)
Duping forward to bug 1200108.
Group: core-security
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Flags: needinfo?(jdemooij)
Resolution: --- → DUPLICATE
Duplicate of bug: 1200108