Closed Bug 1263139 Opened 4 years ago Closed 4 years ago

Assertion failure: args[1].isString() || args[1].isUndefined(), at js/src/vm/SelfHosting.cpp:1569 with enableMatchFlagArgument

Categories

(Core :: JavaScript Engine, defect, critical)

x86_64
Linux
defect
Not set
critical

Tracking


RESOLVED FIXED
mozilla48
Tracking Status
firefox48 --- fixed

People

(Reporter: decoder, Assigned: arai)

References

(Blocks 1 open bug)

Details

(Keywords: assertion, regression, testcase, Whiteboard: [jsbugmon:update])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision 06678484909c (build with --enable-optimize --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug, run with --fuzzing-safe --ion-offthread-compile=off):

enableMatchFlagArgument();
var BSL = "".replace(BSL, "", isFinite)
Backtrace:

Program received signal SIGSEGV, Segmentation fault.
0x0000000000adc26f in intrinsic_RegExpCreate (cx=<optimized out>, argc=<optimized out>, vp=<optimized out>) at js/src/vm/SelfHosting.cpp:1569
#0  0x0000000000adc26f in intrinsic_RegExpCreate (cx=<optimized out>, argc=<optimized out>, vp=<optimized out>) at js/src/vm/SelfHosting.cpp:1569
#1  0x0000000000a905a2 in js::CallJSNative (cx=0x7ffff6908000, native=0xadc210 <intrinsic_RegExpCreate(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:235
[...]
#16 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:7443
rip	0xadc26f <intrinsic_RegExpCreate(JSContext*, unsigned int, JS::Value*)+95>
=> 0xadc26f <intrinsic_RegExpCreate(JSContext*, unsigned int, JS::Value*)+95>:	movl   $0x621,0x0
   0xadc27a <intrinsic_RegExpCreate(JSContext*, unsigned int, JS::Value*)+106>:	callq  0x4ab630 <abort()>
In the previous C++ code it did the following, so I added a ToString call to each function.

>             if (flagArgumentEnabled) {
>                 opt = ToString<CanGC>(cx, args[optarg]);
>                 if (!opt)
>                     return false;
>             }

This bug cannot be hit with the default configuration on nightly, as the flags argument is disabled on nightly, and the testcase needs a testing function to enable it (that is exposed only to the JS shell and chrome-privileged code in the browser).

Will remove all those flags things in the next cycle.
Assignee: nobody → arai.unmht
Attachment #8739417 - Flags: review?(till)
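Added example, not SpiderMonkey's own code: a JavaScript model of the boundary between the self-hosted String.prototype.replace wrapper and the RegExpCreate intrinsic, showing why forwarding the non-standard flags argument untouched trips the intrinsic's invariant and how applying ToString first turns that into an ordinary SyntaxError. The function names and the throwing stand-in for the intrinsic are assumptions of this model.

```javascript
// Stand-in for intrinsic_RegExpCreate (hypothetical model). The native version
// asserts `args[1].isString() || args[1].isUndefined()` and aborts a debug
// build; this model throws instead so the violated invariant is observable.
function intrinsicRegExpCreate(pattern, flags) {
  if (!(typeof flags === "string" || flags === undefined)) {
    throw new TypeError("RegExpCreate invariant violated: flags must be a string or undefined");
  }
  return new RegExp(pattern, flags);
}

// Before the fix: the non-standard third argument is forwarded untouched,
// so any non-string value reaches the intrinsic.
function replaceBeforeFix(str, searchValue, replaceValue, flags) {
  if (flags === undefined) return str.replace(searchValue, replaceValue);
  return str.replace(intrinsicRegExpCreate(searchValue, flags), replaceValue);
}

// After the fix: ToString is applied first (String() here), mirroring the
// earlier C++ `opt = ToString<CanGC>(cx, args[optarg])`. A function value
// becomes a string of invalid flag characters, so RegExp raises a normal
// SyntaxError instead of the intrinsic hitting its assertion.
function replaceAfterFix(str, searchValue, replaceValue, flags) {
  if (flags === undefined) return str.replace(searchValue, replaceValue);
  return str.replace(intrinsicRegExpCreate(searchValue, String(flags)), replaceValue);
}

// Runs a call and reports either its result or the name of the error thrown.
function outcome(fn) {
  try {
    return { value: fn() };
  } catch (e) {
    return { error: e.name };
  }
}

// The reporter's testcase: BSL is hoisted but unassigned, so searchValue is
// undefined and the flags argument is the isFinite function.
var BSL;
const before = outcome(() => replaceBeforeFix("", BSL, "", isFinite)); // { error: "TypeError" }
const after = outcome(() => replaceAfterFix("", BSL, "", isFinite));   // { error: "SyntaxError" }
// With a real flag string the legacy argument still works after the fix.
const legacyGlobal = replaceAfterFix("a-b-c", "-", "+", "g");          // "a+b+c"
```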
Comment on attachment 8739417 [details] [diff] [review]
Apply ToString to non-standard flags argument of String.prototype.{match,search,replace}.

Review of attachment 8739417 [details] [diff] [review]:
-----------------------------------------------------------------

r=me
Attachment #8739417 - Flags: review?(till) → review+
https://hg.mozilla.org/integration/mozilla-inbound/rev/cc7cbfe427b24c466387524048a000c69ff8d840
Bug 1263139 - Apply ToString to non-standard flags argument of String.prototype.{match,search,replace}. r=till
https://hg.mozilla.org/mozilla-central/rev/cc7cbfe427b2
https://hg.mozilla.org/mozilla-central/rev/4ed4a5de51d0
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla48
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]