Assertion failure: slot.toObject().is<PluralRulesObject>(), at js/src/builtin/Intl.cpp:3504

RESOLVED FIXED in Firefox 54

Status

Product: Core
Component: JavaScript: Internationalization API
Priority: --
Severity: critical
Status: RESOLVED FIXED
Reported: a year ago
Modified: a year ago

People

(Reporter: decoder, Assigned: anba)

Tracking

(Blocks: 1 bug, 4 keywords)

Version: Trunk
Target Milestone: mozilla54
Platform: x86_64 Linux
Keywords: assertion, jsbugmon, regression, testcase
Points: ---

Firefox Tracking Flags

(firefox52 unaffected, firefox53 unaffected, firefox54 fixed)

Details

(Whiteboard: [fuzzblocker] [jsbugmon:update])

Attachments

(1 attachment)

Description (Reporter, a year ago)

The following testcase crashes on mozilla-central revision 8dbe89935366 (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --enable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off min.js):

addIntlExtras(Intl);
addIntlExtras(Intl);


Backtrace:

 received signal SIGSEGV, Segmentation fault.
0x0000000000572468 in js::GlobalObject::addPluralRulesConstructor (cx=cx@entry=0x7ffff6946000, intl=...) at js/src/builtin/Intl.cpp:3504
#0  0x0000000000572468 in js::GlobalObject::addPluralRulesConstructor (cx=cx@entry=0x7ffff6946000, intl=...) at js/src/builtin/Intl.cpp:3504
#1  0x000000000057264a in js::AddPluralRulesConstructor (cx=cx@entry=0x7ffff6946000, intl=..., intl@entry=...) at js/src/builtin/Intl.cpp:3523
#2  0x00000000004490eb in AddIntlExtras (cx=0x7ffff6946000, argc=<optimized out>, vp=<optimized out>) at js/src/shell/js.cpp:913
#3  0x000000000053512d in js::CallJSNative (cx=cx@entry=0x7ffff6946000, native=0x449000 <AddIntlExtras(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/jscntxtinlines.h:239
[...]
#16 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:7960


Marking fuzzblocker as this is happening frequently.

Updated

a year ago
Whiteboard: [jsbugmon:update,bisect][fuzzblocker] → [fuzzblocker] [jsbugmon:update]

Comment 1

a year ago
JSBugMon: Bisection requested, result:
autoBisect shows this is probably related to the following changeset:

The first bad revision is:
changeset:   https://hg.mozilla.org/mozilla-central/rev/a67ac2fe858f
user:        André Bargull
date:        Thu Jan 26 04:56:40 2017 -0800
summary:     Bug 1332604 - Part 1: Change Intl prototypes to plain objects. r=Waldo

This iteration took 254.397 seconds to run.
Updated (Assignee, a year ago)

Assignee: nobody → andrebargull
Updated (Assignee, a year ago)

Component: JavaScript Engine → JavaScript: Internationalization API
Comment 2 (Assignee, a year ago)

Created attachment 8831418 [details] [diff] [review]
bug1334573.patch
Attachment #8831418 - Flags: review?(jwalden+bmo)

Comment 3

Comment on attachment 8831418 [details] [diff] [review]
bug1334573.patch

Review of attachment 8831418 [details] [diff] [review]:
-----------------------------------------------------------------

Ugh.
Attachment #8831418 - Flags: review?(jwalden+bmo) → review+
Updated (Assignee, a year ago)

Keywords: checkin-needed

Comment 4

a year ago
Pushed by cbook@mozilla.com:
https://hg.mozilla.org/integration/mozilla-inbound/rev/58e48aa02dce
Remove assertion that Intl.PluralRules.prototype is an Intl.PluralRules instance. r=Waldo
Keywords: checkin-needed

Comment 5

a year ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/58e48aa02dce
Status: NEW → RESOLVED
Last Resolved: a year ago
status-firefox54: affected → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla54
Blocks: 1332604
status-firefox52: --- → unaffected
status-firefox53: --- → unaffected
Depends on: 1336950