Closed
Bug 1335623
Opened 7 years ago
Closed 7 years ago
Assertion failure: !v.isMagic(), at js/src/vm/TypedArrayCommon.h:604
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 1335619
| Tracking | Status | |
|---|---|---|
| firefox54 | --- | affected |
People
(Reporter: gkw, Unassigned)
References
Details
(Keywords: assertion, bugmon, testcase, Whiteboard: [jsbugmon:update])
Attachments
(1 file)
|
29.16 KB,
text/plain
|
Details |
The following testcase crashes on mozilla-central revision 1d025ac534a6 (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --ion-eager):
// jsfunfuzz-generated
x = [];
// Adapted from randomly chosen test: js/src/tests/ecma_5/String/match-defines-match-elements.js
y = Object.defineProperty(Array.prototype, 1, {
set: function () {}
});
// jsfunfuzz-generated
x.splice(0, 1, y, y);
new Float64Array(x);
Backtrace:
0 js-dbg-64-dm-clang-darwin-1d025ac534a6 0x00000001011e887c js::ElementSpecific<(anonymous namespace)::TypedArrayObjectTemplate<double>, js::UnsharedOps>::valueToNative(JSContext*, JS::Handle<JS::Value>, double*) + 652 (TypedArrayCommon.h:604)
1 js-dbg-64-dm-clang-darwin-1d025ac534a6 0x00000001011eeaa8 js::TypedArrayMethods<js::TypedArrayObject>::initFromIterablePackedArray(JSContext*, JS::Handle<js::TypedArrayObject*>, JS::Handle<js::ArrayObject*>) + 17480 (TypedArrayCommon.h:468)
2 js-dbg-64-dm-clang-darwin-1d025ac534a6 0x0000000101198983 (anonymous namespace)::TypedArrayObjectTemplate<double>::fromArray(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSObject*>) + 1075 (TypedArrayObject.cpp:1340)
3 js-dbg-64-dm-clang-darwin-1d025ac534a6 0x000000010118eaad (anonymous namespace)::TypedArrayObjectTemplate<double>::class_constructor(JSContext*, unsigned int, JS::Value*) + 941 (TypedArrayObject.cpp:768)
4 js-dbg-64-dm-clang-darwin-1d025ac534a6 0x0000000100a0b81e js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) + 222 (jscntxtinlines.h:263)
5 js-dbg-64-dm-clang-darwin-1d025ac534a6 0x0000000100a17a8a js::CallJSNativeConstructor(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) + 138 (jscntxtinlines.h:295)
/snip
For detailed crash information, see attachment.
Setting s-s as a start because TypedArrays are involved.
|
Reporter | |
Comment 1•7 years ago
|
||
|
|
Reporter | |
Comment 2•7 years ago
|
||
Probably related to bug 1335619?
|
|
Reporter | |
Comment 3•7 years ago
|
||
autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: https://hg.mozilla.org/mozilla-central/rev/6aae92d8aa00 user: André Bargull date: Thu Jan 26 12:19:01 2017 -0800 summary: Bug 1282104 - Part 2: Remove dense fast path in Array.prototype methods which didn't check for inherited accessors. r=jandem André, is bug 1282104 a likely regressor?
Blocks: 1282104
Flags: needinfo?(andrebargull)
|
||
Comment 4•7 years ago
|
||
(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #2) > Probably related to bug 1335619? Yes, they're both the same issue.
Status: NEW → RESOLVED
Closed: 7 years ago
Flags: needinfo?(andrebargull)
Resolution: --- → DUPLICATE
|
||
Updated•5 years ago
|
Group: javascript-core-security
You need to log in
before you can comment on or make changes to this bug.
Description
•