Closed Bug 1452583 Opened 4 years ago Closed 4 years ago

Assertion failure: args.length() == 1, at js/src/shell/js.cpp:7720

Categories

(Core :: JavaScript Engine, defect, P3)

Product:
Core
Component:
JavaScript Engine
Platform:
x86_64
Linux
Type:
defect

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla61
Tracking Flags:
Tracking Status
firefox-esr52 --- unaffected
firefox-esr60 --- unaffected
firefox59 --- unaffected
firefox60 --- unaffected
firefox61 --- fixed

People

(Reporter: decoder, Assigned: jorendorff)

Details

(Keywords: assertion, bugmon, testcase, Whiteboard: [jsbugmon:update,bisect])

Attachments

(1 file)

Demote bogus assertion in dom_genericSetter to runtime check
1.08 KB, patch
jandem
: review+
Details | Diff | Splinter Review 
The following testcase crashes on mozilla-central revision 277e1562ee9c (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe):

function check(obj) {
    let proto = Object.getPrototypeOf(obj);
    let props = Object.getOwnPropertyNames(proto);
    for (let prop of props) {
        let desc = Object.getOwnPropertyDescriptor(proto, prop);
        try {
            desc.set.call(obj);
        } catch (e) {}
    }
}
check(FakeDOMObject(14));


Backtrace:

received signal SIGSEGV, Segmentation fault.
0x000000000045dc58 in dom_genericSetter (cx=<optimized out>, argc=<optimized out>, vp=<optimized out>) at js/src/shell/js.cpp:7720
#0  0x000000000045dc58 in dom_genericSetter (cx=<optimized out>, argc=<optimized out>, vp=<optimized out>) at js/src/shell/js.cpp:7720
#1  0x0000000000571a5e in js::CallJSNative (cx=0x7ffff5f15000, native=0x45db40 <dom_genericSetter(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/vm/JSContext-inl.h:290
#2  0x00000000005663df in js::InternalCallOrConstruct (cx=<optimized out>, cx@entry=0x7ffff5f15000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:467
#3  0x00000000005667bd in InternalCall (cx=cx@entry=0x7ffff5f15000, args=...) at js/src/vm/Interpreter.cpp:516
#4  0x0000000000566940 in js::Call (cx=cx@entry=0x7ffff5f15000, fval=..., fval@entry=..., thisv=..., args=..., rval=...) at js/src/vm/Interpreter.cpp:535
#5  0x0000000000b59568 in js::fun_call (cx=0x7ffff5f15000, argc=<optimized out>, vp=<optimized out>) at js/src/vm/JSFunction.cpp:1182
#6  0x0000000000571a5e in js::CallJSNative (cx=0x7ffff5f15000, native=0xb592f0 <js::fun_call(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/vm/JSContext-inl.h:290
[...]
#20 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:9133
rax	0x0	0
rbx	0x7fffffffc8a0	140737488341152
rcx	0x7ffff6c282ad	140737333330605
rdx	0x0	0
rsi	0x7ffff6ef7770	140737336276848
rdi	0x7ffff6ef6540	140737336272192
rbp	0x7fffffffc660	140737488340576
rsp	0x7fffffffc5e0	140737488340448
r8	0x7ffff6ef7770	140737336276848
r9	0x7ffff7fe4780	140737354024832
r10	0x58	88
r11	0x7ffff6b9e7a0	140737332766624
r12	0x7ffff5f15000	140737319620608
r13	0x45db40	4578112
r14	0x7fffffffc680	140737488340608
r15	0x7fffffffc900	140737488341248
rip	0x45dc58 <dom_genericSetter(JSContext*, unsigned int, JS::Value*)+280>
=> 0x45dc58 <dom_genericSetter(JSContext*, unsigned int, JS::Value*)+280>:	movl   $0x0,0x0
   0x45dc63 <dom_genericSetter(JSContext*, unsigned int, JS::Value*)+291>:	ud2


This looks like a shell-only problem.
D'oh.
Flags: needinfo?(jorendorff)
Priority: -- → P3
Assignee: nobody → jorendorff
Status: NEW → ASSIGNED
Flags: needinfo?(jorendorff)
Attachment #8967855 - Flags: review?(jdemooij) → review+
https://hg.mozilla.org/integration/mozilla-inbound/rev/82e125c825cef4f087473e9637a8d5f11c9680d5
Bug 1452583 - Demote bogus assertion in dom_genericSetter to runtime check. r=jandem.
https://hg.mozilla.org/mozilla-central/rev/82e125c825ce
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
status-firefox61: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla61
You need to log in before you can comment on or make changes to this bug.