Closed
Bug 1452583
Opened 6 years ago
Closed 6 years ago
Assertion failure: args.length() == 1, at js/src/shell/js.cpp:7720
Categories
(Core :: JavaScript Engine, defect, P3)
Tracking
()
RESOLVED
FIXED
mozilla61
Tracking | Status | |
---|---|---|
firefox-esr52 | --- | unaffected |
firefox-esr60 | --- | unaffected |
firefox59 | --- | unaffected |
firefox60 | --- | unaffected |
firefox61 | --- | fixed |
People
(Reporter: decoder, Assigned: jorendorff)
Details
(Keywords: assertion, bugmon, testcase, Whiteboard: [jsbugmon:update,bisect])
Attachments
(1 file)
1.08 KB,
patch
|
jandem
:
review+
|
Details | Diff | Splinter Review |
The following testcase crashes on mozilla-central revision 277e1562ee9c (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe): function check(obj) { let proto = Object.getPrototypeOf(obj); let props = Object.getOwnPropertyNames(proto); for (let prop of props) { let desc = Object.getOwnPropertyDescriptor(proto, prop); try { desc.set.call(obj); } catch (e) {} } } check(FakeDOMObject(14)); Backtrace: received signal SIGSEGV, Segmentation fault. 0x000000000045dc58 in dom_genericSetter (cx=<optimized out>, argc=<optimized out>, vp=<optimized out>) at js/src/shell/js.cpp:7720 #0 0x000000000045dc58 in dom_genericSetter (cx=<optimized out>, argc=<optimized out>, vp=<optimized out>) at js/src/shell/js.cpp:7720 #1 0x0000000000571a5e in js::CallJSNative (cx=0x7ffff5f15000, native=0x45db40 <dom_genericSetter(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/vm/JSContext-inl.h:290 #2 0x00000000005663df in js::InternalCallOrConstruct (cx=<optimized out>, cx@entry=0x7ffff5f15000, args=..., construct=construct@entry=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:467 #3 0x00000000005667bd in InternalCall (cx=cx@entry=0x7ffff5f15000, args=...) at js/src/vm/Interpreter.cpp:516 #4 0x0000000000566940 in js::Call (cx=cx@entry=0x7ffff5f15000, fval=..., fval@entry=..., thisv=..., args=..., rval=...) at js/src/vm/Interpreter.cpp:535 #5 0x0000000000b59568 in js::fun_call (cx=0x7ffff5f15000, argc=<optimized out>, vp=<optimized out>) at js/src/vm/JSFunction.cpp:1182 #6 0x0000000000571a5e in js::CallJSNative (cx=0x7ffff5f15000, native=0xb592f0 <js::fun_call(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/vm/JSContext-inl.h:290 [...] #20 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:9133 rax 0x0 0 rbx 0x7fffffffc8a0 140737488341152 rcx 0x7ffff6c282ad 140737333330605 rdx 0x0 0 rsi 0x7ffff6ef7770 140737336276848 rdi 0x7ffff6ef6540 140737336272192 rbp 0x7fffffffc660 140737488340576 rsp 0x7fffffffc5e0 140737488340448 r8 0x7ffff6ef7770 140737336276848 r9 0x7ffff7fe4780 140737354024832 r10 0x58 88 r11 0x7ffff6b9e7a0 140737332766624 r12 0x7ffff5f15000 140737319620608 r13 0x45db40 4578112 r14 0x7fffffffc680 140737488340608 r15 0x7fffffffc900 140737488341248 rip 0x45dc58 <dom_genericSetter(JSContext*, unsigned int, JS::Value*)+280> => 0x45dc58 <dom_genericSetter(JSContext*, unsigned int, JS::Value*)+280>: movl $0x0,0x0 0x45dc63 <dom_genericSetter(JSContext*, unsigned int, JS::Value*)+291>: ud2 This looks like a shell-only problem.
Assignee | ||
Comment 2•6 years ago
|
||
Attachment #8967855 -
Flags: review?(jdemooij)
Assignee | ||
Updated•6 years ago
|
Assignee: nobody → jorendorff
Status: NEW → ASSIGNED
Assignee | ||
Updated•6 years ago
|
Flags: needinfo?(jorendorff)
Updated•6 years ago
|
Attachment #8967855 -
Flags: review?(jdemooij) → review+
Assignee | ||
Comment 3•6 years ago
|
||
https://hg.mozilla.org/integration/mozilla-inbound/rev/82e125c825cef4f087473e9637a8d5f11c9680d5 Bug 1452583 - Demote bogus assertion in dom_genericSetter to runtime check. r=jandem.
Comment 4•6 years ago
|
||
bugherder |
https://hg.mozilla.org/mozilla-central/rev/82e125c825ce
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla61
Updated•6 years ago
|
status-firefox59:
--- → unaffected
status-firefox60:
--- → unaffected
status-firefox-esr52:
--- → unaffected
status-firefox-esr60:
--- → unaffected
You need to log in
before you can comment on or make changes to this bug.
Description
•