Closed Bug 1459182 Opened 7 years ago Closed 6 years ago

Assertion failure: TypedArrayObject::is(args[0]) for same-compartment wrappers in Float32Array sort

Categories

(Core :: JavaScript: Standard Library, defect)

defect
Not set
normal

Tracking


RESOLVED FIXED
mozilla67
Tracking Status
firefox-esr60 --- wontfix
firefox61 --- wontfix
firefox65 --- wontfix
firefox66 --- wontfix
firefox67 --- fixed

People

(Reporter: anba, Assigned: anba)

Details

(Keywords: sec-moderate, Whiteboard: [post-critsmash-triage][adv-main67+])

Attachments

(1 file, 1 obsolete file)

Similar to bug 1414768.

Test case:
---
let a = wrapWithProto(new Float32Array(1024), new Float32Array());
a.sort();
---

Stack trace:
---
#0 0x00000000010bf016 in intrinsic_TypedArrayByteOffset(JSContext*, unsigned int, JS::Value*) (cx=0x7ffff5915000, argc=1, vp=0x7fffffff2600) at /home/andre/git/mozilla-central/js/src/vm/SelfHosting.cpp:1100
#1 0x000000000069acd4 in js::CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), JS::CallArgs const&) (cx=0x7ffff5915000, native=0x10bef20 <intrinsic_TypedArrayByteOffset(JSContext*, unsigned int, JS::Value*)>, args=...) at /home/andre/git/mozilla-central/js/src/vm/JSContext-inl.h:280
#2 0x000000000068998f in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct) (cx=0x7ffff5915000, args=..., construct=js::NO_CONSTRUCT) at /home/andre/git/mozilla-central/js/src/vm/Interpreter.cpp:467
#3 0x0000000000689f60 in InternalCall(JSContext*, js::AnyInvokeArgs const&) (cx=0x7ffff5915000, args=...) at /home/andre/git/mozilla-central/js/src/vm/Interpreter.cpp:516
#4 0x0000000000689fd6 in js::Call(JSContext*, JS::Handle<JS::Value>, JS::Handle<JS::Value>, js::AnyInvokeArgs const&, JS::MutableHandle<JS::Value>) (cx=0x7ffff5915000, fval=$JS::Value((JSObject *) 0x7ffff4db0c40 [object Function "TypedArrayByteOffset"]), thisv=$JS::Value((JSObject *) 0x7ffff7e003a0 [object Float32Array]), args=..., rval=$JS::Value((JSObject *) 0x7ffff4db08c0 [object Function "CallTypedArrayMethodIfWrapped"])) at /home/andre/git/mozilla-central/js/src/vm/Interpreter.cpp:535
#5 0x00000000010a75fb in CallSelfHostedNonGenericMethod(JSContext*, JS::CallArgs const&) (cx=0x7ffff5915000, args=...) at /home/andre/git/mozilla-central/js/src/vm/SelfHosting.cpp:1701
#6 0x0000000000e03c2d in js::CallNativeImpl(JSContext*, bool (*)(JSContext*, JS::CallArgs const&), JS::CallArgs const&) (cx=0x7ffff5915000, impl=0x10a72b0 <CallSelfHostedNonGenericMethod(JSContext*, JS::CallArgs const&)>, args=...) at /home/andre/git/mozilla-central/js/src/vm/JSContext-inl.h:296
#7 0x0000000000dffb41 in js::ForwardingProxyHandler::nativeCall(JSContext*, bool (*)(JS::Handle<JS::Value>), bool (*)(JSContext*, JS::CallArgs const&), JS::CallArgs const&) const (this=0x296bc38 <js::Wrapper::singletonWithPrototype>, cx=0x7ffff5915000, test=0x10ec2e0 <Is<js::TypedArrayObject>(JS::Handle<JS::Value>)>, impl=0x10a72b0 <CallSelfHostedNonGenericMethod(JSContext*, JS::CallArgs const&)>, args=...) at /home/andre/git/mozilla-central/js/src/proxy/Wrapper.cpp:239
#8 0x0000000000ded25c in js::Proxy::nativeCall(JSContext*, bool (*)(JS::Handle<JS::Value>), bool (*)(JSContext*, JS::CallArgs const&), JS::CallArgs const&) (cx=0x7ffff5915000, test=0x10ec2e0 <Is<js::TypedArrayObject>(JS::Handle<JS::Value>)>, impl=0x10a72b0 <CallSelfHostedNonGenericMethod(JSContext*, JS::CallArgs const&)>, args=...) at /home/andre/git/mozilla-central/js/src/proxy/Proxy.cpp:542
#9 0x0000000000e660ea in JS::detail::CallMethodIfWrapped(JSContext*, bool (*)(JS::Handle<JS::Value>), bool (*)(JSContext*, JS::CallArgs const&), JS::CallArgs const&) (cx=0x7ffff5915000, test=0x10ec2e0 <Is<js::TypedArrayObject>(JS::Handle<JS::Value>)>, impl=0x10a72b0 <CallSelfHostedNonGenericMethod(JSContext*, JS::CallArgs const&)>, args=...) at /home/andre/git/mozilla-central/js/src/vm/CallNonGenericMethod.cpp:27
#10 0x00000000010ec3b0 in JS::CallNonGenericMethod<&(bool Is<js::TypedArrayObject>(JS::Handle<JS::Value>)), &(CallSelfHostedNonGenericMethod(JSContext*, JS::CallArgs const&))>(JSContext*, JS::CallArgs const&) (cx=0x7ffff5915000, args=...) at /home/andre/git/mozilla-central/js/src/build-debug-master/dist/include/js/CallNonGenericMethod.h:102
#11 0x00000000010c0c44 in CallNonGenericSelfhostedMethod<&(bool Is<js::TypedArrayObject>(JS::Handle<JS::Value>))>(JSContext*, unsigned int, JS::Value*) (cx=0x7ffff5915000, argc=2, vp=0x7fffffff30a8) at /home/andre/git/mozilla-central/js/src/vm/SelfHosting.cpp:1739
...
---
Group: core-security → javascript-core-security
Attached patch bug1459182.patch (obsolete) — Splinter Review

Basically the same as bug 1414768.

Assignee: nobody → andrebargull
Status: NEW → ASSIGNED
Attachment #9043274 - Flags: review?(jorendorff)
Attached patch bug1459182.patch - Splinter Review

Forgot to add the test case.

Attachment #9043274 - Attachment is obsolete: true
Attachment #9043274 - Flags: review?(jorendorff)
Attachment #9043277 - Flags: review?(jorendorff)
Comment on attachment 9043277 [details] [diff] [review]
bug1459182.patch

Review of attachment 9043277 [details] [diff] [review]:
-----------------------------------------------------------------

Ugh. I spoke a bit with bz about this. In the long run, I think we should probably stop trying to handle wrappers (other than cross-compartment wrappers) in standard library methods like this one. Instead, we can throw a TypeError. We do have to keep handling CCWs, for now (and thus DeadProxyObjects).
Attachment #9043277 - Flags: review?(jorendorff) → review+
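The long-run behaviour the reviewer describes (a TypeError for wrappers that are not cross-compartment wrappers) is what the ECMAScript spec already mandates for a plain Proxy around a typed array: ValidateTypedArray requires the receiver itself to carry the [[TypedArrayName]] internal slot. The following is an added example runnable in Node.js, not code from this bug or from SpiderMonkey; `wrapWithProto` is a SpiderMonkey shell helper with no standard equivalent, so a `Proxy` and an object inheriting from a typed array stand in for "wrapper" receivers.

```javascript
// Added example (not from the bug report or SpiderMonkey): Float32Array.prototype.sort
// brand-checks its receiver. Anything that is not itself a typed array, including a
// Proxy wrapped around one, lacks the [[TypedArrayName]] internal slot, so the spec
// requires a TypeError instead of reaching through to the wrapped object's buffer.
// `wrapWithProto` from the bug is a SpiderMonkey shell helper; a standard Proxy stands in.
function sortReceiver(receiver) {
  try {
    Float32Array.prototype.sort.call(receiver);
    // Read the sorted contents back; for a real typed array this is the array itself.
    return { ok: true, values: Array.from(receiver) };
  } catch (e) {
    return { ok: false, error: e.constructor.name };
  }
}

// Constructed receivers for the three cases.
const direct = new Float32Array([3, 1, 2]);                   // genuine typed array
const proxied = new Proxy(new Float32Array([3, 1, 2]), {});   // wrapper without the slot
const protoOnly = Object.create(new Float32Array([3, 1, 2])); // inherits from one, is not one

for (const [name, r] of [["direct", direct], ["proxied", proxied], ["protoOnly", protoOnly]]) {
  console.log(name, JSON.stringify(sortReceiver(r)));
}
```

Only the genuine typed array sorts; both stand-in wrappers are rejected before any buffer access, which is the invariant the assertion in the bug was guarding.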
Keywords: checkin-needed
Status: ASSIGNED → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla67
Group: javascript-core-security → core-security-release

Is this something which should be nominated for Beta backport or can it ride the trains?

Flags: qe-verify-
Whiteboard: [post-critsmash-triage]

(In reply to Ryan VanderMeulen [:RyanVM] from comment #6)
> Is this something which should be nominated for Beta backport or can it ride the trains?

Flags: needinfo?(andrebargull)

This is the same sort of issue as in bug 1414768, where Jason said it's actually "not sec-anything" (bug 1414768, comment #22), so it should be okay to let it ride the trains.

Flags: needinfo?(andrebargull)
Whiteboard: [post-critsmash-triage] → [post-critsmash-triage][adv-main67+]
Group: core-security-release