Assertion failure: !isWrapped, at js/src/vm/TypedArrayObject.cpp:997 with wrapWithProto
Categories
(Core :: JavaScript Engine, defect)
Tracking
Branch | Tracking | Status
---|---|---
firefox-esr60 | --- | unaffected
firefox64 | --- | unaffected
firefox65 | --- | unaffected
firefox66 | --- | fixed
People
(Reporter: decoder, Assigned: jandem)
Details
(4 keywords, Whiteboard: [jsbugmon:update,bisect])
Attachments
(1 file)
The following testcase crashes on mozilla-central revision e56cc5e7b57a (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --cpu-count=2 --ion-offthread-compile=off):
let a = wrapWithProto(new Int8Array([1, 3, 5, 6, 9]), new Int8Array());
new Uint8ClampedArray(a);
Backtrace:
received signal SIGSEGV, Segmentation fault.
GetBufferSpeciesConstructor (cx=0x7ffff5f19000, typedArray=..., typedArray@entry=..., isWrapped=<optimized out>, override=(anonymous namespace)::SpeciesConstructorOverride::None) at js/src/vm/TypedArrayObject.cpp:997
#0 GetBufferSpeciesConstructor (cx=0x7ffff5f19000, typedArray=..., typedArray@entry=..., isWrapped=<optimized out>, override=(anonymous namespace)::SpeciesConstructorOverride::None) at js/src/vm/TypedArrayObject.cpp:997
#1 0x0000555555d26f3a in (anonymous namespace)::TypedArrayObjectTemplate<js::uint8_clamped>::fromTypedArray (cx=<optimized out>, other=..., isWrapped=<optimized out>, proto=...) at js/src/vm/TypedArrayObject.cpp:1114
#2 0x0000555555d27a7a in (anonymous namespace)::TypedArrayObjectTemplate<js::uint8_clamped>::fromArray (cx=<optimized out>, other=..., other@entry=..., proto=..., proto@entry=...) at js/src/vm/TypedArrayObject.cpp:1044
#3 0x0000555555d282f3 in (anonymous namespace)::TypedArrayObjectTemplate<js::uint8_clamped>::create (args=..., cx=<optimized out>) at js/src/vm/TypedArrayObject.cpp:622
#4 (anonymous namespace)::TypedArrayObjectTemplate<js::uint8_clamped>::class_constructor (cx=cx@entry=0x7ffff5f19000, argc=<optimized out>, vp=<optimized out>) at js/src/vm/TypedArrayObject.cpp:579
#5 0x0000555555900e09 in CallJSNative (cx=0x7ffff5f19000, native=native@entry=0x555555d27e80 <(anonymous namespace)::TypedArrayObjectTemplate<js::uint8_clamped>::class_constructor(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/vm/Interpreter.cpp:439
[...]
#18 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:11328
rip 0x555555d24af9 <GetBufferSpeciesConstructor(JSContext*, JS::Handle<js::TypedArrayObject*>, bool, (anonymous namespace)::SpeciesConstructorOverride)+1001>
=> 0x555555d24af9 <GetBufferSpeciesConstructor(JSContext*, JS::Handle<js::TypedArrayObject*>, bool, (anonymous namespace)::SpeciesConstructorOverride)+1001>: movl $0x0,0x0
0x555555d24b04 <GetBufferSpeciesConstructor(JSContext*, JS::Handle<js::TypedArrayObject*>, bool, (anonymous namespace)::SpeciesConstructorOverride)+1012>: ud2
Could be a shell-only problem with wrapWithProto.
Comment 1•6 years ago
Regression from bug 1518753: https://hg.mozilla.org/mozilla-central/rev/b32c2548fa6b
Comment 4•6 years ago
bugherder