Assertion failure: !isWrapped, at js/src/vm/TypedArrayObject.cpp:997 with wrapWithProto

RESOLVED FIXED in Firefox 66

Status

Status: RESOLVED FIXED
Type: defect
Priority: --
Severity: critical

People

Reporter: decoder, Assigned: jandem

Tracking

Blocks 1 bug, 4 keywords
Version: Trunk
Target Milestone: mozilla66
Hardware: x86_64
OS: Linux
Bug Flags: in-testsuite +

Firefox Tracking Flags

firefox-esr60 unaffected, firefox64 unaffected, firefox65 unaffected, firefox66 fixed

Details

Whiteboard: [jsbugmon:update,bisect]

Attachments

1 attachment

The following testcase crashes on mozilla-central revision e56cc5e7b57a (build with --enable-posix-nspr-emulation --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --cpu-count=2 --ion-offthread-compile=off):

// wrapWithProto is a JS shell testing function; it returns a same-compartment wrapper around the Int8Array
let a = wrapWithProto(new Int8Array([1, 3, 5, 6, 9]), new Int8Array());
// The copying constructor receives the wrapper and trips the !isWrapped assertion in fromTypedArray
new Uint8ClampedArray(a);

Backtrace:

received signal SIGSEGV, Segmentation fault.
GetBufferSpeciesConstructor (cx=0x7ffff5f19000, typedArray=..., typedArray@entry=..., isWrapped=<optimized out>, override=(anonymous namespace)::SpeciesConstructorOverride::None) at js/src/vm/TypedArrayObject.cpp:997
#0 GetBufferSpeciesConstructor (cx=0x7ffff5f19000, typedArray=..., typedArray@entry=..., isWrapped=<optimized out>, override=(anonymous namespace)::SpeciesConstructorOverride::None) at js/src/vm/TypedArrayObject.cpp:997
#1 0x0000555555d26f3a in (anonymous namespace)::TypedArrayObjectTemplate<js::uint8_clamped>::fromTypedArray (cx=<optimized out>, other=..., isWrapped=<optimized out>, proto=...) at js/src/vm/TypedArrayObject.cpp:1114
#2 0x0000555555d27a7a in (anonymous namespace)::TypedArrayObjectTemplate<js::uint8_clamped>::fromArray (cx=<optimized out>, other=..., other@entry=..., proto=..., proto@entry=...) at js/src/vm/TypedArrayObject.cpp:1044
#3 0x0000555555d282f3 in (anonymous namespace)::TypedArrayObjectTemplate<js::uint8_clamped>::create (args=..., cx=<optimized out>) at js/src/vm/TypedArrayObject.cpp:622
#4 (anonymous namespace)::TypedArrayObjectTemplate<js::uint8_clamped>::class_constructor (cx=cx@entry=0x7ffff5f19000, argc=<optimized out>, vp=<optimized out>) at js/src/vm/TypedArrayObject.cpp:579
#5 0x0000555555900e09 in CallJSNative (cx=0x7ffff5f19000, native=native@entry=0x555555d27e80 <(anonymous namespace)::TypedArrayObjectTemplate<js::uint8_clamped>::class_constructor(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/vm/Interpreter.cpp:439
[...]
#18 main (argc=<optimized out>, argv=<optimized out>, envp=<optimized out>) at js/src/shell/js.cpp:11328
rax 0x555557bee280 93825032708736
rbx 0x7ffff5f19000 140737319636992
rcx 0x555556b4f8b0 93825015281840
rdx 0x0 0
rsi 0x7ffff6eeb770 140737336227696
rdi 0x7ffff6eea540 140737336223040
rbp 0x7fffffffc650 140737488340560
rsp 0x7fffffffc5b0 140737488340400
r8 0x7ffff6eeb770 140737336227696
r9 0x7ffff7fe6c80 140737354034304
r10 0x58 88
r11 0x7ffff6b927a0 140737332717472
r12 0x7fffffffc5e0 140737488340448
r13 0xe5bdb3b7240 15787682918976
r14 0x7ffff5f19020 140737319637024
r15 0x0 0
rip 0x555555d24af9 <GetBufferSpeciesConstructor(JSContext*, JS::Handle<js::TypedArrayObject*>, bool, (anonymous namespace)::SpeciesConstructorOverride)+1001>
=> 0x555555d24af9 <GetBufferSpeciesConstructor(JSContext*, JS::Handle<js::TypedArrayObject*>, bool, (anonymous namespace)::SpeciesConstructorOverride)+1001>: movl $0x0,0x0
0x555555d24b04 <GetBufferSpeciesConstructor(JSContext*, JS::Handle<js::TypedArrayObject*>, bool, (anonymous namespace)::SpeciesConstructorOverride)+1012>: ud2

Could be a shell-only problem with wrapWithProto.

Flags: needinfo?(jdemooij)
Assignee: nobody → jdemooij
Status: NEW → ASSIGNED
Pushed by jdemooij@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/494b88d492b1
Handle same-compartment wrappers in TypedArrayObjectTemplate<T>::fromTypedArray. r=anba
Status: ASSIGNED → RESOLVED
Closed: 6 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla66
Flags: in-testsuite+