Assertion failure: i < argc_, at dist/include/js/CallArgs.h:210 with BigInt
Categories: Core :: JavaScript Engine, defect
Tracking:
| Branch | Tracking | Status |
|---|---|---|
| firefox-esr60 | --- | unaffected |
| firefox65 | --- | unaffected |
| firefox66 | --- | unaffected |
| firefox67 | --- | fixed |
People: Reporter: gkw, Assigned: wingo
Details: 4 keywords, Whiteboard: [jsbugmon:update]
Attachments: 2 files
The following testcase crashes on mozilla-central revision 4bc31addf415 (build with --enable-debug --enable-more-deterministic, run with --fuzzing-safe --no-threads --no-baseline --no-ion):

```js
oomTest(BigInt.asIntN);
```

Backtrace:

```
#0 JS::detail::CallArgsBase<JS::detail::IncludeUsedRval>::operator[] (i=0, this=<optimized out>) at /home/ubuntu/shell-cache/js-dbg-64-dm-linux-x86_64-4bc31addf415/objdir-js/dist/include/js/CallArgs.h:210
#1 js::BigIntObject::asIntN (cx=0x7f5f80317000, argc=<optimized out>, vp=<optimized out>) at js/src/builtin/BigInt.cpp:195
#2 0x000055cca1dcf820 in CallJSNative (cx=0x7f5f80317000, native=0x55cca2033750 <js::BigIntObject::asIntN(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/vm/Interpreter.cpp:442
#3 0x000055cca1dbf2ed in js::InternalCallOrConstruct (cx=0x7f5f80317000, args=..., construct=js::NO_CONSTRUCT) at js/src/vm/Interpreter.cpp:534
#4 0x000055cca1dbfe5d in js::Call (cx=0x7f5f81459680 <_IO_2_1_stderr_>, fval=..., thisv=..., args=..., rval=...) at js/src/vm/Interpreter.cpp:605
#5 0x000055cca2379efc in JS_CallFunction (cx=0x7f5f80317000, obj=..., fun=..., args=..., rval=...) at js/src/jsapi.cpp:2576
```

/snip

For detailed crash information, see attachment.
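As an added illustration of the failure mode in this report, not code from SpiderMonkey or from this bug's fix: a toy model of CallArgs whose operator[] enforces i < argc_ (a thrown exception stands in for the debug assertion), an asIntN native written the unchecked way, and one that uses get() so that missing arguments arrive as undefined. The Value and CallArgs types, the 64-bit wrap, and the (8, 255) argument vector are constructed for the example; the page does not say whether the real fix used get() or an explicit length check.

```cpp
#include <cstdint>
#include <stdexcept>

// Stand-in for JS::Value: either undefined or a number (constructed for the example).
struct Value { bool isUndefined; double number; };

// Toy CallArgs with the two accessors that matter here. In a debug build the real
// operator[] asserts i < argc_ (the assertion in the report); here it throws
// std::out_of_range instead so a test can observe it. get() is the safe form.
class CallArgs {
  const Value* argv_;
  unsigned argc_;
 public:
  CallArgs(const Value* argv, unsigned argc) : argv_(argv), argc_(argc) {}
  const Value& operator[](unsigned i) const {
    if (i >= argc_) throw std::out_of_range("CallArgs: i < argc_ failed");
    return argv_[i];
  }
  Value get(unsigned i) const { return i < argc_ ? argv_[i] : Value{true, 0.0}; }
};

// asIntN on a 64-bit toy: wrap x to `bits` signed bits (two's complement).
int64_t wrapSigned(int64_t x, unsigned bits) {
  if (bits == 0) return 0;
  if (bits >= 64) return x;
  uint64_t low = static_cast<uint64_t>(x) & ((uint64_t{1} << bits) - 1);
  bool negative = low & (uint64_t{1} << (bits - 1));
  return static_cast<int64_t>(negative ? low - (uint64_t{1} << bits) : low);
}
struct Result { bool threw; int64_t value; };

// The pattern behind the assertion: indexing args without checking argc.
// oomTest(BigInt.asIntN) calls the native with zero arguments.
Result asIntN_unchecked(const CallArgs& args) {
  unsigned bits = static_cast<unsigned>(args[0].number);
  return {false, wrapSigned(static_cast<int64_t>(args[1].number), bits)};
}
// Hardened: get() yields undefined for missing arguments and the spec coercions
// decide the outcome (ToIndex(undefined) is 0; ToBigInt(undefined) is a TypeError).
Result asIntN_checked(const CallArgs& args) {
  Value bitsV = args.get(0), bigV = args.get(1);
  if (bigV.isUndefined) return {true, 0};  // TypeError
  unsigned bits = bitsV.isUndefined ? 0 : static_cast<unsigned>(bitsV.number);
  return {false, wrapSigned(static_cast<int64_t>(bigV.number), bits)};
}
// Constructed call site: argv holds (8, 255); only the first `argc` are passed.
static const Value kArgv[2] = {{false, 8.0}, {false, 255.0}};
bool uncheckedTrips(unsigned argc) {
  try { asIntN_unchecked(CallArgs(kArgv, argc)); return false; }
  catch (const std::out_of_range&) { return true; }
}
Result checkedCall(unsigned argc) { return asIntN_checked(CallArgs(kArgv, argc)); }
```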
Comment 1 (Reporter, 7 years ago)

Comment 2 (Reporter, 7 years ago)
autobisectjs shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/4b74d76e55a8
user: Andy Wingo
date: Wed Feb 06 13:41:56 2019 +0000
summary: Bug 1522436 - Enable BigInt compilation by default r=jandem,terpri,froydnj
Andy, I'm guessing this is related to the BigInt landing?
Comment 3 (Assignee, 7 years ago)
Hi, yes, this would be due to the BigInt landing. Before, the fuzzers had not been running on the BigInt API; now they will.
Just as a reminder, there's a run-time flag for BigInt which is off by default. However, in the shell it's on by default, so that fuzzers and unit tests and so on can run. If I understand correctly how this QA process works, then it's OK to fix bugs of this kind as they come in, rather than rolling out the enable-bigint patch, because they pose no danger to users. If you think we should do this in some other way, let me know!
I'll take this one for now, cheers :)
Comment 4 (Assignee, 7 years ago)
Pushed by nbeleuzu@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/c53f5b9d5a75
Fix BigInt constructor API CallArgs usage r=terpri,jorendorff
Comment 6 (bugherder, 7 years ago)
Comment 7 (6 years ago)
test262 coverage added in https://github.com/tc39/test262/pull/2075