Assertion failure: v.isString() || v.isObject() || v.isSymbol(), at js/src/vm/TypedArrayObject-inl.h:617 with BigInt
Categories
(Core :: JavaScript Engine, defect)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox-esr60 | --- | unaffected |
| firefox65 | --- | unaffected |
| firefox66 | --- | unaffected |
| firefox67 | --- | fixed |
People
(Reporter: gkw, Assigned: terpri)
References
Details
(4 keywords, Whiteboard: [jsbugmon:update])
Attachments
(2 files)
The following testcase crashes on mozilla-central revision 6a3edc353ef2 (build with --enable-debug, run with --fuzzing-safe --no-threads --no-baseline --no-ion):
new Int8Array([1].map(BigInt));
Backtrace:
#0 js::ElementSpecific<signed char, js::UnsharedOps>::valueToNative (cx=0x7f6a58a17000, v=..., result=0x7ffeb57b4917 "0\370I{\265\376\177") at js/src/vm/TypedArrayObject-inl.h:617
#1 0x0000561031da7368 in js::ElementSpecific<signed char, js::UnsharedOps>::initFromIterablePackedArray (cx=0x7f6a58a17000, target=..., source=...) at js/src/vm/TypedArrayObject-inl.h:465
#2 0x0000561031ed5af6 in (anonymous namespace)::TypedArrayObjectTemplate<signed char>::fromObject (cx=<optimized out>, proto=..., group=..., other=...) at js/src/vm/TypedArrayObject.cpp:1308
#3 (anonymous namespace)::TypedArrayObjectTemplate<signed char>::fromArray (cx=0x7f6a58a17000, other=..., proto=..., group=...) at js/src/vm/TypedArrayObject.cpp:1145
#4 0x0000561031ecd848 in (anonymous namespace)::TypedArrayObjectTemplate<signed char>::create (cx=<optimized out>, args=...) at js/src/vm/TypedArrayObject.cpp:657
#5 (anonymous namespace)::TypedArrayObjectTemplate<signed char>::class_constructor (cx=<optimized out>, argc=<optimized out>, vp=<optimized out>) at js/src/vm/TypedArrayObject.cpp:614
/snip
For detailed crash information, see attachment.
|
Reporter | |
Comment 1•7 years ago
|
||
|
|
Reporter | |
Comment 2•7 years ago
|
||
autobisectjs shows this is probably related to the following changeset:
The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/4b74d76e55a8
user: Andy Wingo
date: Wed Feb 06 13:41:56 2019 +0000
summary: Bug 1522436 - Enable BigInt compilation by default r=jandem,terpri,froydnj
Andy, here's another BigInt fuzzbug.
|
||
Comment 3•7 years ago
|
||
Thanks!
FYI typed arrays are the other thing that aren't working with BigInt yet (besides increment/decrement ops).
Pulling in Robin as they're working on landing their TypedArray x BigInt patches from bug 1456569. Would you mind taking a look Robin?
FWIW the relevant spec section for this one would appear to be https://tc39.github.io/proposal-bigint/#sec-numbertorawbytes.
|
|
Assignee | |
Comment 4•7 years ago
|
||
except for the assertion failure, valueToNative should already work for BigInts -- ToNumber will report a TypeError and return false when called with a BigInt argument
|
|
Assignee | |
Comment 5•7 years ago
|
||
|
|
Assignee | |
Updated•7 years ago
|
Pushed by ncsoregi@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/52b19cbca26b
Fix TypedArray value conversion for BigInts r=jwalden
|
|
||
Comment 7•7 years ago
|
||
| bugherder | ||
|
||
Updated•7 years ago
|
Description
•