Closed Bug 1572985 Opened 5 years ago Closed 5 years ago

Self-hosted JavaScript assertion info: "js/src/builtin/intl/CommonFunctions.js:1821: locale after concatenation is a canonicalized language tag"

Categories

(Core :: JavaScript Engine, defect, P1)

x86_64
Linux
defect

Tracking

()

RESOLVED FIXED
mozilla70
Tracking Status
firefox-esr60 --- unaffected
firefox-esr68 --- wontfix
firefox68 --- wontfix
firefox69 --- wontfix
firefox70 --- fixed

People

(Reporter: decoder, Assigned: anba)

References

(Regression)

Details

(5 keywords, Whiteboard: [jsbugmon:update])

Attachments

(1 file)

The following testcase crashes on mozilla-central revision a28a338396c3 (build with --enable-valgrind --enable-gczeal --disable-tests --disable-profiling --enable-debug --enable-optimize, run with --fuzzing-safe --ion-offthread-compile=off):

new Intl.DateTimeFormat(["en-u-hc-h24-nu-arab"]).resolvedOptions()

Backtrace:

received signal SIGSEGV, Segmentation fault.
intrinsic_AssertionFailed (cx=cx@entry=0x7ffff5f23000, argc=<optimized out>, vp=<optimized out>) at js/src/vm/SelfHosting.cpp:459
#0  intrinsic_AssertionFailed (cx=cx@entry=0x7ffff5f23000, argc=<optimized out>, vp=<optimized out>) at js/src/vm/SelfHosting.cpp:459
#1  0x00005555558ea03f in CallJSNative (cx=0x7ffff5f23000, native=native@entry=0x555555b658b0 <intrinsic_AssertionFailed(JSContext*, unsigned int, JS::Value*)>, args=...) at js/src/vm/Interpreter.cpp:448
[...]
#5  0x000055555611eb93 in js::jit::DoCallFallback (cx=<optimized out>, frame=0x7fffffffc330, stub=0x7ffff47b0780, argc=1, vp=0x7fffffffc250, res=...) at js/src/jit/BaselineIC.cpp:3209
#6  0x00000fbb16ef43e3 in ?? ()
#7  0x0000000000000000 in ?? ()
rax	0x555557cd7120	93825033662752
rbx	0x7fffffffbc10	140737488337936
rcx	0x555556bdd259	93825015861849
rdx	0x0	0
rsi	0x7ffff6eeb770	140737336227696
rdi	0x7ffff6eea540	140737336223040
rbp	0x7fffffffbc50	140737488338000
rsp	0x7fffffffbbf0	140737488337904
r8	0x7ffff6eeb770	140737336227696
r9	0x7ffff7fe6cc0	140737354034368
r10	0x58	88
r11	0x7ffff6b927a0	140737332717472
r12	0x1633eda08220	24412285862432
r13	0x7ffff5f23000	140737319677952
r14	0x7fffffffbc88	140737488338056
r15	0x7ffff5f56000	140737319886848
rip	0x555555b6590c <intrinsic_AssertionFailed(JSContext*, unsigned int, JS::Value*)+92>
=> 0x555555b6590c <intrinsic_AssertionFailed(JSContext*, unsigned int, JS::Value*)+92>:	movl   $0x0,0x0
   0x555555b65917 <intrinsic_AssertionFailed(JSContext*, unsigned int, JS::Value*)+103>:	ud2

autobisectjs shows this is probably related to the following changeset:

The first bad revision is:
changeset: https://hg.mozilla.org/mozilla-central/rev/82630420613d
user: André Bargull
date: Thu Apr 04 14:07:14 2019 +0000
summary: Bug 1531091: Append Unicode extensions without values and remove "true" value from keywords. r=jwalden

Andre, is bug 1531091 a likely regressor?

Flags: needinfo?(andrebargull)
Regressed by: 1531091
Whiteboard: [jsbugmon:update,bisect] → [jsbugmon:update]
JSBugMon: Bisection requested, result: autoBisect shows this is probably related to the following changeset: The first bad revision is: changeset: https://hg.mozilla.org/mozilla-central/rev/82630420613d user: André Bargull date: Thu Apr 04 14:07:14 2019 +0000 summary: Bug 1531091: Append Unicode extensions without values and remove "true" value from keywords. r=jwalden This iteration took 515.948 seconds to run.

(In reply to Gary Kwong [:gkw] [:nth10sd] from comment #1)

Andre, is bug 1531091 a likely regressor?

Yes!

Assignee: nobody → andrebargull
Status: NEW → ASSIGNED
Flags: needinfo?(andrebargull)
Priority: -- → P1

Pushed by cbrindusan@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/b2810baa7a82
Sort "relevantExtensionKeys" to ensure the resolved locale's Unicode extension subtag is canonical. r=jwalden

Keywords: checkin-needed
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla70

Is there a user impact which justifies backport consideration here or can this fix ride Fx70 to release?

Flags: needinfo?(andrebargull)
Flags: in-testsuite+

I don't think it's necessary to backport the changes, because the fix only ensures spec-compliance, but otherwise doesn't have any user impact.

Flags: needinfo?(andrebargull)
Has Regression Range: --- → yes
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: