Closed Bug 1827064 Opened 2 years ago Closed 2 years ago

Assertion failure: i < argc_, at /root/SM/sm-latest/0920/dist/include/js/CallArgs.h:211

Categories: Core :: JavaScript Engine, defect

Tracking: RESOLVED INVALID

People: Reporter: 2020244068, Unassigned

Attachments: 1 file

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:107.0) Gecko/20100101 Firefox/107.0

Steps to reproduce:

  1. git clone --depth 1 https://github.com/mozilla/gecko-dev.git (commit is 008eb054013d699239993782a2835eb2115e21fc)
  2. build it
  3. path/to/js/.js test.js
    I attach the test.js below

Actual results:

#01: ???[./js +0x3402d7]
#02: ???[./js +0x341d85]
#03: ???[./js +0xe5ab0b]
#04: ???[./js +0xe39aad]
#05: ???[./js +0xe117e6]
#06: ???[./js +0xe38a27]
#07: ???[./js +0xe40e58]
#08: ???[./js +0x119203f]
#09: ???[./js +0xa1659b]
#10: ???[./js +0xa6f6e2]
#11: ???[./js +0xa7202b]
#12: ???[./js +0x99f00c]
#13: __libc_start_main[/lib/x86_64-linux-gnu/libc.so.6 +0x24083]
#14: ???[./js +0x9c0b7e]
#15: ??? (???:???)
Segmentation fault (core dumped)

Expected results:

success

testcase:

function toint32() {

    // The test case to trigger MToNumberInt32 operation.
    var ToInteger = getSelfHostedValue("ToInteger");

    // Case1: The input operand is constant int32.
    var result = ToInteger();
    assertEq(result, 1);

    // Case2: The input operand is constant double.
    result = ToInteger(0.12);
    assertEq(result, 0);

    // Case3: The input operand is constant float.
    result = ToInteger(Math.fround(0.13));
    assertEq(result, 0);

    // Case4: The input operand is constant boolean.
    result = ToInteger(true);
    assertEq(result, 1);

    // Case5: The input operand is null.
    result = ToInteger(null);
    assertEq(result, 0);
}

toint32();
toint32();

Group: core-security → javascript-core-security
Component: General → JavaScript Engine

Calling self-hosting intrinsics with arbitrary arguments is not supported. Using --fuzzing-safe avoids this one too because getSelfHostedValue is not exposed with that flag.

Group: javascript-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 2 years ago
Resolution: --- → INVALID
Duplicate of this bug: 1827068
Duplicate of this bug: 1827067
Duplicate of this bug: 1827065
Duplicate of this bug: 1827062
Duplicate of this bug: 1827061
Duplicate of this bug: 1827057
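
A simplified model of why a function written for trusted internal callers trips an `i < argc_` precondition when a script calls it with no arguments, next to a variant that accepts any argument count. This is an added illustration, not SpiderMonkey code and not part of the bug thread; `ModelCallArgs`, `IntrinsicStyle` and `ScriptFacingStyle` are hypothetical names, and it is an assumption that the reported assertion comes from an unchecked read of argument 0.

```cpp
#include <cmath>
#include <cstdio>

// Simplified stand-in for a JS value (the engine's real type is JS::Value).
struct Value { bool isUndefined; double number; };
static Value Undefined() { Value v = {true, 0.0}; return v; }
static Value Number(double d) { Value v = {false, d}; return v; }

// Toy argument vector; ModelCallArgs and its methods are hypothetical names.
class ModelCallArgs {
    const Value* argv_;
    unsigned argc_;
public:
    ModelCallArgs(const Value* argv, unsigned argc) : argv_(argv), argc_(argc) {}
    // The condition from the bug title: is reading slot i within argc_?
    bool inBounds(unsigned i) const { return i < argc_; }
    // Tolerant read: an argument the caller did not pass reads as undefined.
    Value get(unsigned i) const { return inBounds(i) ? argv_[i] : Undefined(); }
};

// ToInteger on an already-fetched value: undefined -> NaN -> 0, else truncate.
static double ToIntegerValue(Value v) {
    double d = v.isUndefined ? std::nan("") : v.number;
    return std::isnan(d) ? 0.0 : std::trunc(d);
}

// Intrinsic style: trusts its engine-internal caller to pass one argument.
// Returns false where a debug build would abort on `i < argc_`.
bool IntrinsicStyle(const ModelCallArgs& args, double* out) {
    if (!args.inBounds(0)) return false;   // assertion site in this model
    *out = ToIntegerValue(args.get(0));
    return true;
}

// Script-facing style: any argument count is valid input.
double ScriptFacingStyle(const ModelCallArgs& args) {
    return ToIntegerValue(args.get(0));
}

int main() {
    Value one[] = { Number(0.12) };        // constructed sample arguments
    double r = -1;
    std::printf("intrinsic, 1 arg : ok=%d\n", IntrinsicStyle(ModelCallArgs(one, 1), &r));
    std::printf("intrinsic, 0 args: ok=%d\n", IntrinsicStyle(ModelCallArgs(nullptr, 0), &r));
    std::printf("script-facing, 0 args: %g\n", ScriptFacingStyle(ModelCallArgs(nullptr, 0)));
    return 0;
}
```
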