Closed
Bug 1842810
Opened 2 years ago
Closed 2 years ago
Assertion failure: IsInteger(days), at js/src/builtin/temporal/Duration.cpp:368
Categories
(Core :: JavaScript Engine, defect, P3)
Core
JavaScript Engine
Tracking
()
RESOLVED
FIXED
121 Branch
| Tracking | Status | |
|---|---|---|
| firefox121 | --- | fixed |
People
(Reporter: lukas.bernhard, Assigned: anba)
References
(Blocks 1 open bug)
Details
Attachments
(1 file)
Steps to reproduce:
The attached sample asserts in the js-shell on git commit f29deb388a7675b93f040b0e89a37822cdbd8d58 when invoked as obj-x86_64-pc-linux-gnu/dist/bin/js --fuzzing-safe crash.js
.mozconfig requires ac_add_options --with-temporal-api
const v4 = Temporal.Now.plainDateTimeISO();
v4.microseconds = 1.7976931348623157e+308;
Object.defineProperty(v4, "days", { value: 1.7976931348623157e+308 });
v4.subtract(v4);
|
Reporter | |
Updated•2 years ago
|
Blocks: l11d-js-fuzzing
Component: Untriaged → JavaScript Engine
Product: Firefox → Core
Version: Firefox 117 → Trunk
|
|
Reporter | |
Comment 1•2 years ago
|
||
#0 in js::temporal::CreateTemporalDuration(JSContext*, js::temporal::Duration const&) js/src/builtin/temporal/Duration.cpp:368:3
#1 in AddDateTime(JSContext*, js::temporal::PlainDateTime const&, JS::Handle<JSObject*>, js::temporal::Duration const&, JS::Handle<JSObject*>, js::temporal::PlainDateTime*) js/src/builtin/temporal/PlainDateTime.cpp:818:11
#2 in AddDurationToOrSubtractDurationFromPlainDateTime(JSContext*, PlainDateTimeDuration, JS::CallArgs const&) js/src/builtin/temporal/PlainDateTime.cpp:1181:8
#3 in PlainDateTime_subtract(JSContext*, JS::CallArgs const&) js/src/builtin/temporal/PlainDateTime.cpp:2033:10
#4 in bool JS::CallNonGenericMethod<&IsPlainDateTime(JS::Handle<JS::Value>), &PlainDateTime_subtract(JSContext*, JS::CallArgs const&)>(JSContext*, JS::CallArgs const&) obj-x86_64-pc-linux-gnu/dist/include/js/CallNonGenericMethod.h:103:12
#5 in PlainDateTime_subtract(JSContext*, unsigned int, JS::Value*) js/src/builtin/temporal/PlainDateTime.cpp:2044:10
#6 in CallJSNative(JSContext*, bool (*)(JSContext*, unsigned int, JS::Value*), js::CallReason, JS::CallArgs const&) js/src/vm/Interpreter.cpp:486:13
#7 in js::InternalCallOrConstruct(JSContext*, JS::CallArgs const&, js::MaybeConstruct, js::CallReason) js/src/vm/Interpreter.cpp:580:12
#8 in InternalCall(JSContext*, js::AnyInvokeArgs const&, js::CallReason) js/src/vm/Interpreter.cpp:647:10
#9 in js::CallFromStack(JSContext*, JS::CallArgs const&, js::CallReason) js/src/vm/Interpreter.cpp:652:10
#10 in js::Interpret(JSContext*, js::RunState&) js/src/vm/Interpreter.cpp:3395:16
#11 in MaybeEnterInterpreterTrampoline(JSContext*, js::RunState&) js/src/vm/Interpreter.cpp:400:10
#12 in js::RunScript(JSContext*, js::RunState&) js/src/vm/Interpreter.cpp:458:13
#13 in js::ExecuteKernel(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, js::AbstractFramePtr, JS::MutableHandle<JS::Value>) js/src/vm/Interpreter.cpp:845:13
#14 in js::Execute(JSContext*, JS::Handle<JSScript*>, JS::Handle<JSObject*>, JS::MutableHandle<JS::Value>) js/src/vm/Interpreter.cpp:877:10
#15 in ExecuteScript(JSContext*, JS::Handle<JSObject*>, JS::Handle<JSScript*>, JS::MutableHandle<JS::Value>) js/src/vm/CompilationAndEvaluation.cpp:493:10
#16 in JS_ExecuteScript(JSContext*, JS::Handle<JSScript*>) js/src/vm/CompilationAndEvaluation.cpp:517:10
#17 in RunFile(JSContext*, char const*, _IO_FILE*, CompileUtf8, bool, bool) js/src/shell/js.cpp:1105:10
#18 in Process(JSContext*, char const*, bool, FileKind) js/src/shell/js.cpp:1685:14
#19 in ProcessArgs(JSContext*, js::cli::OptionParser*) js/src/shell/js.cpp:10747:10
#20 in Shell(JSContext*, js::cli::OptionParser*) js/src/shell/js.cpp:10971:12
#21 in main js/src/shell/js.cpp:11396:12
#22 in __libc_start_call_main csu/../sysdeps/nptl/libc_start_call_main.h:58:16
#23 in __libc_start_main csu/../csu/libc-start.c:360:3
#24 in _start (obj-x86_64-pc-linux-gnu/dist/bin/js+0x1eca128) (BuildId: b91585cfc07f0f4d7c1cf8b65c92bc48)
|
||
Updated•2 years ago
|
Flags: needinfo?(andrebargull)
|
Assignee | |
Comment 2•2 years ago
|
||
In this line, days can get infinity. Implementing https://github.com/tc39/proposal-temporal/pull/2612 should fix this.
Flags: needinfo?(andrebargull)
|
||
Comment 3•2 years ago
|
||
I believe this will be fixed by Bug 1840374
|
|
||
Comment 4•2 years ago
|
||
Can you still reproduce this after Bug 1840374 has landed?
Flags: needinfo?(lukas.bernhard)
|
|
Reporter | |
Comment 5•2 years ago
|
||
I can still reproduce on git commit 261fd5a5787a52991e59222a73c2d3b1994cf037.
Flags: needinfo?(lukas.bernhard)
|
|
Assignee | |
Comment 6•2 years ago
|
||
This code will likely be removed when https://github.com/tc39/proposal-temporal/pull/2612 lands.
Depends on D189813
|
||
Updated•2 years ago
|
Assignee: nobody → andrebargull
Status: NEW → ASSIGNED
|
||
Comment 7•2 years ago
|
||
There is an r+ patch which didn't land and no activity in this bug for 2 weeks.
:anba, could you have a look please?
If you still have some work to do, you can add an action "Plan Changes" in Phabricator.
For more information, please visit BugBot documentation.
Flags: needinfo?(mgaudet)
Flags: needinfo?(andrebargull)
|
|
Assignee | |
Updated•2 years ago
|
Flags: needinfo?(mgaudet)
Flags: needinfo?(andrebargull)
Pushed by andre.bargull@gmail.com:
https://hg.mozilla.org/integration/autoland/rev/8941d99e1eb1
Handle number overflow in AddTimeDaysSlow. r=spidermonkey-reviewers,mgaudet
|
||
Comment 9•2 years ago
|
||
| bugherder | ||
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
status-firefox121:
--- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 121 Branch
You need to log in
before you can comment on or make changes to this bug.
Description
•