Closed Bug 1864257 Opened 10 months ago Closed 10 months ago

Assertion failure: value_ != 0, at ColumnNumber.h:255

Categories

(Core :: JavaScript Engine, defect, P1)

defect

Tracking

RESOLVED FIXED
121 Branch
Tracking Status
firefox-esr115 --- unaffected
firefox119 --- unaffected
firefox120 --- unaffected
firefox121 --- fixed

People

(Reporter: anbu1024.me, Assigned: arai)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: regression)

Attachments

(1 file)

Steps to reproduce:

version:
commit 456995bd895bc6c5d1dcd582ff72acbf7e7a28e0

Build options:

/bin/sh ../../gecko-dev/js/src/configure --enable-debug --disable-optimize --disable-shared-js --disable-tests

Test case:

function foo() { return 0; }
let x = new foo();                       // `new` ignores the primitive return value, so x is a fresh object
let y = 0;
x ^= y;                                  // ToInt32 of a plain object is 0, so x becomes 0
Float64Array.columnNumber = --x;         // x is now -1; any object serves as the options bag
this.evaluate("valueOf", Float64Array);  // columnNumber -1 is passed through as the script's column number

Actual results:

Error message:

Assertion failure: value_ != 0, at dist/include/js/ColumnNumber.h:255

Stack backtrace

JS::detail::MaybeLimitedColumnNumber<1073741823u>::valid(const JS::detail::MaybeLimitedColumnNumber<1073741823u> * this) (gecko-dev/js/public/ColumnNumber.h:255)

JS::detail::MaybeLimitedColumnNumber<1073741823u>::MaybeLimitedColumnNumber(JS::detail::MaybeLimitedColumnNumber<1073741823u> * this, uint32_t value) (gecko-dev/js/public/ColumnNumber.h:161)

JS::LimitedColumnNumberOneOrigin::MaybeLimitedColumnNumber(JS::LimitedColumnNumberOneOrigin * this) (gecko-dev/js/public/ColumnNumber.h:289)

JS::LimitedColumnNumberOneOrigin::fromUnlimited(uint32_t value) (gecko-dev/js/public/ColumnNumber.h:304)

JS::LimitedColumnNumberOneOrigin::fromUnlimited(const JS::detail::MaybeLimitedColumnNumber<0u> & value) (gecko-dev/js/public/ColumnNumber.h:308)

js::ScriptSource::initFromOptions(js::ScriptSource * this, js::FrontendContext * fc, const JS::ReadOnlyCompileOptions & options) (gecko-dev/js/src/vm/JSScript.cpp:1911)

js::frontend::CompilationInput::initScriptSource(js::frontend::CompilationInput * this, js::FrontendContext * fc) (gecko-dev/js/src/frontend/Stencil.cpp:1355)

js::frontend::CompilationInput::initForGlobal(js::frontend::CompilationInput * this, js::FrontendContext * fc) (gecko-dev/js/src/frontend/CompilationStencil.h:701)

CompileGlobalScriptToStencilAndMaybeInstantiate<char16_t>(JSContext * maybeCx, js::FrontendContext * fc, js::LifoAlloc & tempLifoAlloc, js::frontend::CompilationInput & input, js::frontend::ScopeBindingCache * scopeCache, JS::SourceText<char16_t> & srcBuf, js::ScopeKind scopeKind, js::frontend::ExtraBindingInfoVector * maybeExtraBindings, BytecodeCompilerOutput & output) (gecko-dev/js/src/frontend/BytecodeCompiler.cpp:315)

CompileGlobalScriptToStencilImpl<char16_t>(JSContext * maybeCx, js::FrontendContext * fc, js::LifoAlloc & tempLifoAlloc, js::frontend::CompilationInput & input, js::frontend::ScopeBindingCache * scopeCache, JS::SourceText<char16_t> & srcBuf, js::ScopeKind scopeKind) (gecko-dev/js/src/frontend/BytecodeCompiler.cpp:407)

js::frontend::CompileGlobalScriptToStencil(JSContext * cx, js::FrontendContext * fc, js::LifoAlloc & tempLifoAlloc, js::frontend::CompilationInput & input, js::frontend::ScopeBindingCache * scopeCache, JS::SourceText<char16_t> & srcBuf, js::ScopeKind scopeKind) (gecko-dev/js/src/frontend/BytecodeCompiler.cpp:419)

CompileGlobalScriptToStencilImpl<char16_t>(JSContext * cx, const JS::ReadOnlyCompileOptions & options, JS::SourceText<char16_t> & srcBuf) (gecko-dev/js/src/frontend/Stencil.cpp:5437)

JS::CompileGlobalScriptToStencil(JSContext * cx, const JS::ReadOnlyCompileOptions & options, JS::SourceText<char16_t> & srcBuf) (gecko-dev/js/src/frontend/Stencil.cpp:5457)

Evaluate(JSContext * cx, unsigned int argc, JS::Value * vp) (gecko-dev/js/src/shell/js.cpp:2700)

CallJSNative(JSContext * cx, js::Native native, js::CallReason reason, const JS::CallArgs & args) (gecko-dev/js/src/vm/Interpreter.cpp:472)

js::InternalCallOrConstruct(JSContext * cx, const JS::CallArgs & args, js::MaybeConstruct construct, js::CallReason reason) (gecko-dev/js/src/vm/Interpreter.cpp:566)

InternalCall(JSContext * cx, const js::AnyInvokeArgs & args, js::CallReason reason) (gecko-dev/js/src/vm/Interpreter.cpp:633)

js::CallFromStack(JSContext * cx, const JS::CallArgs & args, js::CallReason reason) (gecko-dev/js/src/vm/Interpreter.cpp:638)

js::Interpret(JSContext * cx, js::RunState & state) (gecko-dev/js/src/vm/Interpreter.cpp:3053)

MaybeEnterInterpreterTrampoline(JSContext * cx, js::RunState & state) (gecko-dev/js/src/vm/Interpreter.cpp:386)

js::RunScript(JSContext * cx, js::RunState & state) (gecko-dev/js/src/vm/Interpreter.cpp:444)

js::ExecuteKernel(JSContext * cx, JS::HandleScript script, JS::HandleObject envChainArg, js::AbstractFramePtr evalInFrame, JS::MutableHandleValue result) (gecko-dev/js/src/vm/Interpreter.cpp:831)

js::Execute(JSContext * cx, JS::HandleScript script, JS::HandleObject envChain, JS::MutableHandleValue rval) (gecko-dev/js/src/vm/Interpreter.cpp:863)

ExecuteScript(JSContext * cx, JS::HandleObject envChain, JS::HandleScript script, JS::MutableHandleValue rval) (gecko-dev/js/src/vm/CompilationAndEvaluation.cpp:494)

JS_ExecuteScript(JSContext * cx, JS::HandleScript scriptArg) (gecko-dev/js/src/vm/CompilationAndEvaluation.cpp:518)

RunFile(JSContext * cx, const char * filename, FILE * file, CompileUtf8 compileMethod, bool compileOnly, bool fullParse) (gecko-dev/js/src/shell/js.cpp:1218)

Process(JSContext * cx, const char * filename, bool forceTTY, FileKind kind) (gecko-dev/js/src/shell/js.cpp:1798)

ProcessArgs(JSContext * cx, js::cli::OptionParser * op) (gecko-dev/js/src/shell/js.cpp:10873)

Shell(JSContext * cx, js::cli::OptionParser * op) (gecko-dev/js/src/shell/js.cpp:11135)

main(int argc, char ** argv) (gecko-dev/js/src/shell/js.cpp:11539)

Arai, can you take a quick look at this?

Flags: needinfo?(arai.unmht)
Assignee: nobody → arai.unmht
Status: NEW → ASSIGNED
Flags: needinfo?(arai.unmht)

Thank you for reporting.

This is a regression from bug 1848467.
evaluate is a testing function which is available only in the JS shell and in the privileged environment (via Cu.getJSTestingFunctions()).

Keywords: regression
Regressed by: 1848467
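
The assertion in the backtrace fires inside a debug-only invariant check on a one-origin column type, reached with a script-controlled columnNumber of -1. The following C++ is an added example and not SpiderMonkey's code: OneOriginColumn, SanitizeOneOriginColumn, MakeColumn and the clamping policy are assumptions, modelled only on the shape visible in the backtrace (a template parameter of 1073741823u and an assert that the stored value is non-zero). It shows the split between an asserting internal type, which trusts its caller, and the validation that has to happen at the script boundary before any value reaches it.

```cpp
#include <cassert>
#include <cmath>
#include <cstdint>
#include <cstdio>

// Hypothetical one-origin column number with an upper bound, modelled on the
// shape of the asserting wrapper in the backtrace. Its invariant is enforced
// with assert(), i.e. it is a debug-only check that trusts its caller: it is
// NOT a validation step for script-controlled input, and in a debug build an
// unsanitized value aborts the process here.
template <uint32_t Limit>
class OneOriginColumn {
 public:
  explicit OneOriginColumn(uint32_t value) : value_(value) {
    assert(value_ != 0 && "one-origin column must be >= 1");
    assert(value_ <= Limit && "column exceeds limit");
  }
  uint32_t value() const { return value_; }

 private:
  uint32_t value_;
};

// 2^30 - 1, the template argument visible in the backtrace.
constexpr uint32_t kColumnLimit = 1073741823u;

// Sanitize a number that arrived from script (the columnNumber option in the
// reproducer is -1). Script values are doubles: NaN, negative, zero, fractional
// and huge values are all reachable, and none of them may hit the asserting
// constructor. Clamping into [1, Limit] is an assumption for this example,
// not the project's actual policy.
uint32_t SanitizeOneOriginColumn(double untrusted) {
  if (std::isnan(untrusted) || untrusted < 1.0) {
    return 1;  // NaN, zero and negative values map to the first column
  }
  if (untrusted > static_cast<double>(kColumnLimit)) {
    return kColumnLimit;  // out-of-range values saturate at the limit
  }
  return static_cast<uint32_t>(untrusted);  // fractional parts are truncated
}

// The only path from an untrusted double to the asserting type.
OneOriginColumn<kColumnLimit> MakeColumn(double untrusted) {
  return OneOriginColumn<kColumnLimit>(SanitizeOneOriginColumn(untrusted));
}

int main() {
  // The value from the reproducer: columnNumber = -1 arriving from script.
  OneOriginColumn<kColumnLimit> col = MakeColumn(-1.0);
  std::printf("sanitized column: %u\n", col.value());
  return 0;
}
```

Building the same code with NDEBUG defined removes the asserts entirely, which is why the sanitizer, not the wrapper, is the control that matters in release builds.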

Set release status flags based on info from the regressing bug 1848467

Blocks: 1862814
Severity: -- → S3
Priority: -- → P1
Blocks: 1144340
No longer blocks: 1862814
Pushed by arai_a@mac.com:
https://hg.mozilla.org/integration/autoland/rev/c7a3071d1b9a
Sanitize the columnNumber of evaluate. r=iain

Backed out for causing spidermonkey bustages in /evaluate-negative-column.js

[task 2023-11-15T02:40:01.121Z] TEST-PASS | js/src/jit-test/tests/basic/evaluate-global-discardSource.js | Success (code 0, args "--ion-eager --ion-offthread-compile=off --ion-check-range-analysis --ion-extra-checks --no-sse3 --no-threads") [0.1 s]
[task 2023-11-15T02:40:01.129Z] /builds/worker/checkouts/gecko/js/src/jit-test/tests/basic/evaluate-negative-column.js:3:9 Error: Assertion failed: got 1, expected 0
[task 2023-11-15T02:40:01.129Z] Stack:
[task 2023-11-15T02:40:01.129Z]   @/builds/worker/checkouts/gecko/js/src/jit-test/tests/basic/evaluate-negative-column.js:3:9
[task 2023-11-15T02:40:01.129Z] Exit code: 3
[task 2023-11-15T02:40:01.129Z] FAIL - basic/evaluate-negative-column.js
[task 2023-11-15T02:40:01.129Z] TEST-UNEXPECTED-FAIL | js/src/jit-test/tests/basic/evaluate-negative-column.js | /builds/worker/checkouts/gecko/js/src/jit-test/tests/basic/evaluate-negative-column.js:3:9 Error: Assertion failed: got 1, expected 0 (code 3, args "") [0.1 s]
[task 2023-11-15T02:40:01.129Z] INFO exit-status     : 3
[task 2023-11-15T02:40:01.129Z] INFO timed-out       : False
[task 2023-11-15T02:40:01.129Z] INFO stderr         2> /builds/worker/checkouts/gecko/js/src/jit-test/tests/basic/evaluate-negative-column.js:3:9 Error: Assertion failed: got 1, expected 0
[task 2023-11-15T02:40:01.129Z] INFO stderr         2> Stack:
[task 2023-11-15T02:40:01.129Z] INFO stderr         2> @/builds/worker/checkouts/gecko/js/src/jit-test/tests/basic/evaluate-negative-column.js:3:9
[task 2023-11-15T02:40:01.134Z] TEST-PASS | js/src/jit-test/tests/basic/evaluate-global-discardSource.js | Success (code 0, args "--no-blinterp --no-baseline --no-ion --more-compartments") [0.1 s]
Flags: needinfo?(arai.unmht)

Oh, I mixed up the origin of the error position and the script position.
Indeed, the test should expect 1.

Flags: needinfo?(arai.unmht)
Pushed by arai_a@mac.com:
https://hg.mozilla.org/integration/autoland/rev/1a5965cbca83
Sanitize the columnNumber of evaluate. r=iain
Status: ASSIGNED → RESOLVED
Closed: 10 months ago
Resolution: --- → FIXED
Target Milestone: --- → 121 Branch