Closed
Bug 1864257
Opened 10 months ago
Closed 10 months ago
Assertion failure: value_ != 0, at ColumnNumber.h:255
Categories
(Core :: JavaScript Engine, defect, P1)
Core
JavaScript Engine
Tracking
()
RESOLVED
FIXED
121 Branch
Tracking | Status | |
---|---|---|
firefox-esr115 | --- | unaffected |
firefox119 | --- | unaffected |
firefox120 | --- | unaffected |
firefox121 | --- | fixed |
People
(Reporter: anbu1024.me, Assigned: arai)
References
(Blocks 1 open bug, Regression)
Details
(Keywords: regression)
Attachments
(1 file)
Steps to reproduce:
version:
commit 456995bd895bc6c5d1dcd582ff72acbf7e7a28e0
Build options:
/bin/sh ../../gecko-dev/js/src/configure --enable-debug --disable-optimize --disable-shared-js --disable-tests
Test case:
function foo() { return 0; }
let x = new foo();
let y = 0;
x ^= y;
Float64Array.columnNumber = --x;
this.evaluate("valueOf", Float64Array);
Actual results:
Error message:
Assertion failure: value_ != 0, at dist/include/js/ColumnNumber.h:255
Stack backtrace
JS::detail::MaybeLimitedColumnNumber<1073741823u>::valid(const JS::detail::MaybeLimitedColumnNumber<1073741823u> * this) (gecko-dev/js/public/ColumnNumber.h:255)
JS::detail::MaybeLimitedColumnNumber<1073741823u>::MaybeLimitedColumnNumber(JS::detail::MaybeLimitedColumnNumber<1073741823u> * this, uint32_t value) (gecko-dev/js/public/ColumnNumber.h:161)
JS::LimitedColumnNumberOneOrigin::MaybeLimitedColumnNumber(JS::LimitedColumnNumberOneOrigin * this) (gecko-dev/js/public/ColumnNumber.h:289)
JS::LimitedColumnNumberOneOrigin::fromUnlimited(uint32_t value) (gecko-dev/js/public/ColumnNumber.h:304)
JS::LimitedColumnNumberOneOrigin::fromUnlimited(const JS::detail::MaybeLimitedColumnNumber<0u> & value) (gecko-dev/js/public/ColumnNumber.h:308)
js::ScriptSource::initFromOptions(js::ScriptSource * this, js::FrontendContext * fc, const JS::ReadOnlyCompileOptions & options) (gecko-dev/js/src/vm/JSScript.cpp:1911)
js::frontend::CompilationInput::initScriptSource(js::frontend::CompilationInput * this, js::FrontendContext * fc) (gecko-dev/js/src/frontend/Stencil.cpp:1355)
js::frontend::CompilationInput::initForGlobal(js::frontend::CompilationInput * this, js::FrontendContext * fc) (gecko-dev/js/src/frontend/CompilationStencil.h:701)
CompileGlobalScriptToStencilAndMaybeInstantiate<char16_t>(JSContext * maybeCx, js::FrontendContext * fc, js::LifoAlloc & tempLifoAlloc,
js::frontend::CompilationInput & input, js::frontend::ScopeBindingCache * scopeCache, JS::SourceText<char16_t> & srcBuf, js::ScopeKind scopeKind, js::frontend::ExtraBindingInfoVector * maybeExtraBindings, BytecodeCompilerOutput & output) (gecko-dev/js/src/frontend/BytecodeCompiler.cpp:315)
CompileGlobalScriptToStencilImpl<char16_t>(JSContext * maybeCx, js::FrontendContext * fc, js::LifoAlloc & tempLifoAlloc, js::frontend::CompilationInput & input, js::frontend::ScopeBindingCache * scopeCache, JS::SourceText<char16_t> & srcBuf, js::ScopeKind scopeKind) (gecko-dev/js/src/frontend/BytecodeCompiler.cpp:407)
js::frontend::CompileGlobalScriptToStencil(JSContext * cx, js::FrontendContext * fc, js::LifoAlloc & tempLifoAlloc, js::frontend::CompilationInput & input, js::frontend::ScopeBindingCache * scopeCache, JS::SourceText<char16_t> & srcBuf, js::ScopeKind scopeKind) (gecko-dev/js/src/frontend/BytecodeCompiler.cpp:419)
CompileGlobalScriptToStencilImpl<char16_t>(JSContext * cx, const JS::ReadOnlyCompileOptions & options, JS::SourceText<char16_t> & srcBuf) (gecko-dev/js/src/frontend/Stencil.cpp:5437)
JS::CompileGlobalScriptToStencil(JSContext * cx, const JS::ReadOnlyCompileOptions & options, JS::SourceText<char16_t> & srcBuf) (gecko-dev/js/src/frontend/Stencil.cpp:5457)
Evaluate(JSContext * cx, unsigned int argc, JS::Value * vp) (gecko-dev/js/src/shell/js.cpp:2700)
CallJSNative(JSContext * cx, js::Native native, js::CallReason reason, const JS::CallArgs & args) (gecko-dev/js/src/vm/Interpreter.cpp:472)
js::InternalCallOrConstruct(JSContext * cx, const JS::CallArgs & args, js::MaybeConstruct construct, js::CallReason reason) (gecko-dev/js/src/vm/Interpreter.cpp:566)
InternalCall(JSContext * cx, const js::AnyInvokeArgs & args, js::CallReason reason) (gecko-dev/js/src/vm/Interpreter.cpp:633)
js::CallFromStack(JSContext * cx, const JS::CallArgs & args, js::CallReason reason) (gecko-dev/js/src/vm/Interpreter.cpp:638)
js::Interpret(JSContext * cx, js::RunState & state) (gecko-dev/js/src/vm/Interpreter.cpp:3053)
MaybeEnterInterpreterTrampoline(JSContext * cx, js::RunState & state) (gecko-dev/js/src/vm/Interpreter.cpp:386)
js::RunScript(JSContext * cx, js::RunState & state) (gecko-dev/js/src/vm/Interpreter.cpp:444)
js::ExecuteKernel(JSContext * cx, JS::HandleScript script, JS::HandleObject envChainArg, js::AbstractFramePtr evalInFrame, JS::MutableHandleValue result) (gecko-dev/js/src/vm/Interpreter.cpp:831)
js::Execute(JSContext * cx, JS::HandleScript script, JS::HandleObject envChain, JS::MutableHandleValue rval) (gecko-dev/js/src/vm/Interpreter.cpp:863)
ExecuteScript(JSContext * cx, JS::HandleObject envChain, JS::HandleScript script, JS::MutableHandleValue rval) (gecko-dev/js/src/vm/CompilationAndEvaluation.cpp:494)
JS_ExecuteScript(JSContext * cx, JS::HandleScript scriptArg) (gecko-dev/js/src/vm/CompilationAndEvaluation.cpp:518)
RunFile(JSContext * cx, const char * filename, FILE * file, CompileUtf8 compileMethod, bool compileOnly, bool fullParse) (gecko-dev/js/src/shell/js.cpp:1218)
Process(JSContext * cx, const char * filename, bool forceTTY, FileKind kind) (gecko-dev/js/src/shell/js.cpp:1798)
ProcessArgs(JSContext * cx, js::cli::OptionParser * op) (gecko-dev/js/src/shell/js.cpp:10873)
Shell(JSContext * cx, js::cli::OptionParser * op) (gecko-dev/js/src/shell/js.cpp:11135)
main(int argc, char ** argv) (gecko-dev/js/src/shell/js.cpp:11539)
Assignee | ||
Updated•10 months ago
|
Assignee: nobody → arai.unmht
Status: NEW → ASSIGNED
Assignee | ||
Comment 2•10 months ago
|
||
Assignee | ||
Updated•10 months ago
|
Flags: needinfo?(arai.unmht)
Assignee | ||
Comment 3•10 months ago
|
||
Thank you for reporting.
this is a regression from bug 1848467.
evaluate
is a testing function which is available only on JS shell and the privileged environment (via Cu.getJSTestingFunctions()
).
Keywords: regression
Regressed by: 1848467
Comment 4•10 months ago
|
||
Set release status flags based on info from the regressing bug 1848467
status-firefox119:
--- → unaffected
status-firefox120:
--- → unaffected
status-firefox121:
--- → affected
status-firefox-esr115:
--- → unaffected
Updated•10 months ago
|
Updated•10 months ago
|
Pushed by arai_a@mac.com: https://hg.mozilla.org/integration/autoland/rev/c7a3071d1b9a Sanitize the columnNumber of evaluate. r=iain
Comment 6•10 months ago
•
|
||
Backed out for causing spidermonkey bustages in /evaluate-negative-column.js
- backout: https://hg.mozilla.org/integration/autoland/rev/d9f2158d4d442a658bb2029948eeebd438457667
- push: https://treeherder.mozilla.org/jobs?repo=autoland&group_state=expanded&revision=c7a3071d1b9afa16d14e7d5d69081d7c4d480859
- failure log: https://treeherder.mozilla.org/logviewer?job_id=436285393&repo=autoland&lineNumber=19407
[task 2023-11-15T02:40:01.121Z] TEST-PASS | js/src/jit-test/tests/basic/evaluate-global-discardSource.js | Success (code 0, args "--ion-eager --ion-offthread-compile=off --ion-check-range-analysis --ion-extra-checks --no-sse3 --no-threads") [0.1 s]
[task 2023-11-15T02:40:01.129Z] /builds/worker/checkouts/gecko/js/src/jit-test/tests/basic/evaluate-negative-column.js:3:9 Error: Assertion failed: got 1, expected 0
[task 2023-11-15T02:40:01.129Z] Stack:
[task 2023-11-15T02:40:01.129Z] @/builds/worker/checkouts/gecko/js/src/jit-test/tests/basic/evaluate-negative-column.js:3:9
[task 2023-11-15T02:40:01.129Z] Exit code: 3
[task 2023-11-15T02:40:01.129Z] FAIL - basic/evaluate-negative-column.js
[task 2023-11-15T02:40:01.129Z] TEST-UNEXPECTED-FAIL | js/src/jit-test/tests/basic/evaluate-negative-column.js | /builds/worker/checkouts/gecko/js/src/jit-test/tests/basic/evaluate-negative-column.js:3:9 Error: Assertion failed: got 1, expected 0 (code 3, args "") [0.1 s]
[task 2023-11-15T02:40:01.129Z] INFO exit-status : 3
[task 2023-11-15T02:40:01.129Z] INFO timed-out : False
[task 2023-11-15T02:40:01.129Z] INFO stderr 2> /builds/worker/checkouts/gecko/js/src/jit-test/tests/basic/evaluate-negative-column.js:3:9 Error: Assertion failed: got 1, expected 0
[task 2023-11-15T02:40:01.129Z] INFO stderr 2> Stack:
[task 2023-11-15T02:40:01.129Z] INFO stderr 2> @/builds/worker/checkouts/gecko/js/src/jit-test/tests/basic/evaluate-negative-column.js:3:9
[task 2023-11-15T02:40:01.134Z] TEST-PASS | js/src/jit-test/tests/basic/evaluate-global-discardSource.js | Success (code 0, args "--no-blinterp --no-baseline --no-ion --more-compartments") [0.1 s]
Flags: needinfo?(arai.unmht)
Assignee | ||
Comment 7•10 months ago
|
||
oh, I mixed up the origin of error position and script position.
indeed the test should expect 1.
Flags: needinfo?(arai.unmht)
Pushed by arai_a@mac.com: https://hg.mozilla.org/integration/autoland/rev/1a5965cbca83 Sanitize the columnNumber of evaluate. r=iain
Comment 9•10 months ago
|
||
bugherder |
Status: ASSIGNED → RESOLVED
Closed: 10 months ago
Resolution: --- → FIXED
Target Milestone: --- → 121 Branch
You need to log in
before you can comment on or make changes to this bug.
Description
•